Idols with Feet of Clay: On the Security of Bootloaders and Firmware Updaters for the IoT

IoT devices are generally implemented with low-cost embedded solutions, and connectivity and communication capabilities are the raison d’être of such devices. But this is a double-edged sword, since connectivity also (1) opens the door to more attack possibilities, and (2) means that the targeted system, once breached, can serve as the support for attacks at a larger scale, possibly involving many connected systems. Our observation is that such devices lack proper hardware and software security protections. Bootloader and Firmware Update (BFU) mechanisms are critical components in the software stack of IoT devices. BFUs are a target of choice since they run with the highest privileges and are executed before the system's security policy is set up. An attacker able to compromise the BFU can gain full control over the target system. Moreover, the update mechanism often supported by the BFU is essential to ensure devices can be upgraded and maintained for a long time. If not properly secured, the BFU allows an attacker to gain control over a system throughout its whole lifetime, including future upgrades. In this paper, we provide an overview of the threats targeting BFUs and of existing protections. We cover the hardware and software attacks that are known in the scientific literature. We also argue that vulnerabilities to physical attacks, in particular to fault injection attacks, are mostly left unattended.
