Malicious IoT Implants: Tampering with Serial Communication over the Internet

  • Philipp MorgnerEmail author
  • Stefan Pfennig
  • Dennis Salzner
  • Zinaida Benenson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11050)


The expansion of the Internet of Things (IoT) promotes the roll-out of low-power wide-area networks (LPWANs) around the globe. These technologies supply regions and cities with Internet access over the air, similarly to mobile telephony networks, but they are specifically designed for low-power applications and tiny computing devices. Forecasts predict that major countries will be broadly covered with LPWAN connectivity in the near future. In this paper, we investigate how the expansion of the LPWAN infrastructure facilitates new attack vectors in hardware security. In particular, we investigate the threat of malicious modifications in electronic products during the physical distribution process in the supply chain. We explore to which extent such modifications allow attackers to take control over devices after deployment by tampering with the serial communication between processors, sensors, and memory. To this end, we designed and built a malicious IoT implant, a small electronic system that can be inserted in arbitrary electronic products. In our evaluation on real-world products, we show the feasibility of leveraging malicious IoT implants for hardware-level attacks on safety- and security-critical products.


IoT LPWAN Implant Serial communication Hardware attack 



We thank Tobias Gro\({\ss }\) for helpful comments. This work was supported by the Federal Ministry of Education and Research, Germany, as part of the BMBF DINGfest project.


