The rest of the dissertation is organized as follows:
• In Chapter2we survey the state of the art relevant to our work, in which we provide a description of the existing publications, tools and experiments presented by both academia and industry.
• In Chapter3we present an end-to-end case study of the (in)security ana-lysis of wireless pyrotechnic systems. We use this case study as a motivating example for our main work in the following chapters.
1.2. ORGANIZATION 5
• In Chapter 4 we introduce our methodology and describe the large scale analysis framework that we implemented. We also provide early insights on results and challenges.
• In Chapter5, based on the established framework, we focus on the analysis of the embedded web interfaces using firmware emulation combined with static and dynamic techniques. We show how our framework can be used in practice to quickly find new vulnerabilities in embedded web interfaces.
• In Chapter 6 we further focus on the automated and accurate classifica-tion of both firmware files and online embedded devices. We present our experience with exploring possible feature sets and fingerprint metrics. We also discuss applying Machine Learning (ML) and multi-metric score fusion techniques for automated and accurate classification at large scale.
• Finally, Chapter7 concludes the dissertation and presents possible further improvements of our work.
Large Scale Security Analysis of Embedded Devices’ Firmware
Chapter 2
State of The Art
During the last few years the problem of systematically securing the embedded devices and their firmware generated an increasing interest from both academia and industry.
This problem is complex due to several factors. For example, different embedded devices and firmware images have different security requirements and protections, operating environments, hardware architectures and software support. Addition-ally, they may have different security expectations, and might implement (or not) the security requirements in a variety of ways.
For these reasons, we present in this chapter a survey of research directions, methodologies and tools that have been designed to perform security analyses of embedded devices and firmware images from an interdisciplinary perspective.
2.1 Real-World Studies
2.1.1 Large Scale Studies of Embedded Devices and Firmware Images (In-the-Wild Approach)
Several studies have been proposed to asses the security of embedded devices by scanning the Internet. Cui et al. [83] presented a wide-scale Internet scan to recognize devices that are known to be shipped with default credentials, and subsequently to confirm that the discovered devices are indeed still vulnerable by attempting to login into them. Similarly, the (in)famous Internet Census 2012 [26] is an anonymous research project that took advantage of insecure embedded devices to build a large scale distributed botnet [65]. The authors (ab)used the devices in the botnet to perform an entire IPv4 scan using stack fingerprinting based on (or similar to) NMAP [114]. Unfortunately, it is not completely clear how ethical and legal these Internet surveys were. Heninger et
7
al. [124] performed the largest ever network survey of TLS/SSL and SSH servers.
Their survey showed that vulnerable or weak keys are surprisingly widespread and that the vast majority appear to belong to headless or embedded devices.
ZMap [102] is an efficient and fast network scanner, that allows to scan the complete Internet IPv4 address space in less than one hour. Even though the scans are not especially targeting embedded devices, many such devices are present in this dataset. In Chapter4we reuse the HTTPS/SSL certificates scans that were performed using ZMap [101].
Some online services like Shodan [155] perform regular Internet scans and pro-vide a global view on publicly available devices and web services. This easy-to-use research tool allows security researchers to identify systems worldwide that are potentially exposed or exploitable. At the same time, many existing projects scanned the Internet, or parts of it, to discover vulnerabilities in embedded sys-tems [26,83,124,155,159,159]. Such wide scale scans are mainly aiming to discover online devices affected by already known vulnerabilities. Although, in some cases they can help discover new flaws [124], many categories of vulnera-bilities cannot be in principle discovered by such scans.
Zheng et al. [207] performed the first large scale analysis of customized An-droid firmware images. They used both static and dynamic analyses to evaluate the firmware security on both the application and system levels The authors collected 250 customized Android firmware images containing around 24K pre-installed applications. They also investigated a real-world large scale attack on around 348K Android devices involving a pre-installed zero-day malware known as CEPlugnew.
2.1.2 Small Scale Studies of Supervised Embedded Devices (In-the-Lab Approach)
Large scale and in-the-wild studies have many benefits and can provide unique insights, as outlined above. However, one main limitation is the lack of complete control over the embedded devices or the experimental environment. On the contrary, small scale and in-the-lab controlled environments are much easier to manage and observe. They allow in-depth analysis and thus are able to provide more detailed results.
To date, several reports exist that document in-the-lab small scale studies per-formed on live embedded devices. First, Bojinov et al. [58] conducted an assess-ment of the security of current embedded manageassess-ment interfaces. The study was conducted on real physical devices. The authors found vulnerabilities in 21 devices from 16 different brands, including network switches, cameras, photo frames, and Lights-Out Management (LOM) modules. In a similar study, a secu-rity lab manually analyzed ten Small-Office Home-Office (SOHO) routers [132]
and they discovered at least two vulnerabilities per device. Their research revealed