Breaking All the Things—A Systematic Survey of Firmware Extraction Techniques for IoT Devices

  • Conference paper
  • In: Smart Card Research and Advanced Applications (CARDIS 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11389))

Abstract

In this paper, we systematically review and categorize hardware-based firmware extraction techniques, using 24 examples of real, widespread products, e.g. smart voice assistants (in particular Amazon Echo devices), alarm and access control systems, and home automation devices. We show that in over 45% of the cases an exposed UART interface is sufficient to obtain a firmware dump, while in other cases more involved, yet still low-cost, methods (e.g. JTAG or eMMC readout) are needed. In particular, we perform an in-depth investigation of the security concept of the Amazon Echo Plus, which contains significant protection mechanisms against hardware-level attacks. Based on the results of our study, we give recommendations for countermeasures that mitigate the respective extraction methods.
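The abstract's headline finding is that an exposed UART console alone is often enough to dump firmware. The following is an added example, not code from the paper or its authors, showing what that looks like in practice when the console drops into a U-Boot prompt: the dump arrives as text lines from U-Boot's `md.b` (memory display, byte-wise) command and has to be parsed back into a binary image, with any line lost or garbled on the serial link detected so that only the affected range is re-requested. It assumes a U-Boot prompt of `=> `, the standard `md.b` line layout (`ADDR: b0 b1 ... bF    ascii`), and that the flash contents have already been copied into RAM at the address being displayed; the console capture embedded below is constructed for illustration, and the `dump_over_uart` helper (which needs pyserial and a real device) is not exercised offline.

```python
"""Reassemble a firmware image from a U-Boot ``md.b`` capture taken over UART.

Added example, not code from the CARDIS 2018 paper.  Assumes a U-Boot prompt
of "=> " and U-Boot's standard md.b output layout; the capture below is
constructed sample data, not output from a real device.
"""
import re
from typing import Dict, List, Tuple

# One md.b line: 8 hex digits, colon, 1..16 " xx" byte columns, >=2 spaces, ASCII.
MD_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?:\s[0-9a-fA-F]{2}){1,16})\s{2,}.*$")

# Constructed console capture: three good lines, then one line mangled on the
# serial link (partial byte, no ASCII column) that the parser must reject.
SAMPLE_CAPTURE = """\
=> md.b 80000000 40
80000000: 27 05 19 56 7a 3c 1e 9f 5b 8a 2c 40 00 1a 6b 30    '..Vz<..[.,@..k0
80000010: 80 00 80 00 80 00 80 00 3e 21 90 c7 05 02 02 00    ........>!......
80000020: 4c 69 6e 75 78 2d 34 2e 34 00 00 00 00 00 00 00    Linux-4.4.......
80000030: 7f 45 4c 46 01 01 01 00 00 00 00 00 0
=> """


def parse_md_dump(capture: str) -> Dict[int, bytes]:
    """Return {address: bytes} for every well-formed md.b line in a console log.

    Prompt echoes, boot messages and partial lines are ignored, so a raw
    minicom/screen log can be fed in directly.
    """
    chunks: Dict[int, bytes] = {}
    for line in capture.splitlines():
        m = MD_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        chunks[addr] = bytes.fromhex(m.group(2).replace(" ", ""))
    return chunks


def assemble_image(chunks: Dict[int, bytes], base: int, length: int
                   ) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Stitch chunks into a contiguous image covering [base, base+length).

    Missing ranges (dropped or garbled lines) are filled with 0xFF, the erased
    flash value, and returned as (start, end) address pairs so the caller can
    re-request just those ranges instead of repeating the whole dump.
    """
    image = bytearray(b"\xff" * length)
    covered = bytearray(length)
    for addr, data in chunks.items():
        off = addr - base
        if off < 0 or off >= length:
            continue
        n = min(len(data), length - off)
        image[off:off + n] = data[:n]
        covered[off:off + n] = b"\x01" * n
    gaps: List[Tuple[int, int]] = []
    i = 0
    while i < length:
        if covered[i]:
            i += 1
            continue
        j = i
        while j < length and not covered[j]:
            j += 1
        gaps.append((base + i, base + j))
        i = j
    return bytes(image), gaps


def md_commands(base: int, length: int, chunk: int = 0x1000) -> List[str]:
    """U-Boot commands that display [base, base+length) in chunk-byte pieces.

    md.b takes a hex address and a hex object count (bytes for .b).
    """
    cmds = []
    for addr in range(base, base + length, chunk):
        n = min(chunk, base + length - addr)
        cmds.append(f"md.b {addr:08x} {n:x}")
    return cmds


def dump_over_uart(port: str, base: int, length: int,
                   prompt: bytes = b"=> ", baud: int = 115200) -> bytes:
    """Drive a live U-Boot console (needs pyserial; not run offline).

    Assumes the device already sits at the U-Boot prompt and that the flash
    region of interest was first copied into RAM at `base`.
    """
    import serial  # lazy import so the parser above works without pyserial
    capture = []
    with serial.Serial(port, baud, timeout=5) as ser:
        for cmd in md_commands(base, length):
            ser.write(cmd.encode() + b"\n")
            capture.append(ser.read_until(prompt).decode("ascii", "replace"))
    image, gaps = assemble_image(parse_md_dump("".join(capture)), base, length)
    if gaps:
        raise RuntimeError("incomplete dump, re-request: "
                           + str([(hex(a), hex(b)) for a, b in gaps]))
    return image


if __name__ == "__main__":
    img, missing = assemble_image(parse_md_dump(SAMPLE_CAPTURE), 0x80000000, 0x40)
    print(img[:4].hex(), [(hex(a), hex(b)) for a, b in missing])
```

On the constructed capture the first four bytes come back as `27051956`, the uImage magic, and the mangled fourth line shows up as the gap `0x80000030`..`0x80000040` rather than silently corrupting the image. Flash is normally not memory-mapped, so in a real session the region is first staged into RAM with a bootloader command such as `sf read`, `nand read` or `mmc read`; `dump_over_uart` leaves that step to the operator. The same console is also where the cheap mitigations live: U-Boot can be built with a silent console and a keyed or password-protected autoboot stop, and the UART header can be left unpopulated or disabled by the bootloader's configuration, which is the kind of countermeasure the abstract refers to without this page reproducing the paper's specific recommendations.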



Author information

Corresponding author: Sebastian Vasile


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Vasile, S., Oswald, D., Chothia, T. (2019). Breaking All the Things—A Systematic Survey of Firmware Extraction Techniques for IoT Devices. In: Bilgin, B., Fischer, JB. (eds) Smart Card Research and Advanced Applications. CARDIS 2018. Lecture Notes in Computer Science(), vol 11389. Springer, Cham. https://doi.org/10.1007/978-3-030-15462-2_12

  • DOI: https://doi.org/10.1007/978-3-030-15462-2_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-15461-5

  • Online ISBN: 978-3-030-15462-2
