Yifei Xu,Ting Liu,Pengfei Liu,Hong Sun

DOI: https://doi.org/10.1109/CNS.2018.8433163

2018-01-01

Abstract:The firmware vulnerability is one of the most serious threats for Internet-of-Things (IoT) security. However, it is hard to investigate firmware, due to the lack of source code and the complicated structure. In this paper, a searchbased firmware code analysis method is proposed to associate the program functionalities with the assembly code. In the experiment, the firmware of Siemens PAC4200 power meter is selected to demonstrate how to search the assembly code of device information interface. Moreover, one vulnerability of this interface is shown, which would be exploited to manipulate the data of device.

Binbin Zhao,Shouling Ji,Jiacheng Xu,Yuan Tian,Qiuyang Wei,Qinying Wang,Chenyang Lyu,Xuhong Zhang,Changting Lin,Jingzheng Wu,Raheem Beyah

DOI: https://doi.org/10.1145/3533767.3534366

2022-01-01

Abstract:As the core of IoT devices, firmware is undoubtedly vital. Currently, the development of IoT firmware heavily depends on third-party components (TPCs), which significantly improves the development efficiency and reduces the cost. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will turn back influence the security of IoT firmware. Currently, existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement FirmSec, which leverages syntactical features and control-flow graph features to detect the TPCs at version-level in firmware, and then recognizes the corresponding vulnerabilities. Based on FirmSec, we present the first large-scale analysis of the usage of TPCs and the corresponding vulnerabilities in firmware. More specifically, we perform an analysis on 34,136 firmware images, including 11,086 publicly accessible firmware images, and 23,050 private firmware images from TSmart. We successfully detect 584 TPCs and identify 128,757 vulnerabilities caused by 429 CVEs. Our in-depth analysis reveals the diversity of security issues for different kinds of firmware from various vendors, and discovers some well-known vulnerabilities are still deeply rooted in many firmware images. We also find that the TPCs used in firmware have fallen behind by five years on average. Besides, we explore the geographical distribution of vulnerable devices, and confirm the security situation of devices in several regions, e.g., South Korea and China, is more severe than in other regions. Further analysis shows 2,478 commercial firmware images have potentially violated GPL/AGPL licensing terms.

Yongyi Zhang,Bo Yu,Lei Zhou,Qiang Yang

DOI: https://doi.org/10.1145/3689236.3689262

2024-01-01

Abstract:With the development of Internet of Things (IoT) technology, the number and complexity of IoT devices have increased rapidly. As the basic enabling software of IoT devices, firmware provides rich functions such as communication, collection and management. Nevertheless, developers do not fully consider security when developing firmware, leaving the firmware vulnerable to exploitation by malware. IoT firmware security analysis has become the focus of research. However, existing works for the security of firmware pay less attention to nested third-party components (TPCs) including the TPCs directly and indirectly referenced. Meanwhile, these works lack a quantitatively analysis of the complexity brought by TPCs to firmware. In this paper, we propose a nested TPCs identification method and introduce firmware complexity metric at the firmware supply chain level. Then, we propose FirmRadar to automatically and comprehensively analyze IoT firmware characterization, including basic information, TPC characterization, CVE characterization and firmware complexity metric. Based on FirmRadar, we conduct a large-scale analysis of 11,988 firmware from 14 vendors. We successfully identify 5,365 TPCs and detect 516,280 potential vulnerabilities caused by 590 CVEs. We further find that although firmware may reference a large number of TPCs, most of the vulnerabilities are concentrated on a few TPCs. Moreover, by analyzing the nested TPCs in firmware, we discover that the number of TPCs directly referenced is less than the number of TPCs indirectly referenced. Finally, we quantitatively analyze firmware complexity metric of each vendor and find that the firmware referencing more TPCs and TPCs functions does not always contain more vulnerabilities.

