Characterization of Wi-Fi Router Vulnerabilities in the Brazilian Market (Caracterização das vulnerabilidades dos roteadores Wi-Fi no mercado brasileiro)

  • Osmany Barros de Freitas (ITA)
  • Françoa Taffarel Rosário Corrêa (ITA)
  • Aldri Luiz dos Santos (UFMG)
  • Lourenço Alves Pereira Junior (ITA)

Abstract

Characterizing the vulnerabilities of Wi-Fi routers is essential to identify and quantify the risks and threats present in the digital ecosystem that permeates users' daily routine. This paper analyzes the firmware of Wi-Fi routers sold through Brazilian e-commerce. The results indicate a predominance of Linux on MIPS and ARM architectures, with an average lag of 5 to 10 years between the release of the kernel and the most recent firmware version. Correspondingly, we observed an average of 1344 and 72 vulnerabilities in the kernel and in the applications, respectively, and 54 indicators of compromise that can lead to vulnerabilities in the web interface. By contrast, replacing the stock firmware with an open-source one (OpenWrt, DD-WRT, Tomato) reduces the average to 291, 12, and 21 vulnerabilities for the kernel, applications, and web interface, respectively. This investigation also led to the reporting of a previously unknown (zero-day) remote code execution vulnerability.
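To make the kind of characterization the abstract describes concrete (architecture from ELF headers, kernel version and build date from the kernel boot banner, and the lag of that kernel against its mainline release), the following is an added Python example; it is not the paper's tooling or code. The firmware blob is constructed inline for illustration, the release-date table is a small, incomplete set of kernel.org dates, and the banner layout assumed is the one printed by the kernel's init/version.c; in practice the same functions would be run over a binwalk-extracted image.

```python
import re
import struct
from datetime import datetime

# Partial table of mainline kernel release dates (kernel.org). Assumption for
# illustration: a real run needs the full table for every version encountered.
KERNEL_RELEASE_DATES = {
    "2.6.36": datetime(2010, 10, 20),
    "3.10": datetime(2013, 6, 30),
    "4.4": datetime(2016, 1, 10),
    "4.14": datetime(2017, 11, 12),
    "5.10": datetime(2020, 12, 13),
}

# ELF e_machine values; MIPS and ARM are the ones the abstract reports as dominant.
ELF_MACHINES = {0x08: "MIPS", 0x28: "ARM", 0xB7: "AArch64", 0x03: "x86", 0x3E: "x86-64"}
ELF_MAGIC = b"\x7fELF"

# Boot banner as the kernel prints it, e.g.
# "Linux version 2.6.36 (user@host) (gcc version 4.5.3 ...) #1 Wed Mar 14 10:00:00 CST 2018"
BANNER_RE = re.compile(
    rb"Linux version (\d+\.\d+(?:\.\d+)?)[^\n]*?#\d+[^\n]*?"
    rb"((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} (?:[A-Z]{3,4} )?\d{4})"
)


def elf_architectures(blob: bytes) -> set:
    """Architectures of every ELF header found in the blob (reads e_machine)."""
    archs = set()
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        hdr = blob[pos:pos + 20]
        if len(hdr) == 20:
            little = hdr[5] == 1  # EI_DATA: 1 = little-endian, 2 = big-endian
            e_machine = struct.unpack("<H" if little else ">H", hdr[18:20])[0]
            archs.add(ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:02x})"))
        pos = blob.find(ELF_MAGIC, pos + 1)
    return archs


def kernel_banner(blob: bytes):
    """(version, build_date) from the first Linux boot banner, or None if absent."""
    m = BANNER_RE.search(blob)
    if not m:
        return None
    version = m.group(1).decode()
    parts = m.group(2).decode().split()
    if len(parts) == 6:       # drop the timezone token; strptime cannot parse it portably
        del parts[4]
    build_date = datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")
    return version, build_date


def kernel_lag_years(version: str, build_date: datetime):
    """Years between the kernel's mainline release and the firmware build date."""
    key = version if version in KERNEL_RELEASE_DATES else ".".join(version.split(".")[:2])
    released = KERNEL_RELEASE_DATES.get(key)
    if released is None:
        return None
    return round((build_date - released).days / 365.25, 1)


def characterize(blob: bytes) -> dict:
    """Summarize architecture, kernel version, build date and kernel lag of one image."""
    info = {"architectures": sorted(elf_architectures(blob))}
    banner = kernel_banner(blob)
    if banner:
        version, build = banner
        info.update(kernel=version, build_date=build.date().isoformat(),
                    kernel_lag_years=kernel_lag_years(version, build))
    return info


def _elf_header(e_machine: int, big_endian: bool) -> bytes:
    """First 20 bytes of an ELF header (e_ident, e_type=EXEC, e_machine) for the sample."""
    ident = ELF_MAGIC + bytes([1, 2 if big_endian else 1, 1]) + b"\0" * 9
    return ident + struct.pack(">HH" if big_endian else "<HH", 2, e_machine)


# Constructed sample image: two big-endian MIPS ELF headers around a 2.6.36 banner
# with a 2018 build date, i.e. the multi-year kernel lag the abstract describes.
SAMPLE_FIRMWARE = (
    b"\0" * 64 + _elf_header(0x08, True) + b"\0" * 32
    + b"Linux version 2.6.36 (builder@vendor) (gcc version 4.5.3 (Buildroot 2012.05) ) "
    + b"#1 Wed Mar 14 10:00:00 CST 2018\n" + b"\0" * 16 + _elf_header(0x08, True)
)

if __name__ == "__main__":
    print(characterize(SAMPLE_FIRMWARE))
```

The lag is measured from the build timestamp in the banner rather than from the firmware's advertised release date, because the timestamp is what the running kernel actually reports; on an image where the vendor stripped the banner, `kernel_banner` returns None and only the architecture is reported, so CVE counting for that image needs another version source (e.g. the kernel's version string elsewhere in the image).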

Published: 2023-05-22

FREITAS, Osmany Barros de; CORRÊA, Françoa Taffarel Rosário; SANTOS, Aldri Luiz dos; PEREIRA JUNIOR, Lourenço Alves. Caracterização das vulnerabilidades dos roteadores Wi-Fi no mercado brasileiro. In: BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 41., 2023, Brasília/DF. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2023. p. 183-196. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2023.487.
