research-article

Firmware Update Attacks and Security for IoT Devices: Survey

Authors:

Meriem Bettayeb,

Manar Abu TalibAuthors Info & Claims

ArabWIC 2019: Proceedings of the ArabWIC 6th Annual International Conference Research Track

Article No.: 4, Pages 1 - 6

https://doi.org/10.1145/3333165.3333169

Published: 07 March 2019 Publication History

Abstract

The increasing vulnerabilities found in Internet of Things (IoT) devices have raised the need for a solid mechanism of securing the firmware update of these connected objects, since firmware updates are one way to patch vulnerabilities and add security features. This survey analyses the types of attacks that target the firmware update operation in IoT devices and the available secure firmware update methods for IoT devices in the literature between 2004 and 2018. In addition, several popular firmware analysis and vulnerability detection tools are presented. We believe this paper will open the possibility for firmware analysis, attacks and security and therefore help researchers to develop new mechanisms to protect the embedded systems.

References

[1]

L. Da Xu, W. He, and S. Li, "Internet of things in industries: A survey," IEEE Trans. Ind. informatics, vol. 10, no. 4, pp. 2233--2243, 2014.

[2]

S. M. Chowdhury, A. Hossain, and S. Debnath, "Impact of Error Control Code on Characteristic Distance in Wireless Sensor Network," Wirel. Pers. Commun., 2017.

Digital Library

[3]

L. Kvarda, P. Hnyk, L. Vojtech, and M. Neruda, "Software implementation of secure firmware update in IoT concept," Adv. Electr. Electron. Eng., vol. 15, no. 4 Special Issue, pp. 626--632, 2017.

[4]

S. Schmidt, M. Tausig, M. Hudler, and G. Simhandl, "Secure Firmware Update Over the Air in the Internet of Things Focusing on Flexibility and Feasibility Proposal for a Design," in Internet of Things Software Update Workshop (IoTSU), At Dublin, 2016, no. June.

[5]

H. Mansor, K. Markantonakis, R. N. Akram, and K. Mayes, "Don't Brick Your Car: Firmware Confidentiality and Rollback for Vehicles," in Availability, Reliability and Security (ARES), 2015 10th International Conference, IEEE, 2015, pp. 139--148.

Digital Library

[6]

T. Rad, "Vulnerabilities in Correctional Facilities," 2011.

[7]

Dronebl, "Network Bluepill," 2008.

[8]

B. Jack, "Jackpotting Automated Teller Machines Redux," Black Hat USA, 2010.

[9]

C. Miller, "Battery firmware hacking," Black Hat USA, pp. 3--4, 2011.

[10]

A. Costin, "PostScript(um--you've been hacked)," 28C3, 2011.

[11]

A. Cui, M. Costello, and S. J. Stolfo, "When Firmware Modifications Attack: A Case Study of Embedded Exploitation," 2013.

[12]

Z. Ling, J. Luo, Y. Xu, C. Gao, K. Wu, and X. Fu, "Security Vulnerabilities of Internet of Things: A Case Study of the Smart Plug System," IEEE Internet Things J., vol. 4, no. 6, pp. 1899--1909, 2017.

[13]

C. Hawk, J. Hyland, R. Rupert, M. Colonvega, and S. Hall, "Defending Against Firmware Cyber Attacks on Safety-Critical Systems," Chiropr. Osteopat., vol. 14, no. 1, p. 3, 2006.

[14]

J. Rieck, "Attacks on Fitness Trackers Revisited: A Case-Study of Unfit Firmware Security," pp. 33--44, 2016.

[15]

H. A. Abdul-ghani, D. Konstantas, and M. Mahyoub, "A Comprehensive IoT Attacks Survey based on a Building-blocked Reference Model," no. April, 2018.

[16]

G. Jurković and V. Sruk, "Remote firmware update for constrained embedded systems," 2014 37th Int. Conv. Inf. Commun. Technol. Electron. Microelectron. MIPRO 2014 - Proc., no. May, pp. 1019--1023, 2014.

