It has been reported that firmware security company Binarly has discovered at least 13 serious vulnerabilities in the BIOS firmware of HP devices, and possibly devices from other manufacturers, resulting in a total of 15 CVE identifiers. The vulnerabilities have been characterized as stack overflows, heap overflows, and memory corruption, and all of them have been assigned “high severity” ratings. The flaws affect a wide range of HP enterprise products, including desktop, laptop, point-of-sale, and edge computing devices.

Inadequate security capabilities, a lack of timely vulnerability patching (such as firmware updates), and a lack of consumer awareness are key drivers of repeated attacks on Internet of Things (IoT) devices. Because IoT devices can expose several types of interfaces (e.g., web-based interfaces for consumers, or object interfaces for governance-as-code applications such as control systems), it is critical to test for input validation, command injection, and code injection with a full spectrum of security tools. Currently, we find that even where organisations have conducted their own transparent-box security testing, such as static analysis and open source analysis, it is critical to complement that with dynamic analysis, mobile testing, and penetration testing.
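The input-validation and command-injection concern above is easiest to see in a typical device web interface, where a diagnostic endpoint passes a user-supplied hostname to an operating-system command. The following is an added example, not code from the original article or from any HP or Binarly product; the endpoint name, the hostname allowlist pattern and the sample request parameters are all constructed for illustration. It shows the vulnerable pattern (string concatenation into a shell command) beside a hardened version (allowlist validation plus an argument vector that never touches a shell), and a small log-side check a defender can run over recorded request parameters to spot inputs that should have been rejected.

```python
import re
import subprocess

# Constructed example: a router-style "ping host" diagnostic endpoint as it
# might appear on an IoT device's web interface.

# Allowlist for a hostname or IPv4 literal: letters, digits, dots, hyphens.
# Shell metacharacters (; | & ` $ ( ) newline ...) cannot match this pattern.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Characters that a POSIX shell would interpret; used only for detection below.
SHELL_META_RE = re.compile(r"[;&|`$()<>\n\\\"']")


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: the untrusted value is spliced into a shell string.

    If this string were handed to subprocess.run(..., shell=True), anything the
    shell treats specially in `host` would be interpreted as shell syntax.
    """
    return "ping -c 1 " + host


def validate_host(host: str) -> bool:
    """Allowlist validation: accept only characters a hostname may contain."""
    return HOSTNAME_RE.fullmatch(host) is not None


def build_ping_command_safe(host: str) -> list:
    """Hardened pattern: validate first, then build an argv list (no shell).

    Raises ValueError for any value that fails the allowlist, so the caller
    returns an error to the client instead of executing anything.
    """
    if not validate_host(host):
        raise ValueError("hostname rejected by allowlist validation")
    return ["ping", "-c", "1", host]


def run_ping_safe(host: str) -> int:
    """Execute the validated argv with shell=False; returns the exit status."""
    argv = build_ping_command_safe(host)
    completed = subprocess.run(argv, shell=False, capture_output=True, timeout=10)
    return completed.returncode


def flag_suspicious_params(log_lines: list) -> list:
    """Detection helper: return request ids whose host parameter carries
    shell metacharacters or otherwise fails the allowlist.

    Expected line format (constructed for this example):
        <request_id> host=<value>
    """
    flagged = []
    for line in log_lines:
        request_id, _, rest = line.partition(" ")
        if not rest.startswith("host="):
            continue
        value = rest[len("host="):]
        if SHELL_META_RE.search(value) or not validate_host(value):
            flagged.append(request_id)
    return flagged


if __name__ == "__main__":
    # Constructed access-log lines; the second carries a shell separator.
    sample_log = [
        "req-001 host=gateway.example.com",
        "req-002 host=gateway.example.com;cat",
        "req-003 host=10.0.0.1",
    ]
    print("flagged requests:", flag_suspicious_params(sample_log))
    print("safe argv:", build_ping_command_safe("10.0.0.1"))
    try:
        build_ping_command_safe("gateway.example.com;cat")
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened path rejects anything outside the hostname allowlist before a process is ever spawned, and even an accepted value reaches `ping` as a single argv element rather than as shell text, so validation and execution are defended independently. The detection helper is the kind of check worth running over a device's request logs during the dynamic testing the paragraph recommends: every flagged request is one the interface should have refused.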