The Internet of Things (IoT) has become indispensable to our daily lives and work. Unfortunately, developers often reuse software libraries in IoT firmware, which creates a major security concern: if vulnerabilities or insecure versions of these libraries go unpatched, a massive number of IoT devices can be impacted. In this paper, we propose AutoFirm, an automated tool for detecting reused libraries in IoT firmware at a large scale. Specifically, AutoFirm leverages syntactic information (library name and version) to determine whether a firmware image reuses a given library. We conduct a large-scale empirical study of reused libraries in IoT firmware, investigating more than 6,900 firmware images and 2,700+ distinct vulnerabilities affecting 11,300+ vulnerable versions from 349 open-source software libraries. Leveraging this diverse information set, we conduct a qualitative assessment of vulnerable library versions to understand the security gaps and the misplaced trust in libraries in IoT firmware. Our research reveals that manufacturers neglected to update outdated libraries in IoT firmware in 67.3% of cases; that, on average, outdated libraries persisted for over 1.34 years prior to remediation; and that vulnerabilities in software libraries have posed severe threats to widely deployed IoT devices.
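The following Python sketch is an added example, not the paper's AutoFirm code, of the syntax-based idea described above: pull library name and version banners out of the printable strings of an unpacked firmware image, then compare each detected version against a baseline of patched versions to flag outdated libraries. The sample strings, the banner regexes and the baseline versions are all constructed for illustration; a real deployment would source the baseline from vendor advisories.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the kind of lines `strings` yields over an unpacked
# firmware root filesystem. These are invented for the example, not real firmware.
FIRMWARE_STRINGS = [
    "/lib/libcrypto.so.1.0.0",
    "OpenSSL 1.0.2k  26 Jan 2017",
    "BusyBox v1.22.1 (2014-08-11 15:45:12 CST) multi-call binary.",
    "inflate 1.2.8 Copyright 1995-2013 Mark Adler",
    "lighttpd/1.4.35",
    "Usage: ./httpd [-p port]",
]

# Version-banner patterns (assumption: hand-written for a few common libraries;
# AutoFirm's own signatures are not reproduced here).
BANNER_PATTERNS: Dict[str, re.Pattern] = {
    "openssl": re.compile(r"\bOpenSSL (\d+\.\d+\.\d+[a-z]?)\b"),
    "busybox": re.compile(r"\bBusyBox v(\d+\.\d+\.\d+)"),
    "zlib": re.compile(r"\binflate (\d+\.\d+\.\d+)\b"),
    "lighttpd": re.compile(r"\blighttpd/(\d+\.\d+\.\d+)\b"),
}

# Minimum version considered patched (constructed baseline for illustration,
# not advisory data).
PATCHED_BASELINE: Dict[str, str] = {
    "openssl": "1.0.2u",
    "busybox": "1.22.1",
    "zlib": "1.2.11",
    "lighttpd": "1.4.35",
}


def parse_version(version: str) -> Tuple:
    """Turn '1.0.2k' into a comparable tuple: numeric parts padded to four
    entries, followed by the optional letter suffix used by OpenSSL 1.0.x."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))          # pad so (1,2) and (1,2,3) compare cleanly
    return (*nums, m.group(2))


def detect_libraries(lines: List[str]) -> Dict[str, str]:
    """Return {library: version} for every banner pattern that matches.
    The first match per library wins; a path like libcrypto.so.1.0.0 does not
    count because the pattern requires the literal 'OpenSSL' banner."""
    found: Dict[str, str] = {}
    for line in lines:
        for name, pattern in BANNER_PATTERNS.items():
            if name in found:
                continue
            m = pattern.search(line)
            if m:
                found[name] = m.group(1)
    return found


def find_outdated(detected: Dict[str, str],
                  baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (library, found_version, baseline_version) for every detected
    library whose version is older than the patched baseline."""
    outdated = []
    for name, version in detected.items():
        if name not in baseline:
            continue                         # no reference point for this library
        if parse_version(version) < parse_version(baseline[name]):
            outdated.append((name, version, baseline[name]))
    return outdated


if __name__ == "__main__":
    libs = detect_libraries(FIRMWARE_STRINGS)
    for name, version, wanted in find_outdated(libs, PATCHED_BASELINE):
        print(f"{name}: found {version}, patched baseline is {wanted}")
```

With the constructed input this reports OpenSSL 1.0.2k and zlib 1.2.8 as outdated while BusyBox and lighttpd sit at their baseline. Matching on banners alone is cheap and scales to thousands of images, which is why the paper's syntactic approach is attractive for a large-scale study; its limitation is that a vendor who strips or rewrites version strings, or backports a fix without bumping the version, is invisible to it, so a result should be treated as a triage signal rather than proof of exploitability.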