In recent years, with the rapid development of the smart home industry, smart home devices such as smart door locks, smart gateways, and smart sockets have become common in people's daily lives. However, the lack of security awareness among developers has led to an increase in cyberattacks targeting smart home devices. In these incidents, attackers mostly exploited security vulnerabilities in device firmware, so security analysis of smart home firmware is one of the important means of improving the security of smart home devices. However, there are still many problems in the field of firmware security analysis, such as the difficulty of reverse analysis and the complexity and variety of communication protocols. In order to solve these problems, this paper investigates several key technologies in the process of smart home firmware security analysis. The main work is as follows:

1. In many cases the name of a function is related to its functionality, and some sensitive functions can be located by their names, which improves the efficiency of firmware security analysis. However, some smart home firmware runs without an operating system or on a Real Time Operating System (RTOS) and usually does not contain function name information, so security researchers can only use time-consuming and laborious reverse engineering to analyze the function code and infer its purpose. To solve this problem, this paper proposes a function name restoration method for firmware library functions based on binary code similarity comparison. The first step of this method is to construct an open-source function signature library by collecting commonly used open-source library functions. The second step is to identify the firmware's compilation environment from the characteristics of the compiler's initialization functions, and to identify the RTOS type of the firmware from RTOS characteristic strings and certain system functions. The last step is to select the corresponding open-source function signature library according to this information and use existing binary comparison tools to identify the open-source library functions contained in the firmware, thereby restoring their names. This paper implements a prototype system based on this method and evaluates it experimentally. The experimental results show that the system correctly identifies the compilation environment and RTOS type of most in-the-wild firmware in the test set, with the best library function name restoration rate reaching 73.1%; for self-compiled firmware it correctly identifies the compilation environment and RTOS in all cases, with an average library function name restoration rate of 41.1% and an average accuracy of 91.7%.

2. Some smart home manufacturers use private communication protocols for interaction between devices. These private protocols usually carry considerable potential danger, but their radio frequency parameters are not public, which makes it difficult for security researchers to capture communication packets and hinders reverse analysis and vulnerability mining of the protocol. To solve this problem, this paper proposes a method for extracting the radio frequency parameters of a firmware's private communication protocol. The method covers two situations: the communication chip in the device has built-in Flash, or it does not. First, it uses the function name restoration method for firmware library functions to identify the function responsible for configuring the radio frequency parameters in the firmware; second, it extracts the assembly instructions from the function's callers; third, it uses simulated execution and dynamic debugging to extract the function's parameters (including the memory address where the radio frequency parameters are stored); and last, it uses the communication chip's radio frequency parameter format to automatically parse each field of the radio frequency parameters from the function parameters. To verify the effectiveness of this method, this paper takes a certain brand of smart door locks and security equipment that use a private communication protocol as the target and successfully extracts their radio frequency parameters.

3. Using the method for restoring firmware library function names and the method for extracting the radio frequency parameters of a firmware's private communication protocol proposed above, combined with existing firmware security analysis methods, we carried out a case study on a certain brand of smart door lock, including firmware extraction, firmware unpacking, disassembly, static analysis, dynamic debugging, protocol reversing and other smart home firmware analysis work. We obtained the workflow of the smart door lock and information about its temporary password mechanism, which lays the foundation for follow-up vulnerability mining work on the smart door lock and at the same time proves the effectiveness and practicability of the method put forward in this paper.
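The library function name restoration pipeline of contribution 1 (signature library, RTOS identification from characteristic strings, similarity-based matching of stripped functions), as an added Python example that is not the thesis's prototype system. The RTOS marker strings, the "open-source library" listings and the stripped firmware listings are all constructed, compiler detection is omitted, and instruction-sequence similarity from difflib stands in for the binary comparison tools the thesis uses.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (not from the thesis): RTOS characteristic strings and a tiny
# "open-source library" of disassembled functions, keyed by the RTOS they belong to.
RTOS_MARKERS = {"FreeRTOS": [b"FreeRTOS", b"vTaskStartScheduler"], "RT-Thread": [b"RT-Thread"]}
LIBRARY = {"FreeRTOS": {
    "vTaskDelay": ["push {r4, lr}", "mov r4, r0", "bl 0x8001000", "cmp r4, #0",
                   "bne 0x8001030", "pop {r4, pc}"],
    "xQueueSend": ["push {r4-r6, lr}", "mov r5, r1", "mov r4, r0", "ldr r3, [r0, #36]",
                   "cmp r3, #0", "bne 0x8002000", "pop {r4-r6, pc}"]}}
IMM = re.compile(r"#-?(0x[0-9a-fA-F]+|\d+)")
ADDR = re.compile(r"\b0x[0-9a-fA-F]+\b")

def detect_rtos(blob):
    # The RTOS whose characteristic strings occur most often wins; None if none occur.
    scores = {n: sum(m in blob for m in ms) for n, ms in RTOS_MARKERS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None

def normalize(insns):
    # Mask immediates and absolute addresses so link-time differences do not break matching.
    return [ADDR.sub("ADDR", IMM.sub("#IMM", i)) for i in insns]

def restore_names(firmware_funcs, signatures, threshold=0.8):
    # Map each unnamed firmware function (keyed by address) to its best library match.
    result = {}
    for addr, body in firmware_funcs.items():
        norm = normalize(body)
        best = max(signatures, key=lambda n: SequenceMatcher(None, norm, signatures[n]).ratio())
        score = SequenceMatcher(None, norm, signatures[best]).ratio()
        if score >= threshold:
            result[addr] = (best, round(score, 2))
    return result

def analyze(blob, firmware_funcs):
    # Pipeline from the thesis: detect RTOS, select its signature library, restore names.
    rtos = detect_rtos(blob)
    sigs = {n: normalize(b) for n, b in LIBRARY.get(rtos, {}).items()}
    return rtos, (restore_names(firmware_funcs, sigs) if sigs else {})

# Constructed stripped firmware: library code relinked elsewhere (one copy with an extra
# nop, as a different build might emit) plus one unrelated function that must stay unnamed.
FIRMWARE_IMAGE = b"\x00\x10FreeRTOS V10.4\x00vTaskStartScheduler\x00\xff"
FIRMWARE_FUNCS = {
    0x8004000: ["push {r4, lr}", "mov r4, r0", "bl 0x8005678", "cmp r4, #0",
                "bne 0x8004020", "pop {r4, pc}"],
    0x8004100: ["push {r4-r6, lr}", "mov r5, r1", "mov r4, r0", "nop", "ldr r3, [r0, #40]",
                "cmp r3, #0", "bne 0x8004130", "pop {r4-r6, pc}"],
    0x8004200: ["ldr r0, [r1, #8]", "add r0, r0, #1", "str r0, [r1, #8]", "bx lr"]}
```

Calling `analyze(FIRMWARE_IMAGE, FIRMWARE_FUNCS)` names the two relinked library copies and leaves the unrelated function unnamed; the threshold is the knob that trades false names against coverage, which is what the thesis's restoration-rate and accuracy figures measure.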