Abstract
In this paper, we systematically review and categorize hardware-based firmware extraction techniques, using 24 examples of real, widespread products, e.g. smart voice assistants (in particular Amazon Echo devices), alarm and access control systems, and home automation devices. We show that in over 45% of the cases, an exposed UART interface is sufficient to obtain a firmware dump, while in other cases, more complicated yet still low-cost methods (e.g. JTAG or eMMC readout) are needed. In this regard, we perform an in-depth investigation of the security concept of the Amazon Echo Plus, which contains significant protection methods against hardware-level attacks. Based on the results of our study, we give recommendations for countermeasures to mitigate the respective methods.
© 2019 Springer Nature Switzerland AG
Vasile, S., Oswald, D., Chothia, T. (2019). Breaking All the Things—A Systematic Survey of Firmware Extraction Techniques for IoT Devices. In: Bilgin, B., Fischer, JB. (eds) Smart Card Research and Advanced Applications. CARDIS 2018. Lecture Notes in Computer Science, vol 11389. Springer, Cham. https://doi.org/10.1007/978-3-030-15462-2_12
DOI: https://doi.org/10.1007/978-3-030-15462-2_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-15461-5
Online ISBN: 978-3-030-15462-2
eBook Packages: Computer Science (R0)