Go to DBLP homepageNo More Companion Apps Hacking but One Dongle: Hub-Based Blackbox Fuzzing of IoT Firmware
Abstract: Given the massive difficulty in emulating IoT firmware, blackbox fuzzing of IoT devices for vulnerability discovery has become an attractive option. However, existing blackbox IoT fuzzers need much time and tedious effort to reverse engineer the IoT companion app (or manually collect test scripts) of each IoT device, which is unscalable when analyzing many devices. Moreover, fuzzing through a companion app is impeded by the input sanitization inside the app and limited to the manually revealed functions. We notice that IoT devices are typically able to connect a hub using standard wireless protocols (such as ZigBee, Z-Wave, and WiFi). We thus propose a uniform hub-based architecture for fuzzing various IoT devices, without reverse engineering any companion apps. It exploits the messages exchanged between a hub and an IoT device to automatically discover all the functions, and then launches systematic function-oriented message-semantics-guided fuzzing. It avoids sanitization imposed by a companion app. In addition, it conducts device state-sensitive fuzzing, which we find very effective in finding IoT bugs. We implement the system named HubFuzzer. The evaluation shows that HubFuzzer leads to much higher coverage than prior state of the art. We test 21 IoT devices and find 23 zero-day vulnerabilities. Four CVEs have been assigned.
Loading