Pallavi Sivakumaran
Jorge Blasco
ABSTRACT
Recent high-profile attacks on the Internet of Things (IoT) have brought to the forefront the vulnerabilities in “smart” devices, and have revealed poor device configuration to be the root cause in many cases. This has resulted in IoT technologies and devices being subjected to numerous security analyses. For the most part, automated analyses have been confined to IoT hub or gateway devices, which tend to feature traditional operating systems such as Linux or VxWorks. However, most IoT peripherals, by their very nature of being resource-constrained, lacking traditional operating systems, implementing a wide variety of communication technologies, and (increasingly) featuring the ARM Cortex-M architecture, have only been the subject of smaller-scale analyses, typically confined to a certain class or brand of device. We bridge this gap with argXtract, a framework for performing automated static analysis of stripped Cortex-M binaries, to enable bulk extraction of security-relevant configuration data. Through a case study of 200+ Bluetooth Low Energy binaries targeting Nordic Semiconductor chipsets, as well as smaller studies against STMicroelectronics BlueNRG binaries and Nordic ANT binaries, argXtract has discovered widespread security and privacy issues in IoT, including minimal or no protection for data, weakened pairing mechanisms, and potential for device and user tracking.
- Kevin Allix, Tegawendé F Bissyandé, Jacques Klein, and Yves Le Traon. 2016. Androzoo: Collecting Millions of Android Apps for the Research Community. In Proceedings of the 13th International Conference on Mining Software Repositories. ACM, 468–471.Google Scholar
Digital Library
- Sergi Alvarez. 2021. radare2. https://github.com/radareorg/radare2.Google Scholar
- Jim Alves-Foss and Jia Song. 2019. Function boundary detection in stripped binaries. In Proceedings of the 35th Annual Computer Security Applications Conference. 84–96.Google ScholarDigital Library
- Dennis Andriesse, Asia Slowinska, and Herbert Bos. 2017. Compiler-agnostic function detection in binaries. In 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 177–189.Google ScholarCross Ref
- Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J Alex Halderman, Luca Invernizzi, Michalis Kallitsis, 2017. Understanding the Mirai botnet. In 26th USENIX security symposium (USENIX Security 17). 1093–1110.Google Scholar
- Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen. 2020. Key Negotiation Downgrade Attacks on Bluetooth and Bluetooth Low Energy. ACM Trans. Priv. Secur. 23, 3, Article 14 (June 2020).Google ScholarDigital Library
- ARM. 2012. Supervisor calls. Available: https://developer.arm.com/documentation/dui0471/g/handling-processor-exceptions/supervisor-calls[Accessed: 28 July 2020].Google Scholar
- ARM. 2016. Calling SVCs from an application. Available: https://developer.arm.com/documentation/dui0471/m/handling-processor-exceptions/calling-svcs-from-an-application [Accessed: 28 July 2020].Google Scholar
- Arm. 2020. Record shipments of Arm-based chips in previous quarter. Available: https://www.arm.com/company/news/2020/02/record-shipments-of-arm-based-chips-in-previous-quarter[Accessed: 28 June 2020].Google Scholar
- ARM. 2021. Vector table. Available: https://developer.arm.com/documentation/dui0552/a/the-cortex-m3-processor/exception-model/vector-table[Accessed: 03 July 2020].Google Scholar
- Tiffany Bao, Jonathan Burket, Maverick Woo, Rafael Turner, and David Brumley. 2014. BYTEWEIGHT: Learning to recognize functions in binary code. In 23rd USENIX Security Symposium (USENIX Security 14). 845–860.Google Scholar
- Johannes K Becker, David Li, and David Starobinski. 2019. Tracking anonymized Bluetooth devices. Proceedings on Privacy Enhancing Technologies (2019), 50–65.Google ScholarCross Ref
- Fabrice Bellard. 2005. QEMU, a fast and portable dynamic translator.. In USENIX Annual Technical Conference, FREENIX Track, Vol. 41. 46.Google Scholar
- Bluetooth Special Interest Group. 2019. 2019 Bluetooth Market Update. Available: https://www.bluetooth.com/bluetooth-resources/2019-bluetooth-market-update[Accessed 01-Feb-2021].Google Scholar
- Bluetooth Special Interest Group. 2019. Bluetooth Core Specification v5.2.Google Scholar
