
Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices

Part of the Lecture Notes in Computer Science book series (LNSC, volume 10728)

Abstract

With the growth of the Internet of Things, many insecure embedded devices are entering into our homes and businesses. Some of these web-connected devices lack even basic security protections such as secure password authentication. As a result, thousands of IoT devices have already been infected with malware and enlisted into malicious botnets and many more are left vulnerable to exploitation.

In this paper we analyze the practical security level of 16 popular IoT devices from high-end and low-end manufacturers. We present several low-cost black-box techniques for reverse engineering these devices, including software-based and fault-injection-based techniques for bypassing password protection. We use these techniques to recover device firmware and passwords. We also discover several common design flaws which lead to previously unknown vulnerabilities. We demonstrate the effectiveness of our approach by modifying a laboratory version of the Mirai botnet to automatically include these devices. We also discuss how to improve the security of IoT devices without significantly increasing their cost.

Keywords

  • Reverse Engineering Process
  • Mirai Botnet
  • Universal Asynchronous Receiver Transmitter (UART)
  • UART Ports
  • Supervisory Control And Data Acquisition (SCADA)


O. Shwartz, Y. Mathov and M. Bohadana contributed equally to this paper.



Author information


Correspondence to Omer Shwartz, Yael Mathov, Michael Bohadana or Yossi Oren.


Appendix

Table 3. A list of hardware and software tools used
Fig. 3. UART discovery assistant module

Table 4. Inspected devices and the techniques effective on them
Fig. 4. Examples of UART terminals

Fig. 5. Password recovery duration using the GPU server described in Table 3. Each marking on the graph is a successfully recovered password belonging to one of the inspected devices.
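The password recovery measured in Fig. 5 starts from the account database found in the recovered firmware: the crypt(3) hashes in the root filesystem's /etc/passwd or /etc/shadow are fed to a GPU cracker. The script below is an added example, not code from the paper or its authors. It assumes a passwd/shadow pair copied out of an unpacked root filesystem, classifies each account's hash scheme, maps it to the matching hashcat `-m` mode, and flags the accounts an attacker would try first (empty password with a login shell, extra UID-0 accounts, legacy DES hashes, hashes left in the world-readable passwd file). The sample account lines are constructed for this example and the hash strings are syntactically shaped placeholders, not hashes from any real device.

```python
"""Triage the account database pulled out of an extracted IoT root filesystem.

Added example (not the paper's code). Parses BusyBox-style /etc/passwd and
/etc/shadow, identifies the crypt(3) scheme of every account, maps it to a
hashcat mode and flags weak or suspicious accounts.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# crypt(3) scheme prefixes and the corresponding hashcat -m modes.
HASH_SCHEMES: Dict[str, Tuple[str, int]] = {
    "$1$": ("md5crypt", 500),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
    "$2a$": ("bcrypt", 3200),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
}
# Traditional DES crypt: 13 characters of the crypt(3) alphabet, no prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample input (placeholder hashes, not real device hashes).
SAMPLE_PASSWD = """\
root:$1$ab/cdefg$hijklmnopqrstuvwxyz012:0:0:root:/root:/bin/sh
admin:x:0:0:admin:/:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
guest::1000:1000:guest:/home/guest:/bin/sh
support:x:1001:1001:support:/:/bin/sh
"""
SAMPLE_SHADOW = """\
admin:$6$saltsalt$PLACEHOLDERsha512cryptDigestNotARealHash0123456789:17000:0:99999:7:::
support:ab01cdefghijk:17000:0:99999:7:::
"""


def classify_hash(pw: str) -> Tuple[str, Optional[int]]:
    """Return (scheme, hashcat_mode) for one password field."""
    if pw == "":
        return "empty", None          # login with no password at all
    if pw == "x":
        return "shadowed", None       # real hash lives in /etc/shadow
    if pw.startswith(("*", "!")):
        return "locked", None         # no valid hash; password login disabled
    for prefix, (scheme, mode) in HASH_SCHEMES.items():
        if pw.startswith(prefix):
            return scheme, mode
    if DES_RE.match(pw):
        return "descrypt", 1500       # 8-char-max DES, trivially crackable
    return "unknown", None


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    hash: str
    scheme: str
    hashcat_mode: Optional[int]
    flags: List[str] = field(default_factory=list)


def parse_shadow(text: str) -> Dict[str, str]:
    """Map account name -> hash field from a shadow file."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= 2:
                hashes[fields[0]] = fields[1]
    return hashes


def triage(passwd_text: str, shadow_text: str = "") -> List[Account]:
    """Merge passwd and shadow, classify every account and attach flags."""
    shadow = parse_shadow(shadow_text)
    accounts: List[Account] = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                  # malformed line; skip rather than guess
        name, pw, uid_s, _gid, _gecos, _home, shell = fields
        flags: List[str] = []
        # A hash in passwd is readable by every process on the device.
        if pw not in ("", "x") and not pw.startswith(("*", "!")):
            flags.append("hash-in-passwd")
        if pw == "x":
            if name in shadow:
                pw = shadow[name]
            else:
                flags.append("shadow-missing")
        scheme, mode = classify_hash(pw)
        uid = int(uid_s) if uid_s.isdigit() else -1
        if uid == 0 and name != "root":
            flags.append("uid0")      # hidden root-equivalent account
        if scheme == "empty" and shell not in NOLOGIN_SHELLS:
            flags.append("empty-password")
        if scheme == "descrypt":
            flags.append("legacy-des")
        accounts.append(Account(name, uid, shell, pw, scheme, mode, flags))
    return accounts


def hashcat_input(accounts: Iterable[Account]) -> Dict[int, List[str]]:
    """Group crackable 'name:hash' lines by hashcat mode."""
    jobs: Dict[int, List[str]] = {}
    for acc in accounts:
        if acc.hashcat_mode is not None:
            jobs.setdefault(acc.hashcat_mode, []).append(f"{acc.name}:{acc.hash}")
    return jobs


if __name__ == "__main__":
    found = triage(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for acc in found:
        print(f"{acc.name:8} uid={acc.uid:<5} {acc.scheme:12} "
              f"mode={acc.hashcat_mode} flags={acc.flags}")
    for mode, lines in hashcat_input(found).items():
        print(f"hashcat -m {mode}: {len(lines)} hash(es)")
```

Each `hashcat_input` group can be written to its own file and passed to `hashcat -m <mode> --username <file> <wordlist>`; the md5crypt and DES entries are the ones that fall quickly on a GPU, while an empty-password or extra UID-0 account needs no cracking at all and should be reported before any cracking starts.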


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper


Cite this paper

Shwartz, O., Mathov, Y., Bohadana, M., Elovici, Y., Oren, Y. (2018). Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices. In: Eisenbarth, T., Teglia, Y. (eds) Smart Card Research and Advanced Applications. CARDIS 2017. Lecture Notes in Computer Science, vol 10728. Springer, Cham. https://doi.org/10.1007/978-3-319-75208-2_1


  • DOI: https://doi.org/10.1007/978-3-319-75208-2_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-75207-5

  • Online ISBN: 978-3-319-75208-2

  • eBook Packages: Computer Science (R0)