AoT - Attack on Things: A security analysis of IoT firmware updates

Muhammad Ibrahim*, Andrea Continella, Antonio Bianchi

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

4 Citations (Scopus)
1670 Downloads (Pure)

Abstract

IoT devices implement firmware update mechanisms to fix security issues and deploy new features. These mechanisms are often triggered and mediated by mobile companion apps running on the users' smartphones. While it is crucial to update devices, these mechanisms may cause critical security flaws if they are not implemented correctly. Given their relevance, in this paper, we perform a systematic security analysis of the firmware update mechanisms adopted by IoT devices via their companion apps. First, we define a threat model for IoT firmware updates, and we categorize the different potential security issues affecting them. Then, we analyze 23 popular IoT devices (and corresponding companion apps) to identify vulnerable devices and the SDKs that such devices use to implement the update functionality. Our analysis reveals that 6 popular SDKs present dangerous security flaws. Additionally, we fingerprint each vulnerable SDK and we leverage our fingerprints to perform a large-scale analysis of companion apps from the Google Play Store. Our results show that 61 popular devices and 1,356 apps rely on vulnerable SDKs, thus, they potentially adopt an insecure firmware update mechanism.

Original languageEnglish
Title of host publicationProceedings - 8th IEEE European Symposium on Security and Privacy, Euro S and P 2023
PublisherIEEE
Pages1047-1064
Number of pages18
ISBN (Electronic)9781665465120
DOIs
Publication statusPublished - 3 Jul 2023
Event8th IEEE European Symposium on Security and Privacy - TU Delft Echo, Delft, Netherlands
Duration: 3 Jul 20237 Jul 2023
Conference number: 8
https://eurosp2023.ieee-security.org/index.html

Conference

Conference8th IEEE European Symposium on Security and Privacy
Abbreviated titleEuro S&P
Country/TerritoryNetherlands
CityDelft
Period3/07/237/07/23
Internet address

Keywords

  • cybersecurity

Fingerprint

Dive into the research topics of 'AoT - Attack on Things: A security analysis of IoT firmware updates'. Together they form a unique fingerprint.

Cite this