DARPA Invests to Make IoT Micro-Patching a Reality

Purdue University researchers and other teammates from the University of California, Santa Barbara and Swiss Federal Institute of Technology Lausanne (EPFL) have received a grant from the Defense Advanced Research Projects Agency (DARPA) to improve the way developers remotely patch IoT devices.

Security is the most significant problem of IoT devices, and one of the reasons is the inherent difficulty of remotely patching a system. For example, very few routers support over-the-air updates for their firmware, leaving this process to customers. The result is a security nightmare.

The DARPA grant covers a project named “Assured Micropatching” that will take four years to complete. If the researchers succeed, fixing very old systems in the absence of the source code should be possible.

“Without source code, patching a vulnerability necessitates editing the binary code directly,” said Antonio Bianchi, one of the main researchers on the project. “Additionally, even in a system that has been patched, there is no guarantee that the patch will not interfere with the original functionality of the device.” Because of these difficulties, he said, the code running in embedded systems is often left unpatched, even when it is known to be vulnerable.

Patching old systems should not interfere with the original functionality of the device; this is one of the tenets of the “Assured Micropatching” project. Developers could push micro-updates to fix devices vulnerable to cyberattacks without replacing the entire firmware.

“Many embedded systems, like computer systems running in trucks, airplanes and medical devices, run old code for which the source code and the original compilation toolchain are unavailable,” Bianchi said.

While it’s an exciting proposition, it will take a long time to become commonplace, and only if the researchers find a way to do it safely. Until then, users should always make sure they have the latest updates installed on their IoT devices.