[17]

H. Yaling, "The design of monitoring system based on GPRS," pp. 1--4, 2016.

[18]

S. Dalai, B. Chatterjee, D. Dey, S. Chakravorti, and K. Bhattacharya, "Microcontroller based remote updating system using voice channel of cellular network," 2015 IEEE Power, Commun. Inf. Technol. Conf., pp. 11--16, 2015.

[19]

B. C. Choi, S. H. Lee, J. C. Na, and J. H. Lee, "Secure firmware validation and update for consumer devices in home networking," IEEE Trans. Consum. Electron., vol. 62, no. 1, pp. 39--44, 2016.

Digital Library

[20]

P. G. Zaware, "Wireless Monitoring, Controlling and Firmware upgradation of embedded devices using Wi-Fi," pp. 2--7, 2014.

[21]

S. G. Hong, N. S. Kim, and T. Heo, "A smartphone connected software updating framework for IoT devices," Proc. Int. Symp. Consum. Electron. ISCE, vol. 2015--Augus, pp. 2--3, 2015.

[22]

T. Thanh, T. H. Vu, N. Van Cuong, and P. N. Nam, "A protocol for secure remote update of run-time partially reconfigurable systems based on FPGA," 2013 Int. Conf. Control. Autom. Inf. Sci. ICCAIS 2013, no. November 2013, pp. 295--299, 2013.

[23]

S. Schmidt, M. Tausig, M. Hudler, and G. Simhandl, "Secure Firmware Update Over the Air in the Internet of Things Focusing on Flexibility and Feasibility," no. August, 2016.

[24]

A. Seshadri, M. Luk, A. Perrig, L. van Doorn, and P. Khosla, "SCUBA: Secure Code Update By Attestation in sensor networks," WiSe '06 Proc. 5th ACM Work. Wirel. Secur., 2006.

Digital Library

[25]

D. Perito and G. Tsudik, "Secure code update for embedded devices via proofs of secure erasure," in Springer, 2010.

[26]

G. O. Karame and W. Li, "Secure erasure and code update in legacy sensors," in Springer, 2015.

[27]

N. Karvelas and A. Kiayias, "Efficient proofs of secure erasure," SCN, Springer, 2014.

[28]

N. Asokan, T. Nyman, A. Sadeghi, G. Tsudik, and T. U. Darmstadt, "ASSURED: Architecture for Secure Software Update of Realistic Embedded Devices," IEEE.

[29]

B. L. B, S. Malik, S. Wi, and J. Lee, "Firmware Verification of Embedded Devices Based on a Blockchain," Springer, vol. 199, pp. 52--61, 2017.

[30]

B. L. J. Lee, "Blockchain-based secure firmware update for embedded devices in an Internet of Things environment," J. Supercomput. Springer, 2016.

Digital Library

[31]

A. Yohan, N. Lo, and S. Achawapong, "Blockchain-based Firmware Update Framework for Internet-of-Things Environment," in Conf. Information and Knowledge Engineering, pp. 151--155.

[32]

G. Gabriel, R. Roy, and S. B. R. Kumar, "International Conference on Computer Networks and Communication Technologies," in International Conference on Computer Networks and Communication Technologies, Springer (to appear), 2019, vol. 15, pp. 671--679.

[33]

Y. Gupta, R. Shorey, D. Kulkarni, and J. Tew, "The Applicability of Blockchain in the Internet of Things," pp. 561--564.

[34]

"Awesome Firmware Security." {Online}. Available: https://github.com/PreOS-Security/awesome-firmware-security/blob/master/README.md.

[35]

"Binwalk." {Online}. Available: https://github.com/ReFirmLabs/binwalk.

[36]

A. Cui, "Embedded Device Firmware Vulnerability Hunting Using FRAK," Black Hat USA, 2012.

[37]

"FACT." {Online}. Available: https://github.com/fkie-cad/FACT_core.

