Skip to main content
SpringerLink
Log in

Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices

  • Conference paper
  • First Online:
Smart Card Research and Advanced Applications (CARDIS 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10728))

Abstract

With the growth of the Internet of Things, many insecure embedded devices are entering into our homes and businesses. Some of these web-connected devices lack even basic security protections such as secure password authentication. As a result, thousands of IoT devices have already been infected with malware and enlisted into malicious botnets and many more are left vulnerable to exploitation.

In this paper we analyze the practical security level of 16 popular IoT devices from high-end and low-end manufacturers. We present several low-cost black-box techniques for reverse engineering these devices, including software and fault injection based techniques for bypassing password protection. We use these techniques to recover device firmware and passwords. We also discover several common design flaws which lead to previously unknown vulnerabilities. We demonstrate the effectiveness of our approach by modifying a laboratory version of the Mirai botnet to automatically include these devices. We also discuss how to improve the security of IoT devices without significantly increasing their cost.

O. Shwartz, Y. Mathov and M. Bohadana contributed equally to this paper.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. crypt(3) Man Page: Linux Programmer’s Manual. http://man7.org/linux/man-pages/man3/crypt.3.html

  2. Firmware-mod-kit Github Repository. https://github.com/mirror/firmware-mod-kit

  3. Hashcat Password Recovery Tool. https://hashcat.net/

  4. John the Ripper Password Cracker. http://www.openwall.com/john/

  5. Mirai Github Repository. https://github.com/jgamblin/Mirai-Source-Code

  6. Alqassem, I., Svetinovic, D.: A taxonomy of security and privacy requirements for the internet of things (IoT). In: 2014 IEEE International Conference on Industrial Engineering and Engineering Management, IEEM 2014, Selangor Darul Ehsan, Malaysia, 9–12 December 2014, pp. 1244–1248. IEEE (2014). https://doi.org/10.1109/IEEM.2014.7058837

  7. Anderson, R., Kuhn, M.: Low cost attacks on tamper resistant devices. In: Christianson, B., Crispo, B., Lomas, M., Roe, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 125–136. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0028165

    Chapter  Google Scholar 

  8. Anonymous: The author’s github repository. Details omitted for anonymous submission (2017)

    Google Scholar 

  9. Atmel Corporation: ATtiny13A Datasheet, May 2012. http://www.atmel.com/images/doc8126.pdf

  10. Bodenheim, R., Butts, J., Dunlap, S., Mullins, B.E.: Evaluation of the ability of the Shodan search engine to identify internet-facing industrial control devices. IJCIP 7(2), 114–123 (2014). https://doi.org/10.1016/j.ijcip.2014.03.001

    Google Scholar 

  11. Chen, D.D., Woo, M., Brumley, D., Egele, M.: Towards automated dynamic analysis for Linux-based embedded firmware. In: NDSS (2016)

    Google Scholar 

  12. Costin, A., Zaddach, J., Francillon, A., Balzarotti, D.: A large-scale analysis of the security of embedded firmwares. In: Fu, K., Jung, J. (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20–22 August 2014, pp. 95–110. USENIX Association (2014). https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/costin

  13. Courbon, F., Skorobogatov, S., Woods, C.: Reverse engineering flash EEPROM memories using scanning electron microscopy. In: Lemke-Rust, K., Tunstall, M. (eds.) CARDIS 2016. LNCS, vol. 10146, pp. 57–72. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54669-8_4

    Chapter  Google Scholar 

  14. Cui, A., Costello, M., Stolfo, S.J.: When firmware modifications attack: a case study of embedded exploitation. In: 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, 24–27 February 2013. The Internet Society (2013). http://internetsociety.org/doc/when-firmware-modifications-attack-case-study-embedded-exploitation

  15. DaRolt, J., Das, A., Natale, G.D., Flottes, M., Rouzeyre, B., Verbauwhede, I.: Test versus security: past and present. IEEE Trans. Emerging Topics Comput. 2(1), 50–62 (2014). https://doi.org/10.1109/TETC.2014.2304492

