Opening Pandora’s box: Effective techniques for reverse engineering IoT devices

Omer Shwartz, Yael Mathov, Michael Bohadana, Yuval Elovici, Yossi Oren

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

10 Scopus citations

Abstract

With the growth of the Internet of Things, many insecure embedded devices are entering into our homes and businesses. Some of these web-connected devices lack even basic security protections such as secure password authentication. As a result, thousands of IoT devices have already been infected with malware and enlisted into malicious botnets and many more are left vulnerable to exploitation. In this paper we analyze the practical security level of 16 popular IoT devices from high-end and low-end manufacturers. We present several low-cost black-box techniques for reverse engineering these devices, including software and fault injection based techniques for bypassing password protection. We use these techniques to recover device firmware and passwords. We also discover several common design flaws which lead to previously unknown vulnerabilities. We demonstrate the effectiveness of our approach by modifying a laboratory version of the Mirai botnet to automatically include these devices. We also discuss how to improve the security of IoT devices without significantly increasing their cost.

Original language: English
Title of host publication: Smart Card Research and Advanced Applications - 16th International Conference, CARDIS 2017, Revised Selected Papers
Editors: Thomas Eisenbarth, Yannick Teglia
Publisher: Springer Verlag
Pages: 1-21
Number of pages: 21
ISBN (Print): 9783319752075
State: Published - 1 Jan 2018
Event: 16th International Conference on Smart Card Research and Advanced Applications, CARDIS 2017 - Lugano, Switzerland
Duration: 13 Nov 2017 - 15 Nov 2017

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10728 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 16th International Conference on Smart Card Research and Advanced Applications, CARDIS 2017
Country/Territory: Switzerland
City: Lugano
Period: 13/11/17 - 15/11/17