[38]

D. D. Chen, M. Egele, M. Woo, and D. Brumley, "Towards Automated Dynamic Analysis for Linux-based Embedded Firmware," no. February, pp. 21--24, 2016.

[39]

"Firmware Mod Kit." {Online}. Available: https://github.com/rampageX/firmware-mod-kit/wiki.

[40]

"Firmwalker." {Online}. Available: https://github.com/craigz28/firmwalker.

[41]

Attify, "Firmware Analysis Toolkit." {Online}. Available: https://github.com/attify/firmware-analysis-toolkit.

[42]

"BIN2BMP." {Online}. Available: https://sourceforge.net/projects/bin2bmp/files/bin2bmp/.

[43]

"Radare2." {Online}. Available: https://github.com/radare/radare2.

[44]

"IDA." {Online}. Available: https://hex-rays.com/.

[45]

"Firminator." {Online}. Available: https://github.com/misterch0c/firminator_backend.

[46]

J. Zaddach, L. Bruno, and D. Balzarotti, "Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems ' Firmwares."

[47]

D. Davidson, T. Ristenpart, and W. Madison, "F IE on Firmware: Finding Vulnerabilities in Embedded Systems using Symbolic Execution."

[48]

"Firmware.Re." {Online}. Available: http://firmware.re/.

[49]

Y. David and E. Yahav, "FirmUp: Precise Static Detection of Common Vulnerabilities in Firmware," ASPLOS'18, 2018.

Digital Library

[50]

"Angr." {Online}. Available: https://github.com/angr/angr.

[51]

"ReFirm Labs." {Online}. Available: https://www.refirmlabs.com/.

Cited By

Ye JDe Carnavalet XZhao LZhang MWu LZhang WQuek TGao DZhou JCardenas A(2024)Exposed by Default: A Security Analysis of Home Router Default SettingsProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3637671(63-79)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3637671
Kondeti VBahsi H(2024)Mapping Cyber Attacks on the Internet of Medical Things: A Taxonomic Review2024 19th Annual System of Systems Engineering Conference (SoSE)10.1109/SOSE62659.2024.10620925(84-91)Online publication date: 23-Jun-2024
https://doi.org/10.1109/SOSE62659.2024.10620925
Surianarayanan CChelliah P(2023)Integration of the Internet of Things and CloudInternational Journal of Cloud Applications and Computing10.4018/IJCAC.32562413:1(1-30)Online publication date: 10-Jul-2023
https://dl.acm.org/doi/10.4018/IJCAC.325624
Show More Cited By

Index Terms

Firmware Update Attacks and Security for IoT Devices: Survey
1. Security and privacy
  1. Security in hardware
2. Social and professional topics
  1. Professional topics
    1. Management of computing and information systems
      1. System management
        Centralization / decentralization

Recommendations

Hyperledger-Based Secure Firmware Update Delivery for IoT Devices
ArabWIC 2021: The 7th Annual International Conference on Arab Women in Computing in Conjunction with the 2nd Forum of Women in Research

The increase of relying on intelligent and connected devices in our home, company, and everyday life aspect leads to the rapid growth of the Internet of Things (IoT) technology. While some IoT devices communicate without the involvement of users, their ...
Version Control System Gateway to Optimize Firmware over the Air (FOTA) Update for IoT Wireless Devices
Abstract
IoT (Internet of Things) use cases cover all the verticals of industry/organization. From manufacturing unit to building management, from X protocol to Y protocol, from A device to Z device; everywhere it is using. The number of IoT devices is ...
FOTB: a secure blockchain-based firmware update framework for IoT environment
Abstract
Recently, numerous exploitations and attacks in IoT environment occurred all over the world. One of the major attacking channels is utilizing the firmware of IoT devices as the access interface to compromise the targeted IoT devices. Therefore, it ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ArabWIC 2019: Proceedings of the ArabWIC 6th Annual International Conference Research Track

March 2019

136 pages

ISBN:9781450360890

DOI:10.1145/3333165

Conference Chairs:
Kaoutar El Maghraoui,
Dalila Chiadmi,
Program Chairs:
Laila Benhlima,
Nariman Ammar