    Article  Google Scholar 

  16. Davis, R., Merriam, N., Tracey, N.: How embedded applications using an RTOS can stay within on-chip memory limits. In: 12th EuroMicro Conference on Real-Time Systems, pp. 71–77 (2000)

    Google Scholar 

  17. Gartner: Gartner says 4.9 Billion Connected “Things” will be in Use in 2015. Gartner.com (2014). http://www.gartner.com/newsroom/id/2905717

  18. Gordon Lyon: Nmap Security Scanner. https://nmap.org/

  19. Goubet, L., Heydemann, K., Encrenaz, E., De Keulenaer, R.: Efficient design and evaluation of countermeasures against fault attacks using formal verification. In: Homma, N., Medwed, M. (eds.) CARDIS 2015. LNCS, vol. 9514, pp. 177–192. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31271-2_11

    Chapter  Google Scholar 

  20. Gubbi, J., Buyya, R., Marusic, S., Palaniswami, M.: Internet of things (IoT): a vision, architectural elements, and future directions. Future Gener. Comput. Syst. 29(7), 1645–1660 (2013). https://doi.org/10.1016/j.future.2013.01.010

    Article  Google Scholar 

  21. Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009). http://doi.acm.org/10.1145/1506409.1506429

    Article  Google Scholar 

  22. Hollabaugh, C.: Embedded Linux: Hardware, Software, and Interfacing. Addison-Wesley, Boston (2002)

    Google Scholar 

  23. Krebs, B.: Krebsonsecurity Hit with Record DDoS. https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

  24. Lanet, J.-L., Bouffard, G., Lamrani, R., Chakra, R., Mestiri, A., Monsif, M., Fandi, A.: Memory forensics of a java card dump. In: Joye, M., Moradi, A. (eds.) CARDIS 2014. LNCS, vol. 8968, pp. 3–17. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16763-3_1

    Google Scholar 

  25. Ling, Z., Luo, J., Xu, Y., Gao, C., Wu, K., Fu, X.: Security vulnerabilities of internet of things: a case study of the smart plug system. IEEE Internet Things J. 4, 1899–1909 (2017)

    Article  Google Scholar 

  26. Liu, M., Zhang, Y., Li, J., Shu, J., Gu, D.: Security analysis of vendor customized code in firmware of embedded device. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds.) SecureComm 2016. LNICST, vol. 198, pp. 722–739. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59608-2_40

    Chapter  Google Scholar 

  27. Lund, D., MacGillivray, C., Turner, V., Morales, M.: Worldwide and regional internet of things (IoT) 2014–2020 forecast: a virtuous circle of proven value and demand. International Data Corporation (IDC), Technical report (2014)

    Google Scholar 

  28. Mahmoud, R., Yousuf, T., Aloul, F.A., Zualkernan, I.A.: Internet of Things (IoT) security: current status, challenges and prospective measures. In: 10th International Conference for Internet Technology and Secured Transactions, ICITST 2015, London, United Kingdom, 14–16 December 2015, pp. 336–341. IEEE (2015). https://doi.org/10.1109/ICITST.2015.7412116

  29. Nest Labs: Nest Learning Smart Thermostat. https://nest.com/thermostat/meet-nest-thermostat/

  30. Obermaier, J., Hutle, M.: Analyzing the security and privacy of cloud-based video surveillance systems. In: Proceedings of the 2nd ACM International Workshop on IoT Privacy, Trust, and Security, pp. 22–28. ACM (2016)

    Google Scholar 

  31. Patton, M.W., Gross, E., Chinn, R., Forbis, S., Walker, L., Chen, H.: Uninvited connections: a study of vulnerable devices on the Internet of Things (IoT). In: IEEE Joint Intelligence and Security Informatics Conference, JISIC 2014, The Hague, The Netherlands, 24–26 September 2014, pp. 232–235. IEEE (2014). https://doi.org/10.1109/JISIC.2014.43