Binbin Zhao,Shouling Ji,Jiacheng Xu,Yuan Tian,Qiuyang Wei,Qinying Wang,Chenyang Lyu,Xuhong Zhang,Changting Lin,Jingzheng Wu,Raheem Beyah

DOI: https://doi.org/10.1109/tdsc.2023.3279846

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware. Existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement FirmSec, which leverages syntactical features and control-flow graph features to detect the TPCs in firmware, and then recognizes the corresponding vulnerabilities. Based on FirmSec, we present the first large-scale analysis of the security risks raised by TPCs on 34,136 firmware images. We successfully detect 584 TPCs and identify 128,757 vulnerabilities caused by 429 CVEs. Our in-depth analysis reveals the diversity of security risks in firmware and discovers some well-known vulnerabilities are still rooted in firmware. Besides, we explore the geographical distribution of vulnerable devices and confirm that the security situation of devices in different regions varies. Our analysis also indicates that vulnerabilities caused by TPCs in firmware keep growing with the boom of the IoT ecosystem. Further analysis shows 2,478 commercial firmware images have potentially violated GPL/AGPL licensing terms.

Daojing He,Hongjie Gu,Tinghui Li,Yongliang Du,Xiaolei Wang,Sencun Zhu,Nadra Guizani

DOI: https://doi.org/10.1109/mnet.011.2000450

IF: 10.294

2021-03-01

IEEE Network

Abstract:IoT devices are becoming increasingly ubiquitous because they have greatly simplified many aspects of our daily life and our work. However, most firmware in these embedded devices carry various security vulnerabilities, such as hard-cod-ed passwords, cryptographic keys, insecure configurations and backdoors. Recent large-scale attacks have demonstrated that the security vulnerabilities in IoT firmware have posed a severe threat to the Internet infrastructure. In this work, we design a hybrid platform to detect vulnerabilities in IoT firmware, which integrates both offline static detection and online dynamic detection. Our evaluation on real IoT devices shows that the proposed platform can effectively identify various security weaknesses and risks in firmware, such as dangerous processes, exploitable vulnerabilities, and other attack surfaces.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yikun Jiang,Wei Xie,Yong Tang

DOI: https://doi.org/10.1145/3290480.3290491

2018-01-01

Abstract:With the rapid development of network and communication technologies, everything is able to be connected to the Internet. IoT devices, which include home routers, IP cameras, wireless printers and so on, are crucial parts facilitating to build pervasive and ubiquitous networks. As the number of IoT devices around the world increases, the security issues become more and more serious. To handle with the security issues and protect the IoT devices from being compromised, the firmware of devices needs to be strengthened by discovering and repairing vulnerabilities. Current vulnerability detection tools can only help strengthening traditional software, nevertheless these tools are not practical enough for IoT device firmware, because of the peculiarity in firmware's structure and embedded device's architecture. Therefore, new vulnerability detection framework is required for analyzing IoT device firmware. This paper reviews related works on vulnerability detection in IoT firmware, proposes and implements a framework to automatically detect authentication-bypass flaws in a large scale of Linux-based firmware. The proposed framework is evaluated with a data set of 2351 firmware images from several target vendors, which is proved to be capable of performing large-scale and automated analysis on firmware, and 1 known and 10 unknown authentication-bypass flaws are found by the analysis.

Chi Zhang,Yu Wang,Linzhang Wang

DOI: https://doi.org/10.1145/3457913.3457934

2021-01-01

Abstract:Background: Firmware is the enable software of Internet of Things (IoT) devices, and its software vulnerabilities are one of the primary reason of IoT devices being exploited. Due to the limited resources of IoT devices, it is impractical to deploy sophisticated run-time protection techniques. Under an insecure network environment, when a firmware is exploited, it may lead to denial of service, information disclosure, elevation of privilege, or even life-threatening. Therefore, firmware vulnerability detection by fuzzing has become the key to ensure the security of IoT devices, and has also become a hot topic in academic and industrial research. With the rapid growth of the existing IoT devices, the size and complexity of firmware, the variety of firmware types, and the firmware defects, existing IoT firmware fuzzing methods face challenges. Objective: This paper summarizes the typical types of IoT firmware fuzzing methods, analyzes the contribution of these works, and summarizes the shortcomings of existing fuzzing methods. Method: We design several research questions, extract keywords from the research questions, then use the keywords to search for related literature. Result: We divide the existing firmware fuzzing work into real-device-based fuzzing and simulation-based fuzzing according to the firmware execution environment, and simulation-based fuzzing is the mainstream in the future; we found that the main types of vulnerabilities targeted by existing fuzzing methods are memory corruption vulnerabilities; firmware fuzzing faces more difficulties than ordinary software fuzzing. Conclusion: Through the analysis of the advantages and disadvantages of different methods, this review provides guidance for further improving the performance of fuzzing techniques, and proposes several recommendations from the findings of this review.

Dingding Wang,Muhui Jiang,Rui Chang,Yajin Zhou,Hexiang Wang,Baolei Hou,Lei Wu,Xiapu Luo

DOI: https://doi.org/10.1109/tdsc.2023.3334017

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:IoT devices are becoming popular. Meanwhile, researchers are actively working on improving the security of IoT devices. However, previous works ignore the insecurity caused by a special category of devices, i.e., the End-of-Life (EoL) devices. Once a product becomes End-of-Life, vendors tend to no longer maintain its firmware or software, including fixing bugs and patching vulnerabilities. This makes EoL devices susceptible to attacks. For instance, a report showed that an EoL model with thousands of active devices was exploited to redirect web traffic for malicious purposes. In this paper, we conduct the first empirical study to shed light on the (in)security of EoL devices. To this end, our study performs two types of analysis, including the liveness analysis and the vulnerability analysis . The first one aims to detect the scale of EoL devices that are still alive in the wild. The second one is to evaluate the vulnerabilities existing in (active) EoL devices. We applied our approach to a large number of EoL models from three vendors (i.e., D-Link, Tp-Link, and Netgear) and detect the alive devices in a time period of more than two years . Our study reveals some worrisome facts that were unknown by the community. For instance, there exist a large number (more than 3 million) of active EoL devices. Some devices (more than 1 million) are still alive even after five years since EoL. Furthermore, more than half of the vulnerabilities (182 of 294) are discovered after the EoL date. Although vendors may release security patches after the EoL date, the process is ad hoc and incomplete, with only limited functionality. Furthermore, these patches can have side effects, such as providing valuable information to attackers. In summary, more than 2 million active EoL devices are vulnerable, and nearly half of them are threatened by high-risk vulnerabilities. Attackers can achieve a minimum of 8.67 Tbps DDoS attack by exploiting OS command injection vulnerabilities and compromising a large number of active EoL devices. We believe these facts pose a clear call for more attention to deal with the security issues of EoL devices.

Wei Xie,Yikun Jiang,Yong Tang,Yuanming Gao,Ning Ding

DOI: https://doi.org/10.1109/icpads.2017.00104

2017-01-01

Abstract:With the development of Internet of Things(IoT), more and more smart devices are connected into the Internet. The security and privacy issues of IoT devices have received increasingly academic and industrial attentions. Vulnerability detection is the key technology to protect IoT devices from zeroday attacks. However, traditional methods and tools of vulnerability detection cannot be directly used in analyzing IoT firmware. This paper firstly reviews related works on vulnerability detection in IoT firmware, previous researches are classified into four types i.e. static analysis, symbolic execution, fuzzing on emulators and comprehensive testing. Then, this paper points out that the specificity of vulnerability detection in IoT firmware is to detect logical flaws in embedded binaries which are built on the MIPS architecture. Finally, this paper proposes a method based on fuzzing and static analysis to detect authentication bypass flaws in IoT embedded binary servers. The proposed method is proved to be effective by verifying known CVEs as well as discovering unknown ones.

Qiang Li,Xuan Feng,Haining Wang,Zhi Li,Limin Sun

DOI: https://doi.org/10.1109/infocom.2018.8486326

2018-01-01

Abstract:An increasing number of embedded devices are connecting to the Internet at a surprising rate. Those devices usually run firmware and are exposed to the public by device search engines. Firmware in embedded devices comes from different manufacturers and product versions. More importantly, many embedded devices are still using outdated versions of firmware due to compatibility and release-time issues, raising serious security concerns. In this paper, we propose generating fine-grained fingerprints based on the subtle differences between the filesystems of various firmware images. We leverage the natural language processing technique to process the file content and the document object model to obtain the firmware fingerprint. To validate the fingerprints, we have crawled 9,716 firmware images from official websites of device vendors and conducted real-world experiments for performance evaluation. The results show that the recall and precision of the firmware fingerprints exceed 90%. Furthermore, we have deployed the prototype system on Amazon EC2 and collected firmware in online embedded devices across the IPv4 space. Our findings indicate that thousands of devices are still using vulnerable firmware on the Internet.

Xiao Ma,Yu-qian Li,Shu-hui Chen,Jin-shu Su

DOI: https://doi.org/10.12783/dtcse/wcne2016/5146

2016-01-01

DEStech Transactions on Computer Science and Engineering

Abstract:The Internet of Things (IoT) depicts a bright future, where any devices having computing capabilities can interact with each other. However, due to limit of energy, computing, size, and storage, the security mechanisms for IoT is still in its infancy. In this paper, we focus on the security requirements in the device to prevent possible physical attacks to expose the secure data such as user's privacy data from the device. First, we give an architecture model on hardware for the Internet of Things, to defeat the physical attack that compromises the security of the device. Following this, discuss the software support required to enforce the security within the device. We brief on the security enforced in a device by the use of secure bootloader technology and propose several design principles about it. The paper also discusses the security measures taken during the production of the device.

Taimur Bakhshi,Bogdan Ghita,Ievgeniia Kuzminykh

DOI: https://doi.org/10.3390/s24020708

IF: 3.9

2024-01-23

Sensors

Abstract:In recent years, the Internet of Things (IoT) paradigm has been widely applied across a variety of industrial and consumer areas to facilitate greater automation and increase productivity. Higher dependability on connected devices led to a growing range of cyber security threats targeting IoT-enabled platforms, specifically device firmware vulnerabilities, often overlooked during development and deployment. A comprehensive security strategy aiming to mitigate IoT firmware vulnerabilities would entail auditing the IoT device firmware environment, from software components, storage, and configuration, to delivery, maintenance, and updating, as well as understanding the efficacy of tools and techniques available for this purpose. To this effect, this paper reviews the state-of-the-art technology in IoT firmware vulnerability assessment from a holistic perspective. To help with the process, the IoT ecosystem is divided into eight categories: system properties, access controls, hardware and software re-use, network interfacing, image management, user awareness, regulatory compliance, and adversarial vectors. Following the review of individual areas, the paper further investigates the efficiency and scalability of auditing techniques for detecting firmware vulnerabilities. Beyond the technical aspects, state-of-the-art IoT firmware architectures and respective evaluation platforms are also reviewed according to their technical, regulatory, and standardization challenges. The discussion is accompanied also by a review of the existing auditing tools, the vulnerabilities addressed, the analysis method used, and their abilities to scale and detect unknown attacks. The review also proposes a taxonomy of vulnerabilities and maps them with their exploitation vectors and with the auditing tools that could help in identifying them. Given the current interest in analysis automation, the paper explores the feasibility and impact of evolving machine learning and blockchain applications in securing IoT firmware. The paper concludes with a summary of ongoing and future research challenges in IoT firmware to facilitate and support secure IoT development.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yisen Wang,Ruimin Wang,Jing,Huanwei Wang

DOI: https://doi.org/10.1371/journal.pone.0245098

IF: 3.7

2021-01-01

PLoS ONE

Abstract:The rapid expansion of the open-source community has shortened the software development cycle, but the spread of vulnerabilities has been accelerated, especially in the field of the Internet of Things. In recent years, the frequency of attacks against connected devices is increasing exponentially; thus, the vulnerabilities are more serious in nature. The state-of-the-art firmware security inspection technologies, such as methods based on machine learning and graph theory, find similar applications depending on the known vulnerabilities but cannot do anything without detailed information about the vulnerabilities. Moreover, model training, which is necessary for the machine learning technologies, requires a significant amount of time and data, resulting in low efficiency and poor extensibility. Aiming at the above shortcomings, a high-efficiency similarity analysis approach for firmware code is proposed in this study. First, the function control flow features and data flow features are extracted from the functions of the firmware and of the vulnerabilities, and the features are used to calculate the SimHash of the functions. The mass storage and fast query capabilities of the SimHash are implemented by the pigeonhole principle. Second, the similarity function pairs are analyzed in detail within and among the basic blocks. Within the basic blocks, the symbolic execution is used to generate the basic block semantic information, and the constraint solver is used to determine the semantic equivalence. Among the basic blocks, the local control flow graphs are analyzed to obtain their similarity. Then, we implemented a prototype and present the evaluation. The evaluation results demonstrate that the proposed approach can implement large-scale firmware function similarity analysis. It can also get the location of the real-world firmware patch without vulnerability function information. Finally, we compare our method with existing methods. The comparison results demonstrate that our method is more efficient and accurate than the Gemini and StagedMethod. More than 90% of the firmware functions can be indexed within 0.1 s, while the search time of 100,000 firmware functions is less than 2 s.