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

Google Inc.
Microsoft: Microsoft
Facebook: Facebook
ORACLE: ORACLE
IBM: IBM

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 March 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ArabWIC 2019

ArabWIC 2019: ArabWIC 6th Annual International Conference Research Track

March 7 - 9, 2019

Rabat, Morocco

Acceptance Rates

ArabWIC 2019 Paper Acceptance Rate 20 of 36 submissions, 56%;

Overall Acceptance Rate 20 of 36 submissions, 56%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

38
Total Citations
View Citations
1,870
Total Downloads

Downloads (Last 12 months)318
Downloads (Last 6 weeks)17

Reflects downloads up to 30 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

Ye JDe Carnavalet XZhao LZhang MWu LZhang WQuek TGao DZhou JCardenas A(2024)Exposed by Default: A Security Analysis of Home Router Default SettingsProceedings of the 19th ACM Asia Conference on Computer and Communications Security10.1145/3634737.3637671(63-79)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1145/3634737.3637671
Kondeti VBahsi H(2024)Mapping Cyber Attacks on the Internet of Medical Things: A Taxonomic Review2024 19th Annual System of Systems Engineering Conference (SoSE)10.1109/SOSE62659.2024.10620925(84-91)Online publication date: 23-Jun-2024
https://doi.org/10.1109/SOSE62659.2024.10620925
Surianarayanan CChelliah P(2023)Integration of the Internet of Things and CloudInternational Journal of Cloud Applications and Computing10.4018/IJCAC.32562413:1(1-30)Online publication date: 10-Jul-2023
https://dl.acm.org/doi/10.4018/IJCAC.325624
Abdulghani HCollen ANijdam N(2023)Guidance Framework for Developing IoT-Enabled Systems’ CybersecuritySensors10.3390/s2308417423:8(4174)Online publication date: 21-Apr-2023
https://doi.org/10.3390/s23084174
Zhao QZheng DZhang YRen Y(2023)Fine-Grained Forward Secure Firmware Update in Smart HomeMathematics10.3390/math1114308411:14(3084)Online publication date: 12-Jul-2023
https://doi.org/10.3390/math11143084
Lola JSerrão CCasal J(2023)Towards Transparent and Secure IoT: Improving the Security and Privacy through a User-Centric Rules-Based SystemElectronics10.3390/electronics1212258912:12(2589)Online publication date: 8-Jun-2023
https://doi.org/10.3390/electronics12122589
Liu SLv MZhang WJiang XGu CYang TYi WGuan N(2023)Light Flash Write for Efficient Firmware Update on Energy-harvesting IoT Devices2023 Design, Automation & Test in Europe Conference & Exhibition (DATE)10.23919/DATE56975.2023.10136990(1-6)Online publication date: Apr-2023
https://doi.org/10.23919/DATE56975.2023.10136990
Saiki AOmori YKimura K(2023)Parallel Verification in RISC-V Secure Boot2023 IEEE 16th International Symposium on Embedded Multicore/Many-core Systems-on-Chip (MCSoC)10.1109/MCSoC60832.2023.00089(568-575)Online publication date: 18-Dec-2023
https://doi.org/10.1109/MCSoC60832.2023.00089
Ayavaca-Vallejo LAvila-Pesantez D(2023)Smart Home IoT Cybersecurity Survey: A Systematic Mapping2023 Conference on Information Communications Technology and Society (ICTAS)10.1109/ICTAS56421.2023.10082751(1-6)Online publication date: Mar-2023
https://doi.org/10.1109/ICTAS56421.2023.10082751
Zhang MZhang YLi SWan Q(2023)Software Trusted Startup and Update Protection Scheme of IoT Devices2023 IEEE 9th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS)10.1109/BigDataSecurity-HPSC-IDS58521.2023.00035(147-152)Online publication date: May-2023
https://doi.org/10.1109/BigDataSecurity-HPSC-IDS58521.2023.00035
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents