On Manually Reverse Engineering Communication Protocols of Linux-Based IoT Systems

IoT security and privacy have raised grave concerns. Efforts have been made to design tools to identify and understand vulnerabilities of IoT systems. Most existing protocol security analysis techniques rely on a good understanding of the underlying communication protocols. In this paper, we systematically present the first manual reverse engineering framework for discovering communication protocols of embedded Linux-based IoT systems. We have successfully applied our framework to reverse engineer a number of IoT systems. As an example, we present a detailed application of the framework to reverse engineering the WeMo smart plug communication protocol: extracting the firmware from the flash, performing static and dynamic analysis of the firmware, and analyzing network traffic. The discovered protocol exposes severe design flaws that allow attackers to control or deny the service of victim plugs. Our manual reverse engineering framework is generic and can be applied to both read-only and writable embedded Linux filesystems.
