
Authentication Bypass Vulnerability Detection For Lightweight IoT Device Firmware

Posted on: 2020-09-05
Degree: Master
Type: Thesis
Country: China
Candidate: Y Yao
Full Text: PDF
GTID: 2428330602950521
Subject: Information security

Abstract/Summary:
With the rise of the Internet of Things, smart devices play an indispensable role in our daily life. Security vulnerabilities in smart devices not only endanger users' property and privacy, but also threaten users' lives. Among the various IoT device vulnerabilities, authentication bypass vulnerabilities have a wide impact and are usually the focus of attackers. Early authentication bypass vulnerabilities were mainly caused by hard-coded credentials and weak passwords, and most of the devices with such vulnerabilities were routers and cameras with Web interfaces. However, as the functionality of IoT devices increases, authentication bypass vulnerabilities are now mostly caused by logical errors in device authentication. At the same time, with the increasing number and variety of lightweight IoT devices, existing detection frameworks face challenges in analyzing lightweight IoT device firmware.

In view of the above problems, this paper conducts a security analysis of the authentication schemes of IoT devices and discovers a new type of authentication bypass vulnerability caused by a hybrid command set. This paper analyzes the causes of the vulnerability in depth and proposes a corresponding defense scheme. In order to explore the scope and harm of such authentication bypass vulnerabilities, this paper designs and implements a vulnerability detection tool named Gerbil for lightweight IoT device firmware. The innovations and contributions of this paper lie mainly in the following three aspects:

(1) This paper discovers a new type of authentication bypass vulnerability caused by cloud commands and local commands arriving at the same command set; this paper refers to it as a command hybrid authentication bypass vulnerability. IoT devices typically have multiple interactive objects, including clouds, mobile applications, and other IoT devices. Each interactive object has a command set that it may send to the device. In general, the cloud can send commands that make the device perform higher-privileged operations, such as resetting the device and updating the firmware. However, because developers implement the command-parsing logic in the firmware incorrectly, the commands that different interactive objects may send are mixed into the same command set. The hybrid command set is the essential cause of the vulnerability, while the main reason it can be exploited by attackers is that devices adopt different authentication policies for cloud interaction objects and local interaction objects. After testing a number of real devices, this paper finds that most devices do not perform strict authentication on interactive objects in the local area network. Therefore, a device with a command hybrid authentication bypass vulnerability allows an interactive object in the local area network that has not been strictly authenticated to send a command that should only be sent by the cloud, resulting in attacks such as device hijacking and device denial of service.

(2) This paper designs and implements an analysis tool named Gerbil for lightweight IoT device firmware to detect command hybrid authentication bypass vulnerabilities in smart devices. Gerbil has two main advantages. First, Gerbil can effectively analyze lightweight IoT device firmware. When analyzing such firmware, existing detection tools encounter problems such as the inability to accurately identify the loading base address, the inability to generate a complete control flow graph, path explosion, and the difficulty of solving complex constraints. This paper proposes corresponding solutions for each of these problems. First of all, this paper proposes a firmware analysis method based on identifying the chip type, which can accurately identify the loading base address of lightweight IoT device firmware. In addition, this paper improves the existing control flow recovery algorithm so that it generates a more complete control flow graph. Meanwhile, this paper integrates library function recognition into the symbolic execution engine, which not only mitigates path explosion but also extracts the high-level constraints proposed in this paper. Second, Gerbil can effectively detect command hybrid authentication bypass vulnerabilities in firmware. Gerbil recovers the authentication paths from the receipt of network data to the parsing of commands in the firmware and determines whether the network data the device receives from the local area network and the network data it receives from the cloud arrive at the same command set. In addition, Gerbil is able to solve for the possible values of network data that satisfy all constraints on an authentication path, which helps to manually verify the vulnerability.

(3) This paper collected 100 lightweight IoT device firmware images based on the ARM architecture, covering 4 device vendors and 6 chip vendors. This paper evaluates Gerbil's performance on these 100 firmware images, including loading base address identification, control flow graph recovery, detection time, and detection results. The experimental results show that Gerbil identifies the loading base address of the firmware with an accuracy of 100%. At the same time, compared with the analysis results of Angr, Gerbil's recovered control flow graph for a single firmware image contains on average 24,822 more nodes and 58,625 more edges. In addition, the average time for Gerbil to analyze all authentication paths of each firmware image is only 527.41 seconds, and Gerbil detects command hybrid authentication bypass vulnerabilities in 37 firmware images. This paper verifies the detected vulnerabilities by manually testing 3 smart devices to confirm the correctness of Gerbil's detection results. The test results show that the command hybrid authentication bypass vulnerability discovered in this paper allows attackers to carry out device hijacking and device denial of service attacks.
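The following C example is added here to illustrate the root cause described in contribution (1); it is not code from the thesis, from Gerbil, or from any real device firmware. It shows a constructed command dispatcher in the vulnerable "hybrid" shape, where one shared command table serves every interaction object and the only check is whether the command exists, beside a hardened shape where each command entry records which interaction objects may send it and every message must be authenticated before its command set is consulted. The command identifiers, source types and verdict codes are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed command identifiers for a hypothetical device (assumption). */
enum cmd_id { CMD_GET_STATUS = 1, CMD_SET_LED = 2, CMD_RESET = 10, CMD_FW_UPDATE = 11 };

/* The interaction object a message arrived from, usable as a bit mask. */
enum source { SRC_LOCAL = 1, SRC_CLOUD = 2 };

enum verdict { ACCEPT = 0, REJECT_UNKNOWN = 1, REJECT_NOT_ALLOWED = 2, REJECT_UNAUTHENTICATED = 3 };

struct msg {
    enum source src;     /* channel the message came in on */
    bool authenticated;  /* whether that channel's authentication succeeded */
    uint8_t cmd;         /* parsed command identifier */
};

/* Vulnerable shape: cloud and local commands are mixed into one table and the
   dispatcher never asks which channel the message came from or whether it was
   authenticated. With weak LAN authentication, the privileged cloud-only
   commands (reset, firmware update) are reachable from the local network. */
static const uint8_t shared_cmds[] = { CMD_GET_STATUS, CMD_SET_LED, CMD_RESET, CMD_FW_UPDATE };

int dispatch_hybrid(const struct msg *m) {
    for (size_t i = 0; i < sizeof shared_cmds; i++)
        if (shared_cmds[i] == m->cmd) return ACCEPT;
    return REJECT_UNKNOWN;
}

/* Hardened shape: each entry carries the set of interaction objects allowed to
   send it, so the cloud command set and the local command set are separated,
   and no command set is consulted until the message's channel is authenticated. */
struct cmd_entry { uint8_t cmd; uint8_t allowed_from; };

static const struct cmd_entry cmd_table[] = {
    { CMD_GET_STATUS, SRC_LOCAL | SRC_CLOUD },
    { CMD_SET_LED,    SRC_LOCAL | SRC_CLOUD },
    { CMD_RESET,      SRC_CLOUD },   /* privileged: cloud only */
    { CMD_FW_UPDATE,  SRC_CLOUD },   /* privileged: cloud only */
};

int dispatch_separated(const struct msg *m) {
    if (!m->authenticated) return REJECT_UNAUTHENTICATED;
    for (size_t i = 0; i < sizeof cmd_table / sizeof cmd_table[0]; i++) {
        if (cmd_table[i].cmd != m->cmd) continue;
        return (cmd_table[i].allowed_from & m->src) ? ACCEPT : REJECT_NOT_ALLOWED;
    }
    return REJECT_UNKNOWN;
}

int main(void) {
    /* Constructed message: an unauthenticated LAN peer asking for a reset. */
    struct msg lan_reset = { SRC_LOCAL, false, CMD_RESET };
    printf("hybrid dispatcher:    %d (0 = accepted)\n", dispatch_hybrid(&lan_reset));
    printf("separated dispatcher: %d (3 = rejected, unauthenticated)\n",
           dispatch_separated(&lan_reset));
    return 0;
}
```

The hybrid dispatcher accepts the unauthenticated local reset request, which is exactly the path Gerbil looks for: local network data and cloud network data reaching the same command set. The separated dispatcher rejects it twice over, first because the local channel was not authenticated and, even for an authenticated local peer, because CMD_RESET is not in the local command set.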
Keywords/Search Tags: Internet of Things, Firmware, Authentication bypass vulnerability, Command hybrid, Detection, Symbolic execution