Advertisement

Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10728)

Abstract

With the growth of the Internet of Things, many insecure embedded devices are entering into our homes and businesses. Some of these web-connected devices lack even basic security protections such as secure password authentication. As a result, thousands of IoT devices have already been infected with malware and enlisted into malicious botnets and many more are left vulnerable to exploitation.

In this paper we analyze the practical security level of 16 popular IoT devices from high-end and low-end manufacturers. We present several low-cost black-box techniques for reverse engineering these devices, including software and fault injection based techniques for bypassing password protection. We use these techniques to recover device firmware and passwords. We also discover several common design flaws which lead to previously unknown vulnerabilities. We demonstrate the effectiveness of our approach by modifying a laboratory version of the Mirai botnet to automatically include these devices. We also discuss how to improve the security of IoT devices without significantly increasing their cost.

References

  1. 1.
    crypt(3) Man Page: Linux Programmer’s Manual. http://man7.org/linux/man-pages/man3/crypt.3.html
  2. 2.
    Firmware-mod-kit Github Repository. https://github.com/mirror/firmware-mod-kit
  3. 3.
    Hashcat Password Recovery Tool. https://hashcat.net/
  4. 4.
    John the Ripper Password Cracker. http://www.openwall.com/john/
  5. 5.
  6. 6.
    Alqassem, I., Svetinovic, D.: A taxonomy of security and privacy requirements for the internet of things (IoT). In: 2014 IEEE International Conference on Industrial Engineering and Engineering Management, IEEM 2014, Selangor Darul Ehsan, Malaysia, 9–12 December 2014, pp. 1244–1248. IEEE (2014). https://doi.org/10.1109/IEEM.2014.7058837
  7. 7.
    Anderson, R., Kuhn, M.: Low cost attacks on tamper resistant devices. In: Christianson, B., Crispo, B., Lomas, M., Roe, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 125–136. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0028165 CrossRefGoogle Scholar
  8. 8.
    Anonymous: The author’s github repository. Details omitted for anonymous submission (2017)Google Scholar
  9. 9.
    Atmel Corporation: ATtiny13A Datasheet, May 2012. http://www.atmel.com/images/doc8126.pdf
  10. 10.
    Bodenheim, R., Butts, J., Dunlap, S., Mullins, B.E.: Evaluation of the ability of the Shodan search engine to identify internet-facing industrial control devices. IJCIP 7(2), 114–123 (2014). https://doi.org/10.1016/j.ijcip.2014.03.001 Google Scholar
  11. 11.
    Chen, D.D., Woo, M., Brumley, D., Egele, M.: Towards automated dynamic analysis for Linux-based embedded firmware. In: NDSS (2016)Google Scholar
  12. 12.
    Costin, A., Zaddach, J., Francillon, A., Balzarotti, D.: A large-scale analysis of the security of embedded firmwares. In: Fu, K., Jung, J. (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20–22 August 2014, pp. 95–110. USENIX Association (2014). https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/costin
  13. 13.
    Courbon, F., Skorobogatov, S., Woods, C.: Reverse engineering flash EEPROM memories using scanning electron microscopy. In: Lemke-Rust, K., Tunstall, M. (eds.) CARDIS 2016. LNCS, vol. 10146, pp. 57–72. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-54669-8_4 CrossRefGoogle Scholar
  14. 14.
    Cui, A., Costello, M., Stolfo, S.J.: When firmware modifications attack: a case study of embedded exploitation. In: 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, 24–27 February 2013. The Internet Society (2013). http://internetsociety.org/doc/when-firmware-modifications-attack-case-study-embedded-exploitation
  15. 15.
    DaRolt, J., Das, A., Natale, G.D., Flottes, M., Rouzeyre, B., Verbauwhede, I.: Test versus security: past and present. IEEE Trans. Emerging Topics Comput. 2(1), 50–62 (2014). https://doi.org/10.1109/TETC.2014.2304492 CrossRefGoogle Scholar
  16. 16.
    Davis, R., Merriam, N., Tracey, N.: How embedded applications using an RTOS can stay within on-chip memory limits. In: 12th EuroMicro Conference on Real-Time Systems, pp. 71–77 (2000)Google Scholar
  17. 17.
    Gartner: Gartner says 4.9 Billion Connected “Things” will be in Use in 2015. Gartner.com (2014). http://www.gartner.com/newsroom/id/2905717
  18. 18.
    Gordon Lyon: Nmap Security Scanner. https://nmap.org/
  19. 19.
    Goubet, L., Heydemann, K., Encrenaz, E., De Keulenaer, R.: Efficient design and evaluation of countermeasures against fault attacks using formal verification. In: Homma, N., Medwed, M. (eds.) CARDIS 2015. LNCS, vol. 9514, pp. 177–192. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-31271-2_11 CrossRefGoogle Scholar
  20. 20.
    Gubbi, J., Buyya, R., Marusic, S., Palaniswami, M.: Internet of things (IoT): a vision, architectural elements, and future directions. Future Gener. Comput. Syst. 29(7), 1645–1660 (2013). https://doi.org/10.1016/j.future.2013.01.010 CrossRefGoogle Scholar
  21. 21.
    Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009). http://doi.acm.org/10.1145/1506409.1506429 CrossRefGoogle Scholar
  22. 22.
    Hollabaugh, C.: Embedded Linux: Hardware, Software, and Interfacing. Addison-Wesley, Boston (2002)Google Scholar
  23. 23.
    Krebs, B.: Krebsonsecurity Hit with Record DDoS. https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
  24. 24.
    Lanet, J.-L., Bouffard, G., Lamrani, R., Chakra, R., Mestiri, A., Monsif, M., Fandi, A.: Memory forensics of a java card dump. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 3–17. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-16763-3_1 Google Scholar
  25. 25.
    Ling, Z., Luo, J., Xu, Y., Gao, C., Wu, K., Fu, X.: Security vulnerabilities of internet of things: a case study of the smart plug system. IEEE Internet Things J. 4, 1899–1909 (2017)CrossRefGoogle Scholar
  26. 26.
    Liu, M., Zhang, Y., Li, J., Shu, J., Gu, D.: Security analysis of vendor customized code in firmware of embedded device. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds.) SecureComm 2016. LNICST, vol. 198, pp. 722–739. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-59608-2_40 CrossRefGoogle Scholar
  27. 27.
    Lund, D., MacGillivray, C., Turner, V., Morales, M.: Worldwide and regional internet of things (IoT) 2014–2020 forecast: a virtuous circle of proven value and demand. International Data Corporation (IDC), Technical report (2014)Google Scholar
  28. 28.
    Mahmoud, R., Yousuf, T., Aloul, F.A., Zualkernan, I.A.: Internet of Things (IoT) security: current status, challenges and prospective measures. In: 10th International Conference for Internet Technology and Secured Transactions, ICITST 2015, London, United Kingdom, 14–16 December 2015, pp. 336–341. IEEE (2015). https://doi.org/10.1109/ICITST.2015.7412116
  29. 29.
    Nest Labs: Nest Learning Smart Thermostat. https://nest.com/thermostat/meet-nest-thermostat/
  30. 30.
    Obermaier, J., Hutle, M.: Analyzing the security and privacy of cloud-based video surveillance systems. In: Proceedings of the 2nd ACM International Workshop on IoT Privacy, Trust, and Security, pp. 22–28. ACM (2016)Google Scholar
  31. 31.
    Patton, M.W., Gross, E., Chinn, R., Forbis, S., Walker, L., Chen, H.: Uninvited connections: a study of vulnerable devices on the Internet of Things (IoT). In: IEEE Joint Intelligence and Security Informatics Conference, JISIC 2014, The Hague, The Netherlands, 24–26 September 2014, pp. 232–235. IEEE (2014). https://doi.org/10.1109/JISIC.2014.43
  32. 32.
    San Pedro, M., Soos, M., Guilley, S.: FIRE: fault injection for reverse engineering. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 280–293. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-21040-2_20 CrossRefGoogle Scholar
  33. 33.
  34. 34.
    Rosenfeld, K., Karri, R.: Attacks and defenses for JTAG. IEEE Design Test Comput. 27(1), 36–47 (2010). https://doi.org/10.1109/MDT.2010.9 CrossRefGoogle Scholar
  35. 35.
    Shodan: Shodan is the world’s first search engine for internet-connected devices. https://www.shodan.io/
  36. 36.
    Sicari, S., Rizzardi, A., Grieco, L.A., Coen-Porisini, A.: Security, privacy and trust in internet of things: the road ahead. Comput. Netw. 76, 146–164 (2015). https://doi.org/10.1016/j.comnet.2014.11.008 CrossRefGoogle Scholar
  37. 37.
    Tellez, M., El-Tawab, S., Heydari, H.M.: Improving the security of wireless sensor networks in an IoT environmental monitoring system. In: Systems and Information Engineering Design Symposium (SIEDS), pp. 72–77. IEEE (2016)Google Scholar
  38. 38.
    Vlasenko, D.: BusyBox: The Swiss Army Knife of Embedded Linux. https://busybox.net/
  39. 39.
    Yu, T., Sekar, V., Seshan, S., Agarwal, Y., Xu, C.: Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the Internet-of-Things. In: de Oliveira, J., Smith, J., Argyraki, K.J., Levis, P. (eds.) Proceedings of the 14th ACM Workshop on Hot Topics in Networks, Philadelphia, PA, USA, 16–17 November 2015, pp. 5:1–5:7. ACM (2015). http://doi.acm.org/10.1145/2834050.2834095
  40. 40.
    Zhang, Z., Cho, M.C.Y., Wang, C., Hsu, C., Chen, C.K., Shieh, S.: IoT security: ongoing challenges and research opportunities. In: 7th IEEE International Conference on Service-Oriented Computing and Applications, SOCA 2014, Matsue, Japan, 17–19 November 2014, pp. 230–234. IEEE Computer Society (2014). https://doi.org/10.1109/SOCA.2014.58

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Ben-Gurion University of the NegevBeershebaIsrael

Personalised recommendations