Recent high-profile attacks on the Internet of Things (IoT) have brought the vulnerability of “smart” devices to the forefront, and IoT technologies and end devices have consequently been subjected to numerous security analyses. One source with the potential to provide rich and definitive information about an IoT device is its firmware. However, analysing IoT firmware is notoriously difficult, as firmware for IoT peripherals is predominantly distributed as stripped binaries, without the debugging symbols that would simplify reverse engineering. In this talk, we will present argXtract, an open-source tool that extracts configuration information from Supervisor Calls (SVCs) within a stripped ARM Cortex-M binary. Through a combination of generic ARM assembly analysis and vendor-specific configurations, argXtract generates call trace chains and statically “executes” a firmware file in order to retrieve and process the arguments passed to SVCs. This enables automated bulk analysis of firmware files, from which statistical security information can be derived. We will also present a real-world test case in which we configure argXtract to obtain Bluetooth Low Energy (BLE) security configurations from Nordic Semiconductor firmware files, and execute it against a dataset of 246 firmware binaries. The results demonstrate that privacy and security vulnerabilities are prevalent in IoT.
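To make the approach concrete, here is an added illustration (written for this page, not argXtract's own code) of the core idea: find SVC instructions in a stripped Thumb binary, track the argument registers r0-r3 back to the constants or literal-pool loads that set them, and, where an argument is a pointer, read the configuration structure it points to straight out of the binary. It handles only straight-line code and three Thumb encodings (MOVS Rd,#imm8; LDR Rt,[pc,#imm]; SVC #imm8); the load address, the SVC numbers, the argument structure layout and the firmware bytes are all constructed assumptions for the example and do not reflect any real SoftDevice API.

```python
import struct

# Assumed load address of the constructed blob below. Real Cortex-M firmware has a
# vendor/bootloader-specific base; argXtract gets such details from its vendor config.
LOAD_ADDR = 0x1000

# Hypothetical SVC numbers and argument meanings, standing in for a vendor SVC table.
# These are NOT real Nordic SoftDevice numbers or structures.
SVC_TABLE = {
    0x70: "sec_params_set",   # r0 = pointer to security-parameter struct, r1 = conn handle
    0x71: "adv_start",        # r0 = flags
}

def decode16(hw):
    """Decode the three 16-bit Thumb encodings this toy tracer understands."""
    if (hw & 0xF800) == 0x2000:          # MOVS Rd, #imm8
        return "movs", {"rd": (hw >> 8) & 7, "imm": hw & 0xFF}
    if (hw & 0xF800) == 0x4800:          # LDR Rt, [pc, #imm8*4]  (literal pool load)
        return "ldr_lit", {"rt": (hw >> 8) & 7, "imm": (hw & 0xFF) * 4}
    if (hw & 0xFF00) == 0xDF00:          # SVC #imm8
        return "svc", {"imm": hw & 0xFF}
    return None

def is_32bit(hw):
    """First halfword of a 32-bit Thumb-2 instruction has bits 15:11 = 11101/11110/11111."""
    return (hw >> 11) in (0b11101, 0b11110, 0b11111)

def trace_svcs(blob, start=0, load_addr=LOAD_ADDR):
    """Walk straight-line Thumb code from `start`, tracking r0-r3, until BX LR.

    Returns one record per SVC reached: its number, address and the values of r0-r3
    at that point (None = not set by a handled instruction). Instructions outside the
    handled subset are stepped over without modelling their effect; argXtract itself
    models far more (branches, call chains, memory writes).
    """
    regs = {r: None for r in range(4)}
    hits = []
    pc = start
    while pc + 2 <= len(blob):
        hw = struct.unpack_from("<H", blob, pc)[0]
        if hw == 0x4770:                 # BX LR: end of the function
            break
        if is_32bit(hw):
            pc += 4
            continue
        ins = decode16(hw)
        if ins:
            name, op = ins
            if name == "movs":
                regs[op["rd"]] = op["imm"]
            elif name == "ldr_lit":
                # In Thumb, PC reads as instruction address + 4, word-aligned for literal loads.
                base = (load_addr + pc + 4) & ~3
                regs[op["rt"]] = struct.unpack_from("<I", blob, base - load_addr + op["imm"])[0]
            elif name == "svc":
                hits.append({"svc": op["imm"], "name": SVC_TABLE.get(op["imm"], "unknown"),
                             "addr": load_addr + pc, **{f"r{r}": regs[r] for r in range(4)}})
        pc += 2
    return hits

def decode_sec_params(blob, ptr, load_addr=LOAD_ADDR):
    """Hypothetical 4-byte struct: flags (bit0 bond, bit1 mitm), min_key_size, max_key_size, pad."""
    flags, min_key, max_key = struct.unpack_from("<BBB", blob, ptr - load_addr)
    return {"bond": bool(flags & 1), "mitm": bool(flags & 2),
            "min_key_size": min_key, "max_key_size": max_key}

def assess(params):
    """Flag weak BLE pairing settings the way a bulk analysis would tally them."""
    findings = []
    if not params["mitm"]:
        findings.append("no MITM protection requested (Just Works pairing possible)")
    if params["min_key_size"] < 16:
        findings.append(f"min_key_size {params['min_key_size']} < 16: short keys negotiable")
    return findings

# Constructed Thumb blob (little-endian halfwords), assumed loaded at LOAD_ADDR.
BLOB = bytes([
    0x02, 0x48,              # 0x1000: ldr  r0, [pc, #8]   -> literal at 0x100C
    0x05, 0x21,              # 0x1002: movs r1, #5
    0x70, 0xDF,              # 0x1004: svc  #0x70
    0x00, 0x20,              # 0x1006: movs r0, #0
    0x71, 0xDF,              # 0x1008: svc  #0x71
    0x70, 0x47,              # 0x100A: bx   lr
    0x10, 0x10, 0x00, 0x00,  # 0x100C: literal pool word 0x00001010 (pointer to struct)
    0x01, 0x07, 0x10, 0x00,  # 0x1010: struct {flags=bond, min_key_size=7, max_key_size=16, pad}
])

def analyze(blob=BLOB):
    """Trace the blob, resolve the pointer argument of the hypothetical SVC and assess it."""
    results = []
    for hit in trace_svcs(blob):
        rec = dict(hit)
        if hit["svc"] == 0x70 and hit["r0"] is not None:
            rec["params"] = decode_sec_params(blob, hit["r0"])
            rec["findings"] = assess(rec["params"])
        results.append(rec)
    return results

if __name__ == "__main__":
    for rec in analyze():
        print(rec)
```

Running it against the constructed blob recovers both SVCs with their register arguments, follows r0 of the first one into the literal pool and then into the structure it points at, and reports the two weaknesses (no MITM protection, minimum key size 7) that a bulk run over many binaries would count. The same shape, a generic instruction tracer plus a vendor-specific table of SVC numbers and argument layouts, is what lets the real tool be re-targeted to a different vendor's SVC API.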
Pallavi Sivakumaran is a final-year CDT student with the Information Security Group at Royal Holloway, University of London. Her research focuses on security and privacy concerns associated with Bluetooth Low Energy, which is a key enabling technology for the Internet-of-Things (IoT).