Malicious IoT Implants: Tampering with Serial Communication over the Internet

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11050)

Abstract

The expansion of the Internet of Things (IoT) promotes the roll-out of low-power wide-area networks (LPWANs) around the globe. These technologies supply regions and cities with Internet access over the air, similarly to mobile telephony networks, but they are specifically designed for low-power applications and tiny computing devices. Forecasts predict that major countries will be broadly covered with LPWAN connectivity in the near future. In this paper, we investigate how the expansion of the LPWAN infrastructure facilitates new attack vectors in hardware security. In particular, we investigate the threat of malicious modifications in electronic products during the physical distribution process in the supply chain. We explore to what extent such modifications allow attackers to take control over devices after deployment by tampering with the serial communication between processors, sensors, and memory. To this end, we designed and built a malicious IoT implant, a small electronic system that can be inserted in arbitrary electronic products. In our evaluation on real-world products, we show the feasibility of leveraging malicious IoT implants for hardware-level attacks on safety- and security-critical products.

Acknowledgement

We thank Tobias Groß for helpful comments. This work was supported by the Federal Ministry of Education and Research, Germany, as part of the BMBF DINGfest project.

Author information

Corresponding author

Correspondence to Philipp Morgner.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Morgner, P., Pfennig, S., Salzner, D., Benenson, Z. (2018). Malicious IoT Implants: Tampering with Serial Communication over the Internet. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science, vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_25

  • DOI: https://doi.org/10.1007/978-3-030-00470-5_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00469-9

  • Online ISBN: 978-3-030-00470-5

  • eBook Packages: Computer Science, Computer Science (R0)