Maoyu Yang,Xu Zhou,Danjun Liu,Lei Zhou,Yong Tang

DOI: https://doi.org/10.1109/eiect60552.2023.10442540

2023-01-01

Abstract:Dynamic taint analysis is a common and efficient technique in program analysis. IoT devices are widespread and generally have weak protection, making them a hotspot for vulnerabilities. Although some dynamic taint analysis tools and frameworks have been proposed for IoT firmware, they all suffer from one or more issues: performance degradation, lack of generality, or being limited to user mode only. We propose a cross-platform, full-system simulation dynamic taint analysis framework for IoT firmware, Firmware Dynamic Taint Analysis Framework (FDTAF). FDTAF provides a novel Virtual Machine Introspection (VMI) combined with bit-level taint propagation at TCG layer of QEMU. Additionally, we provide analysis tools for the generated taint data flow to improve the usability of dynamic taint analysis when analyzing IoT devices. The implementation of FDTAF includes 1680 lines of C++ code, 9490 lines of C code, and 320 lines of Python code. We present a comparison of the applicability of FDTAF and DECAF in firmware analysis and validate the practicality of the analysis framework using real-world vulnerabilities.

Akashdeep Bhardwaj,Keshav Kaushik,Salil Bharany,SeongKi Kim

DOI: https://doi.org/10.1016/j.eij.2023.100409

IF: 4.195

2023-10-21

Egyptian Informatics Journal

Abstract:Ease of flexibility, convenience, and smartness have made the Internet of Things (IoT) the industry, and user favorite device has recently piqued the industry's interest. With the widespread use of this technology, an unprecedented number of IoT endpoints, including devices in our homes, are now connected to external networks. Firmware of this type is typically heterogeneous and closed source. At the firmware level, it is harder to detect and evaluate security vulnerabilities since their effects are faster and larger. In recent years, several similarity-based firmware security detection techniques and tools have become research hotspots. Security concerns and attacks have risen to the top of the list for IoT security equipment, particularly IoT cameras. Firmware has historically been one of the most neglected areas of device security, leaving it exposed to malicious actors. This research proposes a unique twelve-step process to perform firmware analysis and security assessment of Smart IoT-based Camera devices.

computer science, information systems, artificial intelligence

Yisen Wang,Jianjing Shen,Jian Lin,Rui Lou

DOI: https://doi.org/10.1109/access.2019.2893733

IF: 3.9

2019-01-01

IEEE Access

Abstract:The security situation of the Internet of Things (IoT) is more serious than ever, and there is an urgent need to detect and patch device vulnerability rapidly. With the astronomical numbers of IoT devices, it is very difficult to execute regular security inspections. Existing vulnerability detection technology based on simple feature matching cannot reach high accuracy to detect firmware vulnerabilities while using a control flow graph matching directly has proven to be too expensive. To address the problem of accurate and efficient, we present a method of staged firmware vulnerability detection based on code similarity. The first stage, function embedding based on neural network is used to analyze the similarities among functions, and large-scale firmware security inspection can be achieved efficiently. The second stage, the similarity among function local call flow graphs is calculated for fine-grained firmware security analysis, and this stage can improve the accuracy of vulnerability detection. We compared our method with state-of-the-art approaches, and the experimental results demonstrate that our method is more accurate. The average retraining time of our method is 1 h, and the real-world firmware vulnerability detection experiment of our method demonstrates that the true positive rate of the top 30 is as high as 86%.

Bo Yu,Ying Zhang,Yongyi Zhang,Qiang Yang

DOI: https://doi.org/10.1109/GLOBECOM54140.2023.10437669

2023-01-01

Abstract:With the development and widespread application of IoT technology, the impact of N-day vulnerabilities on IoT firmware has become increasingly serious. Detection technology for IoT firmware vulnerabilities plays an increasingly important role in IoT security. However, existing approaches for firmware vulnerability detection did not consider the issue of vulnerabilities between components, which are introduced in a supply chain's business process, such as library reuse and collaboration development. Meanwhile, they did not consider the component changes across the evolution of firmware versions, which is not conducive to analysts timely patching and managing vulnerable components, resulting in the duplication of analysis of components and inefficient analysis. Thus, feasible methods for analysing version evolution and discovering component vulnerabilities are urgently needed. In this paper, we design and implement FirmVEA, which discovers IOT component vulnerabilities via version evolution analysis. To evaluate our approach, we collect 10161 real-world firmware with 1053 firmware components (shortened as FC) from 11 different vendors, which cover various architectures such as MIPS, ARM, X86, PowerPC, and various OSs such as Linux, and FreeBSD (32/64-bit). The experiments show that FirmVEA can analyze the relationship between complex components, expose components and vulnerabilities change in adjacent firmware versions, and is on average 10 times more efficient than the state-of-the-art tool FACT while ensuring no loss of accuracy, making it suitable for large-scale IoT firmware N-day vulnerability analysis.

Ying Zhang,Bo Yu

DOI: https://doi.org/10.1109/icpads60453.2023.00137

2023-01-01

Abstract:In recent years, numerous attacks on IoT device firmware caused by component vulnerabilities have occurred, they has attracted a great deal of attention from security researchers. Thus, identifying the component and version information in IoT device firmware is of great significance for conducting large-scale IoT device firmware vulnerability correlation analysis, security risk assessment and emergency response of the IoT. Existing methods may not dig deeper into the features of version information, resulting in missing recognition information, leading to insufficient recognition accuracy. Alternatively, existing methods rely on features such as CFG, which makes it difficult to accurately match components between different versions, leading to recognition errors. For these reasons, in this paper, we propose a taint analysis-based version identification method for IoT firmware components. Firstly, we use the feature information extracted from the binary file as the source point for taint analysis, then we perform reverse flow analysis based on the data flow of function calls, and then we find the memory address of the version information as the sink to identify the version information of the component. To evaluate our approach, we collected 312,330 firmware components from 10161 real firmware from 11 different vendors covering various architectures such as MIPS, ARM, X86, and PowerPC and various operating systems such as Linux and FreeBSD (32/64 bit). The experiments demonstrate that the FirmCVI does not require manually building a large-scale database, and achieves an average identification accuracy of up to 96.07% for IoT device firmware component versions, false positives within 5%. And the average time taken to identify component versions is about 0.19 seconds, which is 10 times more efficient than existing version identification tools. It provides powerful data and technical support for IOT device firmware vulnerability correlation analysis.

Yao Yao,Wei Zhou,Yan Jia,Lipeng Zhu,Peng Liu,Yuqing Zhang

DOI: https://doi.org/10.1007/978-3-030-29959-0_31

2019-01-01

Abstract:With the rapid proliferation of IoT devices, we have witnessed increasing security breaches targeting IoT devices. To address this, considerable attention has been drawn to the vulnerability discovery of IoT firmware. However, in contrast to the traditional firmware bugs/vulnerabilities (e.g. memory corruption), the privilege separation model in IoT firmware has not yet been systematically investigated. In this paper, we conducted an in-depth security analysis of the privilege separation model of IoT firmware and identified a previously unknown vulnerability called privilege separation vulnerability. By combining loading information extraction, library function recognition and symbolic execution, we developed Gerbil, a firmware-analysis-specific extension of the Angr framework for analyzing binaries to effectively identify privilege separation vulnerabilities in IoT firmware. So far, we have evaluated Gerbil on 106 real-world IoT firmware images (100 of which are bare-metal and RTOS-based device firmware. Gerbil have successfully detected privilege separation vulnerabilities in 69 of them. We have also verified and exploited the privilege separation vulnerabilities in several popular smart devices including Xiaomi smart gateway, Changdi smart oven and TP-Link smart WiFi plug. Our research demonstrates that an attacker can leverage the privilege separation vulnerability to launch a border spectrum of attacks such as malicious firmware replacement and denial of service.

Muqing Liu,Yuanyuan Zhang,Juanru Li,Junliang Shu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-319-59608-2_40

2017-01-01

Abstract:Despite the increased concerning about embedded system security, the security assessment of commodity embedded devices is far from being adequate. The lack of assessment is mainly due to the tedious, time-consuming, and the very ad hoc reverse engineering procedure of the embedded device firmware. To simplify this procedure, we argue that only a particular part of the entire embedded device’s firmware, as we called vendor customized code, should be thoroughly analyzed. Vendor customized code is usually developed to deal with external inputs and is especially sensitive to attacks compared to other parts of the system. Moreover, vendor customized code is often highly specific and proprietary, which lacks security implementation guidelines. Therefore, the security demands of analyzing this kind of code is urgent.