We present data on recent work conducted at CITL concerning embedded devices, IoT, and home routers. This data, generated from an analysis of over 6000 firmware images from 18 vendors (over 2.7 million binaries total), shows:
Lastly, we remark on the utility of large empirical studies in assessing the overall state of security, a topic often discussed but rarely backed by data.
Parker Thompson (@m0thran) is a computer hacker and research engineer from Seattle, Washington, specializing in reverse engineering and software analysis. His prior research includes contributions to crash dump analysis, fuzzing, Internet censorship, and related areas. He currently serves as the lead engineer at CITL.
Tim Carstens (@intoverflow) is a mathematician and research engineer from Seattle, Washington, specializing in geometry, logic, and software verification. His prior research includes contributions to crash dump analysis, computational number theory, and related areas. He currently serves as the acting director at CITL.
Mudge (@dotMudge) is a computer hacker from the United States. His prior research includes early contributions to the theory and practice of buffer overflows, vulnerability discovery, and other foundational topics in computer and communications security. For over 20 years, he has been working to inform and protect the public, in both the public and private sectors. In 2016, together with Sarah Zatko, he co-founded CITL and currently serves as the chairman of the board.