- Bluetooth Special Interest Group. 2019. Intro to Bluetooth Low Energy. Available: https://www.bluetooth.com/bluetooth-resources/intro-to-bluetooth-low-energy/[Accessed: 27 July 2020].Google Scholar
- Martial Bourquin, Andy King, and Edward Robbins. 2013. Binslayer: accurate comparison of binary executables. In Proceedings of the 2nd ACM SIGPLAN Program Protection and Reverse Engineering Workshop. 1–10.Google ScholarDigital Library
- David Brumley, Ivan Jager, Thanassis Avgerinos, and Edward J Schwartz. 2011. BAP: A binary analysis platform. In International Conference on Computer Aided Verification. Springer, 463–469.Google ScholarCross Ref
- Guillaume Celosia and Mathieu Cunche. 2019. Saving private addresses: an analysis of privacy issues in the bluetooth-low-energy advertising mechanism. In Proceedings of the 16th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services. 444–453.Google ScholarDigital Library
- Daming D Chen, Maverick Woo, David Brumley, and Manuel Egele. 2016. Towards Automated Dynamic Analysis for Linux-based Embedded Firmware. In NDSS, Vol. 16. 1–16.Google Scholar
- Jiongyi Chen, Wenrui Diao, Qingchuan Zhao, Chaoshun Zuo, Zhiqiang Lin, XiaoFeng Wang, Wing Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang. 2018. IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing.. In NDSS.Google Scholar
- Richard Chirgwin. 2016. Finns chilling as DDoS knocks out building control system. Available: https://www.theregister.com/2016/11/09/finns_chilling_as_ddos_knocks_out_building_control_system. [Accessed: 11 June 2020].Google Scholar
- Jiska Classen, Daniel Wegemer, Paul Patras, Tom Spink, and Matthias Hollick. 2018. Anatomy of a vulnerable fitness tracking system: Dissecting the Fitbit cloud, app, and firmware. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 2, 1 (2018), 1–24.Google ScholarDigital Library
- Andrei Costin, Jonas Zaddach, Aurélien Francillon, and Davide Balzarotti. 2014. A large-scale analysis of the security of embedded firmwares. In 23rd USENIX Security Symposium (USENIX Security 14). 95–110.Google ScholarDigital Library
- Andrei Costin, Apostolis Zarras, and Aurélien Francillon. 2016. Automated dynamic firmware analysis at scale: a case study on embedded web interfaces. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. 437–448.Google ScholarDigital Library
- Britt Cyr, Webb Horn, Daniela Miao, and Michael Specter. 2014. Security Analysis of Wearable Fitness Devices (Fitbit). Massachusetts Institute of Technology(2014).Google Scholar
- Aveek K Das, Parth H Pathak, Chen-Nee Chuah, and Prasant Mohapatra. 2016. Uncovering privacy leakage in BLE network traffic of wearable fitness trackers. In Proceedings of the 17th International Workshop on Mobile Computing Systems and Applications. 99–104.Google ScholarDigital Library
- Drew Davidson, Benjamin Moench, Thomas Ristenpart, and Somesh Jha. 2013. FIE on firmware: Finding vulnerabilities in embedded systems using symbolic execution. In 22nd USENIX Security Symposium (USENIX Security 13). 463–478.Google Scholar
- Alessandro Di Federico, Mathias Payer, and Giovanni Agosta. [n. d.]. rev. ng: a unified binary analysis framework to recover CFGs and function boundaries. In Proceedings of the 26th International Conference on Compiler Construction.Google Scholar
- Manuel Egele, Maverick Woo, Peter Chapman, and David Brumley. 2014. Blanket execution: Dynamic similarity testing for program binaries and components. In 23rd {USENIX} Security Symposium ({USENIX} Security 14). 303–317.Google Scholar
- Kassem Fawaz, Kyu-Han Kim, and Kang G Shin. 2016. Protecting privacy of {BLE} device users. In 25th {USENIX} Security Symposium ({USENIX} Security 16). 1205–1221.Google Scholar
- Jan Friebertshäuser, Florian Kosterhon, Jiska Classen, and Matthias Hollick. 2020. Polypyus–The Firmware Historian.Google Scholar
- Garmin Canada Inc.2020. What is ANT+. Available: https://www.thisisant.com/consumer/ant-101/what-is-ant [Accessed: 27 July 2020].Google Scholar
- Garmin Canada Inc.2020. What kind of security does ANT provide?Available: https://www.thisisant.com/developer/resources/tech-faq/what-kind-of-security-does-ant-provide-1[Accessed: 07 Dec 2020].Google Scholar
- Liam Goudge and Simon Segars. 1996. Thumb: reducing the cost of 32-bit RISC performance in portable and consumer applications. In COMPCON’96. Technologies for the Information Superhighway Digest of Papers. IEEE, 176–181.Google Scholar
- Laune C Harris and Barton P Miller. 2005. Practical analysis of stripped binary code. ACM SIGARCH Computer Architecture News 33, 5 (2005), 63–68.Google ScholarDigital Library
- Jingxuan He, Pesho Ivanov, Petar Tsankov, Veselin Raychev, and Martin Vechev. [n. d.]. Debin: Predicting debug information in stripped binaries. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security.Google Scholar
- Hex-Rays. 2021. IDA pro disassembler. Available: https://www.hex-rays.com/products/ida/support/download_freeware/. [Accessed: 31 Jan 2021].Google Scholar
- Andrew Hilts, Christopher Parsons, and Jeffrey Knockel. 2016. Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security. (2016).Google Scholar
- Taher Issoufaly and Pierre Ugo Tournoux. 2017. BLEB: Bluetooth Low Energy Botnet for large scale individual tracking. In 2017 1st International Conference on Next Generation Computing Applications (NextComp). IEEE, 115–120.Google ScholarCross Ref
- Muhui Jiang, Yajin Zhou, Xiapu Luo, Ruoyu Wang, Yang Liu, and Kui Ren. 2020. An Empirical Study on ARM Disassembly Tools. In Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis (Virtual Event, USA) (ISSTA 2020). Association for Computing Machinery, New York, NY, USA, 401–414. https://doi.org/10.1145/3395363.3397377Google ScholarDigital Library
- Anastasis Keliris and Michail Maniatakos. 2018. ICSREF: A framework for automated reverse engineering of industrial control systems binaries. arXiv preprint arXiv:1812.03478(2018).Google Scholar
- Gerhard Klostermeier and Matthias Deeg. 2018. Case Study: Security of Modern Bluetooth Keyboards. (2018). Available: https://www.syss.de/fileadmin/dokumente/Publikationen/2018/Security_of_Modern_Bluetooth_Keyboards.pdf[Accessed: 30 Nov 2020].Google Scholar
- Jesse Kornblum, Helmut Grohne, and Tsukasa OI. 2021. ssdeep - Fuzzy hashing program. Available: https://ssdeep-project.github.io/ssdeep/index.html[Accessed 16-Mar-2021].Google Scholar
- Selena Larson. 2017. FDA confirms that St. Jude’s cardiac devices can be hacked. Available: https://money.cnn.com/2017/01/09/technology/fda-st-jude-cardiac-hack. [Accessed: 11 June 2020].Google Scholar
- Yeo Reum Lee, BooJoong Kang, and Eul Gyu Im. 2013. Function matching-based binary-level software similarity calculation. In Proceedings of the 2013 Research in Adaptive and Convergent Systems. 322–327.Google ScholarDigital Library
- Franco Loi, Arunan Sivanathan, Hassan Habibi Gharakheili, Adam Radford, and Vijay Sivaraman. 2017. Systematically evaluating security and privacy for consumer IoT devices. In Proceedings of the 2017 Workshop on Internet of Things Security and Privacy. 1–6.Google ScholarDigital Library
- Dennis Mantz, Jiska Classen, Matthias Schulz, and Matthias Hollick. 2019. InternalBlue-Bluetooth binary patching and experimentation framework. In Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services. 79–90.Google ScholarDigital Library
- Luca Massarelli, Giuseppe Antonio Di Luna, Fabio Petroni, Roberto Baldoni, and Leonardo Querzoni. 2019. Safe: Self-attentive function embeddings for binary similarity. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 309–329.Google ScholarCross Ref
- Sanjay M Mishra. 2015. Wearable Android: Android Wear and Google Fit app development. John Wiley & Sons.Google ScholarCross Ref
- Mitre. 2015. CVE-2015-2880. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2880 [Accessed: 14 July 2020].Google Scholar
- Mitre. 2018. CVE-2018-10825. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10825[Accessed: 14 July 2020].Google Scholar
- Mitre. 2019. CVE-2019-16518. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16518[Accessed: 14 July 2020].Google Scholar
- Ginger Myles and Christian Collberg. 2005. K-gram based software birthmarks. In Proceedings of the 2005 ACM symposium on Applied computing. 314–318.Google ScholarDigital Library
- National Security Agency. 2020. Ghidra. https://github.com/NationalSecurityAgency/ghidra.Google Scholar
- Nordic Semiconductor. 2020. nRF Connect for Mobile. https://www.nordicsemi.com/Software-and-tools/Development-Tools/nRF-Connect-for-mobile.Google Scholar
- Nordic Semiconductor ASA. 2020. SoftDevices. Available: https://infocenter.nordicsemi.com/index.jsp?topic=%2Fug_gsg_ses%2FUG%2Fgsg%2Fsoftdevices.html[Accessed: 03 July 2020].Google Scholar
- James Patrick-Evans, Lorenzo Cavallaro, and Johannes Kinder. 2020. Probabilistic Naming of Functions in Stripped Binaries. In Annual Computer Security Applications Conference. 373–385.Google Scholar
- Manish Prasad and Tzi-cker Chiueh. 2003. A Binary Rewriting Defense Against Stack based Buffer Overflow Attacks.. In USENIX Annual Technical Conference, General Track. 211–224.Google Scholar
- Abdullah Qasem, Paria Shirani, Mourad Debbabi, Lingyu Wang, Bernard Lebel, and Basile L Agba. 2021. Automatic Vulnerability Detection in Embedded Devices and Firmware: Survey and Layered Taxonomies. ACM Computing Surveys (CSUR) 54, 2 (2021), 1–42.Google ScholarDigital Library
- Rui Qiao and R Sekar. [n. d.]. Function interface analysis: A principled approach for function recognition in COTS binaries. In 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).Google Scholar
- Nguyen Anh Quynh. 2020. Capstone: The Ultimate Disassembler. https://www.capstone-engine.org.Google Scholar
- Nguyen Anh Quynh. 2020. Unicorn The Ultimate CPU emulator. Available: https://www.unicorn-engine.org [Accessed:25 Oct 2020].Google Scholar
- Radware. 2006. ‘BrickerBot’ Results In PDoS Attack. Available: https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/. [Accessed: 11 June 2020].Google Scholar
- Giridhar Ravipati, Andrew R Bernat, Nate Rosenblum, Barton P Miller, and Jeffrey K Hollingsworth. 2007. Toward the deconstruction of Dyninst. Univ. of Wisconsin, technical report(2007), 32.Google Scholar
- Nathan E Rosenblum, Xiaojin Zhu, Barton P Miller, and Karen Hunt. 2008. Learning to Analyze Binary Computer Code.. In AAAI. 798–804.Google Scholar
- Vinay Sachidananda, Suhas Bhairav, and Yuval Elovici. 2019. Spill the Beans: Extrospection of Internet of Things by Exploiting Denial of Service. EAI Endorsed Transactions on Security and Safety 6, 20 (2019).Google Scholar
- Eui Chul Richard Shin, Dawn Song, and Reza Moazzezi. 2015. Recognizing functions in binaries with neural networks. In 24th USENIX Security Symposium (USENIX Security 15). 611–626.Google Scholar
- Yan Shoshitaishvili, Ruoyu Wang, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2015. Firmalice-automatic detection of authentication bypass vulnerabilities in binary firmware.. In NDSS.Google Scholar
- Pallavi Sivakumaran and Jorge Blasco. 2019. A Study of the Feasibility of Co-located App Attacks against BLE and a Large-Scale Analysis of the Current Application-Layer Security Landscape. In 28th USENIX Security Symposium (USENIX Security 19). 1–18.Google Scholar
- Pallavi Sivakumaran and Jorge Blasco Alis. 2017. ATT Profiler. https://github.com/projectbtle/att-profiler.Google Scholar
- Pallavi Sivakumaran and Jorge Blasco Alis. 2018. A Low Energy Profile: Analysing Characteristic Security on BLE Peripherals. In Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. 152–154.Google ScholarDigital Library
- Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, and Mathias Payer. 2019. FirmFuzz: automated IoT firmware introspection and analysis. In Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things. 15–21.Google ScholarDigital Library
- Mark Stanislav and Tod Beardsley. 2015. Hacking IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities. Available: https://www.rapid7.com/globalassets/external/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf. [Accessed: 11 June 2020].Google Scholar
- Statista Research Department. 2019. IoT connected devices worldwide 2030. Available: https://www.statista.com/statistics/802690/worldwide-connected-devices-by-access-technology/. [Accessed: 29 June 2020].Google Scholar
- STMicroelectronics. 2018. AN4869: The BlueNRG-1, BlueNRG-2 BLE OTA (over-the-air) firmware upgrade.Google Scholar
- STMicroelectronics. 2019. PM0257: BlueNRG-1, BlueNRG-2 BLE stack v2.x programming guidelines.Google Scholar
- Texas Instruments. 2020. Bluetooth Low Energy software stack. Available: https://www.ti.com/tool/BLE-STACK [Accessed: 02 July 2020].Google Scholar
- Texas Instruments. 2020. A fully compliant Zigbee 3.x solution: Z-Stack. Available: https://www.ti.com/tool/Z-STACK [Accessed: 02 July 2020].Google Scholar
- Iain Thomson. 2016. Wi-Fi baby heart monitor may have the worst IoT security of 2016. Available: https://www.theregister.com/2016/10/13/possibly_worst_iot_security_failure_yet. [Accessed: 11 June 2020].Google Scholar
- Thread Group. 2019. What is Thread. Available: https://www.threadgroup.org/what-Is-thread[Accessed: 27 July 2020].Google Scholar
- Jörn Tillmanns, Jiska Classen, Felix Rohrbach, and Matthias Hollick. 2020. Firmware Insider: Bluetooth Randomness is Mostly Random. In 14th {USENIX} Workshop on Offensive Technologies ({WOOT} 20).Google Scholar
- Fish Wang and Yan Shoshitaishvili. 2017. Angr-the next generation of binary analysis. In 2017 IEEE Cybersecurity Development (SecDev). IEEE, 8–9.Google Scholar
- Jiliang Wang, Feng Hu, Ye Zhou, Yunhao Liu, Hanyi Zhang, and Zhe Liu. 2020. BlueDoor: breaking the secure information flow via BLE vulnerability. In Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services. 286–298.Google ScholarDigital Library
- KC Wang. 2017. Embedded real-time operating systems. In Embedded and Real-Time Operating Systems. Springer, 401–475.Google Scholar
- Xueqiang Wang, Yuqiong Sun, Susanta Nanda, and XiaoFeng Wang. [n. d.]. Looking from the mirror: evaluating IoT device security through mobile companion apps. In 28th USENIX Security Symposium (USENIX Security 19).Google Scholar
- Haohuang Wen, Zhiqiang Lin, and Yinqian Zhang. 2020. FirmXRay: Detecting Bluetooth Link Layer Vulnerabilities From Bare-Metal Firmware. (2020).Google Scholar
- Jianliang Wu, Ruoyu Wu, Daniele Antonioli, Mathias Payer, Nils Ole Tippenhauer, Dongyan Xu, Dave Jing Tian, and Antonio Bianchi. 2021. LIGHTBLUE: Automatic Profile-Aware Debloating of Bluetooth Stacks. In Proceedings of the USENIX Security Symposium (USENIX Security).Google Scholar
- Xiaojun Xu, Chang Liu, Qian Feng, Heng Yin, Le Song, and Dawn Song. 2017. Neural network-based graph embedding for cross-platform binary code similarity detection. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 363–376.Google ScholarDigital Library
- Xiaokang Yin, Shengli Liu, Long Liu, and Da Xiao. 2018. Function recognition in stripped binary of embedded devices. IEEE Access 6(2018), 75682–75694.Google ScholarCross Ref
- Kim Zetter. 2015. Hackers Can Seize Control of Electric Skateboards and Toss Riders. Available: https://www.wired.com/2015/08/hackers-can-seize-control-of-electric-skateboards-and-toss-riders-boosted-revo/[Accessed: 27 July 2020].Google Scholar
- Wei Zhou, Yan Jia, Yao Yao, Lipeng Zhu, Le Guan, Yuhang Mao, Peng Liu, and Yuqing Zhang. 2019. Discovering and Understanding the Security Hazards in the Interactions between IoT Devices, Mobile Apps, and Clouds on Smart Home Platforms. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 1133–1150.Google Scholar
- Zigbee Alliance. 2019. What is Zigbee?Available: https://Zigbeealliance.org/solution/Zigbee/[Accessed: 27 July 2020].Google Scholar
- Chaoshun Zuo, Haohuang Wen, Zhiqiang Lin, and Yinqian Zhang. 2019. Automatic fingerprinting of vulnerable BLE IoT devices with static uuids from mobile apps. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 1469–1483.Google ScholarDigital Library
Index Terms
- argXtract: Deriving IoT Security Configurations via Automated Static Analysis of Stripped ARM Cortex-M Binaries
Index terms have been assigned to the content through auto-classification.
Recommendations
A taxonomy of IoT firmware security and principal firmware analysis techniques
AbstractInternet of Things (IoT) has come a long way since its inception. However, the standardization process in IoT systems for a secure IoT solution is still in its early days. Numerous quality review articles have been contributed by ...
Graphical abstractDisplay Omitted
Landscape of IoT security
AbstractThe last two decades have experienced a steady rise in the production and deployment of sensing-and-connectivity-enabled electronic devices, replacing “regular” physical objects. The resulting Internet-of-Things (IoT) will soon become ...
Comments