  1. 1.
    Adelantado, F., Vilajosana, X., Tuset-Peiró, P., Martínez, B., Melià-Seguí, J., Watteyne, T.: Understanding the limits of LoRaWAN. IEEE Commun. Mag. 55(9) (2017).
  2. 2.
    Agrawal, D., Baktir, S., Karakoyunlu, D., Rohatgi, P., Sunar, B.: Trojan detection using IC fingerprinting. In: IEEE Symposium on Security and Privacy. S&P 2007 (2007)Google Scholar
  3. 3.
    Antonakakis, M., et al.: Understanding the Mirai botnet. In: 26th USENIX Security Symposium. USENIX Security 2017 (2017)Google Scholar
  4. 4.
    Appelbaum, J., Horchert, J., Stöcker, C.: Shopping for spy gear: catalog advertises NSA toolbox. Spieg. Online Int. 29 (2013).
  5. 5.
    Becker, G.T., Regazzoni, F., Paar, C., Burleson, W.P.: Stealthy dopant-level hardware trojans. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 197–214. Springer, Heidelberg (2013). Scholar
  6. 6.
    Boyens, J., Paulsen, C., Moorthy, R., Bartol, N., Shankles, S.A.: Supply chain risk management practices for federal information systems and organizations. In: NIST SP, vol. 800, no. 161 (2015).
  7. 7.
    Datko, J., Reed, T.: NSA Playset: DIY hardware implant over I2C. In: DEF CON 22 (2014)Google Scholar
  8. 8.
    Fern, N., San, I., Koç, Ç.K., Cheng, K.: Hardware trojans in incompletely specified on-chip bus systems. In: Design, Automation & Test in Europe Conference & Exhibition (2016)Google Scholar
  9. 9.
    Fernandes, E., Jung, J., Prakash, A.: Security analysis of emerging smart home applications. In: IEEE Symposium on Security and Privacy. S&P 2016 (2016)Google Scholar
  10. 10.
    FitzPatrick, J.: The Tao of hardware, the Te of implants. Black Hat, USA (2016)Google Scholar
  11. 11.
    Gartner: Gartner says 8.4 billion connected “things” will be in use in 2017, up 31 percent from 2016, February 2017.
  12. 12.
    Gomez-Bravo, F., Jiménez Naharro, R., Medina García, J., Gómez Galán, J., Raya, M.S.: Hardware attacks on mobile robots: I2C clock attacking. In: Reis, L., Moreira, A., Lima, P., Montano, L., Muñoz-Martinez, V. (eds.) Robot 2015: Second Iberian Robotics Conference. AISC, vol. 417, pp. 147–159. Springer, Cham (2016). Scholar
  13. 13.
    Hicks, M., Finnicum, M., King, S.T., Martin, M.M.K., Smith, J.M.: Overcoming an untrusted computing base: detecting and removing malicious hardware automatically. In: IEEE Symposium on Security and Privacy. S&P 2010 (2010)Google Scholar
  14. 14.
    HopeRF Electronic: RFM95/96/97/98(W) - low power long range transceiver module V1.0 datasheet.
  15. 15.
    Hunt, G., Letey, G., Nightingale, E.: The seven properties of highly secure devices. Technical report, March 2017Google Scholar
  16. 16.
    IC Insights: NXP acquires Freescale, becomes top MCU supplier in 2016, April 2017Google Scholar
  17. 17.
    Kerlink: Kerlink continues global expansion with subsidiary in India for rollout of world’s largest LoRaWAN IoT network, September 2017Google Scholar
  18. 18.
    King, S.T., Tucek, J., Cozzie, A., Grier, C., Jiang, W., Zhou, Y.: Designing and implementing malicious hardware. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats. LEET 2008 (2008)Google Scholar
  19. 19.
    Kleber, S., Nölscher, H.F., Kargl, F.: Automated PCB reverse engineering. In: 11th USENIX Workshop on Offensive Technologies. WOOT 2017 (2017)Google Scholar
  20. 20.
    Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.M.: DDoS in the IoT: Mirai and other botnets. IEEE Comput. 50(7), 80–84 (2017). Scholar
  21. 21.
    Kooijman, M.: Arduino LoraMAC-in-C (LMiC) library.
  22. 22.
    Kumar, R., Jovanovic, P., Burleson, W.P., Polian, I.: Parametric trojans for fault-injection attacks on cryptographic hardware. In: Workshop on Fault Diagnosis and Tolerance in Cryptography. FDTC 2014 (2014)Google Scholar
  23. 23.
    Lázaro, J., Astarloa, A., Zuloaga, A., Bidarte, U., Jimenez, J.: I2CSec: a secure serial chip-to-chip communication protocol. J. Syst. Arch.-Embed. Syst. Des. 57(2), 206–213 (2011). Scholar
  24. 24.
    Lin, L., Kasper, M., Güneysu, T., Paar, C., Burleson, W.: Trojan side-channels: lightweight hardware trojans through side-channel engineering. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 382–395. Springer, Heidelberg (2009). Scholar
  25. 25.
    LoRa Alliance: LoRa Alliance surpasses 500 member mark and drives strong LoRaWAN protocol deployments, June 2017Google Scholar
  26. 26.
    LoRa Alliance: LoRaWAN global networks - where are we today? October 2017Google Scholar
  27. 27.
    Machina Research: With 3 billion connections, LPWA will dominate wide area wireless connectivity for M2M by 2023, February 2015Google Scholar
  28. 28.
    Margulies, J.: Garage door openers: an internet of things case study. IEEE Secur. Priv. 13(4), 80–83 (2015). Scholar
  29. 29.
    Min, H., Zhou, G.: Supply chain modeling: past, present and future. Comput. Ind. Eng. 43(1), 231–249 (2002). Scholar
  30. 30.
    Morgner, P., Mattejat, S., Benenson, Z., Müller, C., Armknecht, F.: Insecure to the touch: attacking ZigBee 3.0 via touchlink commissioning. In: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks. WiSec 2017 (2017)Google Scholar
  31. 31.
    NXP: The I2C-bus specification and user manual - UM10204, April 2014Google Scholar
  32. 32.
    Reichert, C.: NNN Co and Actility announce LoRaWAN network rollout across Australia, February 2017Google Scholar
  33. 33.
    Ronen, E., O’Flynn, C., Shamir, A., Weingarten, A.: IoT goes nuclear: creating a ZigBee chain reaction. In: IEEE Symposium on Security and Privacy. S&P 2017 (2017)Google Scholar
  34. 34.
    Rostami, M., Koushanfar, F., Rajendran, J., Karri, R.: Hardware security: threat models and metrics. In: The IEEE/ACM International Conference on Computer-Aided Design (2013)Google Scholar
  35. 35.
    Safavi-Naini, R.: Digital Rights Management: Technologies, Issues, Challenges and Systems, vol. 3919. Springer, Heidelberg (2006). Scholar
  36. 36.
    Shiyanovskii, Y., Wolff, F.G., Rajendran, A., Papachristou, C.A., Weyer, D.J., Clay, W.: Process reliability based trojans through NBTI and HCI effects. In: 2010 NASA/ESA Conference on Adaptive Hardware and Systems. AHS 2010 (2010)Google Scholar
  37. 37.
    Shwartz, O., Cohen, A., Shabtai, A., Oren, Y.: Shattered trust: when replacement smartphone components attack. In: 11th USENIX Workshop on Offensive Technologies. WOOT 2017 (2017)Google Scholar
  38. 38.
    Sigfox: SIGFOX expanding IoT network in 100 U.S. cities, February 2017Google Scholar
  39. 39.
    STMicroelectronics: STM32F303CB datasheet, May 2016Google Scholar
  40. 40.
    STMicroelectronics: STM32Cube initialization code generator datasheet, July 2017Google Scholar
  41. 41.
    Sturton, C., Hicks, M., Wagner, D.A., King, S.T.: Defeating UCI: building stealthy and malicious hardware. In: IEEE Symposium on Security and Privacy. S&P 2011 (2011)Google Scholar
  42. 42.
    Yang, K., Hicks, M., Dong, Q., Austin, T.M., Sylvester, D.: A2: analog malicious hardware. In: IEEE Symposium on Security and Privacy. S&P 2016 (2016)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Philipp Morgner
    • 1
    Email author
  • Stefan Pfennig
    • 1
  • Dennis Salzner
    • 1
  • Zinaida Benenson
    • 1
  1. 1.Friedrich-Alexander-Universität Erlangen-NürnbergErlangenGermany

Personalised recommendations