R354. Prevent firmware downgrades

Requirement

Devices should have anti-rollback mechanisms that prevent their firmware from being downgraded to older versions.
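As an added illustration of this requirement (example code written for this page, not Fluid Attacks' code or any vendor's bootloader), the block below sketches the anti-rollback decision a firmware updater or bootloader makes before applying an image. It assumes a monotonic security-version counter kept in tamper-resistant storage (here a plain struct standing in for it), an image header that carries a security version separate from the ordinary build number, and that the image's signature has already been verified by code outside this example; all type and function names are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for a monotonic counter in protected storage (eFuse, RPMB, TPM NV
 * index, or similar). The value must never decrease once committed. */
typedef struct {
    uint32_t security_version;
} rollback_store_t;

/* Minimal view of an incoming firmware image header (constructed example).
 * security_version is bumped only when a security fix ships; build_number
 * changes with every release. signature_valid is the result of the
 * (assumed, external) signature check over the image and its header. */
typedef struct {
    uint32_t security_version;
    uint32_t build_number;
    bool     signature_valid;
} fw_image_t;

enum fw_decision {
    FW_ACCEPT,
    FW_REJECT_UNSIGNED,   /* signature failed: header fields cannot be trusted */
    FW_REJECT_ROLLBACK    /* image is older than the committed floor */
};

/* Decide whether an image may be installed. The signature check comes first:
 * a version field from an unauthenticated header is meaningless. Equal
 * security versions are accepted so that feature releases that carry no
 * security fix can still be installed. */
enum fw_decision fw_check_update(const rollback_store_t *store,
                                 const fw_image_t *img)
{
    if (!img->signature_valid)
        return FW_REJECT_UNSIGNED;
    if (img->security_version < store->security_version)
        return FW_REJECT_ROLLBACK;
    return FW_ACCEPT;
}

/* Raise the floor after the new image has booted successfully. Committing
 * only after a good boot avoids bricking the device if the update fails,
 * and the counter is never allowed to move backwards. */
bool rollback_store_commit(rollback_store_t *store, uint32_t new_version)
{
    if (new_version < store->security_version)
        return false;
    store->security_version = new_version;
    return true;
}

int main(void)
{
    rollback_store_t store = { .security_version = 5 };
    const fw_image_t candidates[] = {
        { .security_version = 4, .build_number = 100, .signature_valid = true  },
        { .security_version = 5, .build_number = 200, .signature_valid = true  },
        { .security_version = 6, .build_number = 300, .signature_valid = true  },
        { .security_version = 7, .build_number = 400, .signature_valid = false },
    };
    static const char *names[] = { "accept", "reject: unsigned", "reject: rollback" };

    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        enum fw_decision d = fw_check_update(&store, &candidates[i]);
        printf("image sv=%u build=%u -> %s\n",
               candidates[i].security_version,
               candidates[i].build_number, names[d]);
    }
    return 0;
}
```

The split between security version and build number is a design choice, not something the requirement mandates: it lets a vendor ship several builds under one security version while still blocking any image that predates the last security fix. Whatever scheme is used, the check is only as strong as the storage behind the counter; a floor kept in rewritable flash without integrity protection can simply be reset.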

References

  1. CWE-693: Protection Mechanism Failure. The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

  2. Algorithm Downgrade. A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.

  3. OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements. (C.22) Verify that the device cannot be downgraded to old versions (anti-rollback) of valid firmware.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.