AoT - Attack on Things: A security analysis of IoT firmware updates

Muhammad Ibrahim*, Andrea Continella, Antonio Bianchi

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

12 Citations (Scopus)
2131 Downloads (Pure)

Abstract

IoT devices implement firmware update mechanisms to fix security issues and deploy new features. These mechanisms are often triggered and mediated by mobile companion apps running on the users' smartphones. While it is crucial to update devices, these mechanisms may cause critical security flaws if they are not implemented correctly. Given their relevance, in this paper, we perform a systematic security analysis of the firmware update mechanisms adopted by IoT devices via their companion apps. First, we define a threat model for IoT firmware updates, and we categorize the different potential security issues affecting them. Then, we analyze 23 popular IoT devices (and corresponding companion apps) to identify vulnerable devices and the SDKs that such devices use to implement the update functionality. Our analysis reveals that 6 popular SDKs present dangerous security flaws. Additionally, we fingerprint each vulnerable SDK and we leverage our fingerprints to perform a large-scale analysis of companion apps from the Google Play Store. Our results show that 61 popular devices and 1,356 apps rely on vulnerable SDKs and thus potentially adopt an insecure firmware update mechanism.

Original language: English
Title of host publication: Proceedings - 8th IEEE European Symposium on Security and Privacy, Euro S and P 2023
Publisher: IEEE
Pages: 1047-1064
Number of pages: 18
ISBN (Electronic): 9781665465120
DOIs
Publication status: Published - 3 Jul 2023
Event: 8th IEEE European Symposium on Security and Privacy - TU Delft Echo, Delft, Netherlands
Duration: 3 Jul 2023 to 7 Jul 2023
Conference number: 8
https://eurosp2023.ieee-security.org/index.html

Conference

Conference: 8th IEEE European Symposium on Security and Privacy
Abbreviated title: Euro S&P
Country/Territory: Netherlands
City: Delft
Period: 3/07/23 to 7/07/23
Internet address

Keywords

  • cybersecurity
