Fuzz Testing Finds IoT & ICS Most
Vulnerable to Exploits
A fuzzing report has provided deep analysis on potential zero-day exploits in the open source protocols and common file formats used across six key industries, including automotive, financial services, government, healthcare, industrial control systems, and Internet of Things (IoT). The results stem from more than 4.8 billion fuzz tests conducted by Synopsys' customers in 2016 using the Defensics Fuzz Testing solution.
"Fuzz testing is a powerful component
of the Synopsys Software Integrity Platform to uncover zero-day
vulnerabilities and help organizations protect their software," said
Andreas Kuehlmann, senior vice president and general manager for the
Synopsys Software Integrity Group. "By analyzing such a large data set
from our customers, the Synopsys fuzzing report provides visibility into
unknown, hard-to-find vulnerabilities and highlights where security
teams should look to improve the quality and security of their
•The overall average time to first failure (TTFF) — the first instance when a protocol crash is recorded — was 1.4 hours. In the case of more mature protocols, the length of time is in hours. But with less mature protocols, that time could be as short as a few seconds, indicating a higher likelihood of exploitable vulnerabilities.
•The least mature protocol tested in 2016 was IEC-61850 MMS (ICS). This is a niche protocol used in IoT and industrial control systems. The average TTFF for IEC-61850 MMS was 6.6 seconds.
•The most mature protocol tested in
2016 was TLS client (Core IP). This is commonly used for secure web
browsing including online banking and e-commerce. The average TTFF for
TLS client was 9 hours.