  32. San Pedro, M., Soos, M., Guilley, S.: FIRE: fault injection for reverse engineering. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 280–293. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21040-2_20

    Chapter  Google Scholar 

  33. Philips: Philips In.Sight Wireless HD Baby Monitor. http://www.philips.co.uk/c-p/B120N_10/in.sight-wireless-hd-baby-monitor/overview

  34. Rosenfeld, K., Karri, R.: Attacks and defenses for JTAG. IEEE Design Test Comput. 27(1), 36–47 (2010). https://doi.org/10.1109/MDT.2010.9

    Article  Google Scholar 

  35. Shodan: Shodan is the world’s first search engine for internet-connected devices. https://www.shodan.io/

  36. Sicari, S., Rizzardi, A., Grieco, L.A., Coen-Porisini, A.: Security, privacy and trust in internet of things: the road ahead. Comput. Netw. 76, 146–164 (2015). https://doi.org/10.1016/j.comnet.2014.11.008

    Article  Google Scholar 

  37. Tellez, M., El-Tawab, S., Heydari, H.M.: Improving the security of wireless sensor networks in an IoT environmental monitoring system. In: Systems and Information Engineering Design Symposium (SIEDS), pp. 72–77. IEEE (2016)

    Google Scholar 

  38. Vlasenko, D.: BusyBox: The Swiss Army Knife of Embedded Linux. https://busybox.net/

  39. Yu, T., Sekar, V., Seshan, S., Agarwal, Y., Xu, C.: Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the Internet-of-Things. In: de Oliveira, J., Smith, J., Argyraki, K.J., Levis, P. (eds.) Proceedings of the 14th ACM Workshop on Hot Topics in Networks, Philadelphia, PA, USA, 16–17 November 2015, pp. 5:1–5:7. ACM (2015). http://doi.acm.org/10.1145/2834050.2834095

  40. Zhang, Z., Cho, M.C.Y., Wang, C., Hsu, C., Chen, C.K., Shieh, S.: IoT security: ongoing challenges and research opportunities. In: 7th IEEE International Conference on Service-Oriented Computing and Applications, SOCA 2014, Matsue, Japan, 17–19 November 2014, pp. 230–234. IEEE Computer Society (2014). https://doi.org/10.1109/SOCA.2014.58

Download references

Author information

Authors and Affiliations

  1. Ben-Gurion University of the Negev, Beersheba, Israel

    Omer Shwartz, Yael Mathov, Michael Bohadana, Yuval Elovici & Yossi Oren

Authors
  1. Omer Shwartz
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yael Mathov
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Michael Bohadana
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Yuval Elovici
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Yossi Oren
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Omer Shwartz , Yael Mathov , Michael Bohadana or Yossi Oren .

Editor information

Editors and Affiliations

  1. University of Lübeck and WPI, Lübeck, Germany

    Thomas Eisenbarth

  2. Gemalto, La Ciotat, France

    Yannick Teglia

Appendix

Appendix

Table 3. A list of hardware and software tools used
Full size table
Fig. 3.
figure 3

UART discovery assistant module

Full size image
Table 4. Inspected devices and the techniques effective on them
Full size table
Fig. 4.
figure 4

Examples of UART terminals

Full size image
Fig. 5.
figure 5

Password recovery duration using the GPU server described in Table 3. Each marking on the graph is a successfully recovered password belonging to a device inspected.

Full size image

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Shwartz, O., Mathov, Y., Bohadana, M., Elovici, Y., Oren, Y. (2018). Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices. In: Eisenbarth, T., Teglia, Y. (eds) Smart Card Research and Advanced Applications. CARDIS 2017. Lecture Notes in Computer Science(), vol 10728. Springer, Cham. https://doi.org/10.1007/978-3-319-75208-2_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-75208-2_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-75207-5

  • Online ISBN: 978-3-319-75208-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation