Meriem Bettayeb
ABSTRACT
The increasing vulnerabilities found in Internet of Things (IoT) devices have raised the need for a solid mechanism of securing the firmware update of these connected objects, since firmware updates are one way to patch vulnerabilities and add security features. This survey analyses the types of attacks that target the firmware update operation in IoT devices and the available secure firmware update methods for IoT devices in the literature between 2004 and 2018. In addition, several popular firmware analysis and vulnerability detection tools are presented. We believe this paper will open the possibility for firmware analysis, attacks and security and therefore help researchers to develop new mechanisms to protect the embedded systems.
- L. Da Xu, W. He, and S. Li, "Internet of things in industries: A survey," IEEE Trans. Ind. informatics, vol. 10, no. 4, pp. 2233--2243, 2014.Google Scholar
Cross Ref
- S. M. Chowdhury, A. Hossain, and S. Debnath, "Impact of Error Control Code on Characteristic Distance in Wireless Sensor Network," Wirel. Pers. Commun., 2017. Google ScholarDigital Library
- L. Kvarda, P. Hnyk, L. Vojtech, and M. Neruda, "Software implementation of secure firmware update in IoT concept," Adv. Electr. Electron. Eng., vol. 15, no. 4 Special Issue, pp. 626--632, 2017.Google Scholar
- S. Schmidt, M. Tausig, M. Hudler, and G. Simhandl, "Secure Firmware Update Over the Air in the Internet of Things Focusing on Flexibility and Feasibility Proposal for a Design," in Internet of Things Software Update Workshop (IoTSU), At Dublin, 2016, no. June.Google Scholar
- H. Mansor, K. Markantonakis, R. N. Akram, and K. Mayes, "Don't Brick Your Car: Firmware Confidentiality and Rollback for Vehicles," in Availability, Reliability and Security (ARES), 2015 10th International Conference, IEEE, 2015, pp. 139--148. Google ScholarDigital Library
- T. Rad, "Vulnerabilities in Correctional Facilities," 2011.Google Scholar
- Dronebl, "Network Bluepill," 2008.Google Scholar
- B. Jack, "Jackpotting Automated Teller Machines Redux," Black Hat USA, 2010.Google Scholar
- C. Miller, "Battery firmware hacking," Black Hat USA, pp. 3--4, 2011.Google Scholar
- A. Costin, "PostScript(um--you've been hacked)," 28C3, 2011.Google Scholar
- A. Cui, M. Costello, and S. J. Stolfo, "When Firmware Modifications Attack: A Case Study of Embedded Exploitation," 2013.Google Scholar
- Z. Ling, J. Luo, Y. Xu, C. Gao, K. Wu, and X. Fu, "Security Vulnerabilities of Internet of Things: A Case Study of the Smart Plug System," IEEE Internet Things J., vol. 4, no. 6, pp. 1899--1909, 2017.Google ScholarCross Ref
- C. Hawk, J. Hyland, R. Rupert, M. Colonvega, and S. Hall, "Defending Against Firmware Cyber Attacks on Safety-Critical Systems," Chiropr. Osteopat., vol. 14, no. 1, p. 3, 2006.Google ScholarCross Ref
- J. Rieck, "Attacks on Fitness Trackers Revisited: A Case-Study of Unfit Firmware Security," pp. 33--44, 2016.Google Scholar
- H. A. Abdul-ghani, D. Konstantas, and M. Mahyoub, "A Comprehensive IoT Attacks Survey based on a Building-blocked Reference Model," no. April, 2018.Google Scholar
- G. Jurković and V. Sruk, "Remote firmware update for constrained embedded systems," 2014 37th Int. Conv. Inf. Commun. Technol. Electron. Microelectron. MIPRO 2014 - Proc., no. May, pp. 1019--1023, 2014.Google Scholar
- H. Yaling, "The design of monitoring system based on GPRS," pp. 1--4, 2016.Google Scholar
- S. Dalai, B. Chatterjee, D. Dey, S. Chakravorti, and K. Bhattacharya, "Microcontroller based remote updating system using voice channel of cellular network," 2015 IEEE Power, Commun. Inf. Technol. Conf., pp. 11--16, 2015.Google Scholar
- B. C. Choi, S. H. Lee, J. C. Na, and J. H. Lee, "Secure firmware validation and update for consumer devices in home networking," IEEE Trans. Consum. Electron., vol. 62, no. 1, pp. 39--44, 2016.Google ScholarDigital Library
- P. G. Zaware, "Wireless Monitoring, Controlling and Firmware upgradation of embedded devices using Wi-Fi," pp. 2--7, 2014.Google Scholar
- S. G. Hong, N. S. Kim, and T. Heo, "A smartphone connected software updating framework for IoT devices," Proc. Int. Symp. Consum. Electron. ISCE, vol. 2015--Augus, pp. 2--3, 2015.Google Scholar
- T. Thanh, T. H. Vu, N. Van Cuong, and P. N. Nam, "A protocol for secure remote update of run-time partially reconfigurable systems based on FPGA," 2013 Int. Conf. Control. Autom. Inf. Sci. ICCAIS 2013, no. November 2013, pp. 295--299, 2013.Google Scholar
- S. Schmidt, M. Tausig, M. Hudler, and G. Simhandl, "Secure Firmware Update Over the Air in the Internet of Things Focusing on Flexibility and Feasibility," no. August, 2016.Google Scholar
- A. Seshadri, M. Luk, A. Perrig, L. van Doorn, and P. Khosla, "SCUBA: Secure Code Update By Attestation in sensor networks," WiSe '06 Proc. 5th ACM Work. Wirel. Secur., 2006. Google ScholarDigital Library
- D. Perito and G. Tsudik, "Secure code update for embedded devices via proofs of secure erasure," in Springer, 2010.Google Scholar
- G. O. Karame and W. Li, "Secure erasure and code update in legacy sensors," in Springer, 2015.Google Scholar
- N. Karvelas and A. Kiayias, "Efficient proofs of secure erasure," SCN, Springer, 2014.Google Scholar
- N. Asokan, T. Nyman, A. Sadeghi, G. Tsudik, and T. U. Darmstadt, "ASSURED: Architecture for Secure Software Update of Realistic Embedded Devices," IEEE.Google Scholar
- B. L. B, S. Malik, S. Wi, and J. Lee, "Firmware Verification of Embedded Devices Based on a Blockchain," Springer, vol. 199, pp. 52--61, 2017.Google Scholar
- B. L. J. Lee, "Blockchain-based secure firmware update for embedded devices in an Internet of Things environment," J. Supercomput. Springer, 2016. Google ScholarDigital Library
- A. Yohan, N. Lo, and S. Achawapong, "Blockchain-based Firmware Update Framework for Internet-of-Things Environment," in Conf. Information and Knowledge Engineering, pp. 151--155.Google Scholar
- G. Gabriel, R. Roy, and S. B. R. Kumar, "International Conference on Computer Networks and Communication Technologies," in International Conference on Computer Networks and Communication Technologies, Springer (to appear), 2019, vol. 15, pp. 671--679.Google Scholar
- Y. Gupta, R. Shorey, D. Kulkarni, and J. Tew, "The Applicability of Blockchain in the Internet of Things," pp. 561--564.Google Scholar
- "Awesome Firmware Security." {Online}. Available: https://github.com/PreOS-Security/awesome-firmware-security/blob/master/README.md.Google Scholar
- "Binwalk." {Online}. Available: https://github.com/ReFirmLabs/binwalk.Google Scholar
- A. Cui, "Embedded Device Firmware Vulnerability Hunting Using FRAK," Black Hat USA, 2012.Google Scholar
- "FACT." {Online}. Available: https://github.com/fkie-cad/FACT_core.Google Scholar
- D. D. Chen, M. Egele, M. Woo, and D. Brumley, "Towards Automated Dynamic Analysis for Linux-based Embedded Firmware," no. February, pp. 21--24, 2016.Google Scholar
- "Firmware Mod Kit." {Online}. Available: https://github.com/rampageX/firmware-mod-kit/wiki.Google Scholar
- "Firmwalker." {Online}. Available: https://github.com/craigz28/firmwalker.Google Scholar
- Attify, "Firmware Analysis Toolkit." {Online}. Available: https://github.com/attify/firmware-analysis-toolkit.Google Scholar
- "BIN2BMP." {Online}. Available: https://sourceforge.net/projects/bin2bmp/files/bin2bmp/.Google Scholar
- "Radare2." {Online}. Available: https://github.com/radare/radare2.Google Scholar
- "IDA." {Online}. Available: https://hex-rays.com/.Google Scholar
- "Firminator." {Online}. Available: https://github.com/misterch0c/firminator_backend.Google Scholar
- J. Zaddach, L. Bruno, and D. Balzarotti, "Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems ' Firmwares."Google Scholar
- D. Davidson, T. Ristenpart, and W. Madison, "F IE on Firmware: Finding Vulnerabilities in Embedded Systems using Symbolic Execution."Google Scholar
- "Firmware.Re." {Online}. Available: http://firmware.re/.Google Scholar
- Y. David and E. Yahav, "FirmUp: Precise Static Detection of Common Vulnerabilities in Firmware," ASPLOS'18, 2018. Google ScholarDigital Library
- "Angr." {Online}. Available: https://github.com/angr/angr.Google Scholar
- "ReFirm Labs." {Online}. Available: https://www.refirmlabs.com/.Google Scholar
Index Terms
- Firmware Update Attacks and Security for IoT Devices: Survey
Recommendations
Hyperledger-Based Secure Firmware Update Delivery for IoT Devices
ArabWIC 2021: The 7th Annual International Conference on Arab Women in Computing in Conjunction with the 2nd Forum of Women in ResearchThe increase of relying on intelligent and connected devices in our home, company, and everyday life aspect leads to the rapid growth of the Internet of Things (IoT) technology. While some IoT devices communicate without the involvement of users, their ...
Version Control System Gateway to Optimize Firmware over the Air (FOTA) Update for IoT Wireless Devices
AbstractIoT (Internet of Things) use cases cover all the verticals of industry/organization. From manufacturing unit to building management, from X protocol to Y protocol, from A device to Z device; everywhere it is using. The number of IoT devices is ...
FOTB: a secure blockchain-based firmware update framework for IoT environment
AbstractRecently, numerous exploitations and attacks in IoT environment occurred all over the world. One of the major attacking channels is utilizing the firmware of IoT devices as the access interface to compromise the targeted IoT devices. Therefore, it ...
Comments