Automated Security Analysis of IoT Software Updates

Dejon, Nicolas; Caputo, Davide; Verderame, Luca; Armando, Alessandro; Merlo, Alessio

doi:10.1007/978-3-030-41702-4_14

Cited by 3 publications

(2 citation statements)

References 20 publications

(25 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The most common reverse engineering techniques employed for IoT security analysis rely on network packets inspection or on more complex analysis of device firmware images. Several methodologies have been proposed in recent years to automate the analysis of device firmware, leveraging on techniques such as formal methods, fuzzing, static analysis and signature matching [13,14,27,29]. Recently, in addition to the analysis of firmware images, the automatic inspection of companion applications also proved to be an effective strategy [19,26].…”

Section: Esp-touch: Methodology Of Analysismentioning

confidence: 99%

A (in)Secure-by-Design IoT Protocol

Salzillo

Rak

2020

Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy

View full text Add to dashboard Cite

The number of IoT devices designed and marketed in these last years is continuously growing. These smart things are more often managed through the cloud, therefore more and more devices are connected both to the customer's local networks and to the Internet. Among the several network pairing mechanisms designed for the IoT domain, we examined the Smart Config family of protocols, a clever technology that allows an IoT device to be associated with an existing WiFi network by receiving special packets from an already network-paired smartphone. We investigate the threats and the technical details behind the ESP Touch protocol, a Smart Config implementation developed by Espressif Systems for its ESP32/8266 family of chips. Additionally, we present a security analysis of the same protocol implemented by the ITEAD Sonoff smart switches (and also by many other ESP-based devices), that we conducted by reverse-engineering the eWeLink mobile companion application. In conclusion, we describe a vulnerability (published as CVE-2020-12702) we found in the Quick Pairing mode of the eWeLink SDK that leads to a full WiFi credential disclosure during the device pairing process.

show abstract

Section: Esp-touch: Methodology Of Analysismentioning

confidence: 99%

A (in)Secure-by-Design IoT Protocol

Salzillo

Rak

2020

Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy

View full text Add to dashboard Cite

show abstract

“…As the firmware has a central role in the life cycle of an IoT device, its security has raised serious concerns from the scientific and industrial community. To this aim, several works were proposed to evaluate the security of the firmware bundle (like [4] or [5]) and enforce the update mechanisms (e.g., [6] and [7]).…”

Section: Introductionmentioning

confidence: 99%

PARIOT: Anti-Repackaging for IoT Firmware Integrity

Verderame¹,

Ruggia²,

Merlo³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

IoT repackaging refers to an attack devoted to tampering with a legitimate firmware package by modifying its content (e.g., injecting some malicious code) and re-distributing it in the wild. In such a scenario, the firmware delivery and update processes play a central role in ensuring firmware integrity. Unfortunately, most of the existing solutions lack proper integrity verification, leaving firmware exposed to repackaging attacks, such as the one reported in [1]. If this is not the case, they still require an external trust anchor (e.g., a signing certificate), which could limit their adoption in resource-constrained environments.To mitigate such a problem, in this paper, we introduce PATRIOT, a novel self-protecting scheme for IoT that allows the injection of integrity checks, called anti-tampering (AT) controls, directly into the firmware. The AT controls enable the runtime detection of repackaging attempts without the need for external trust anchors or computationally expensive systems. Also, we have implemented this scheme into PATRIOTIC, a prototype to automatically protect C/C++ IoT firmware. The evaluation phase of 33 real-world firmware samples demonstrated the feasibility of the proposed methodology and its robustness against practical repackaging attacks without altering the firmware behavior or severe performance issues.

show abstract