FirmUpdate: Automated multi-phase static analysis for detecting firmware update vulnerabilities in IoT Linux-based firmware


Similar Papers
  • Conference Article
  • Cite count: 10
  • 10.1109/jcsse.2018.8457340
Firmaster: Analysis Tool for Home Router Firmware
  • Jul 1, 2018
  • Vasaka Visoottiviseth + 3 more

As the Internet has changed the way people communicate with each other in everyday life, the number of home Wi-Fi access routers has grown significantly over the past few years. However, the security of routers used in every household is still at a low level. The common vulnerabilities in routers can be easily exploited by an attacker in order to obtain users' sensitive information or even compromise the devices to be a part of a botnet network. Therefore, we developed a one-stop-service firmware analysis tool called “Firmaster” that can perform both static and dynamic analysis for router firmware. The program is operated under the graphical user interface (GUI) of Qt Creator running on an Ubuntu Linux machine. Vulnerabilities of firmware analyzed by the Firmaster program are based on OWASP’s Top 10 IoT Vulnerabilities 2014. Firmaster contains seven main functions: password cracking, SSL scanning, web static analysis, firmware update analysis, web dynamic analysis, port scanning and the summary report.

  • Conference Article
  • Cite count: 8
  • 10.1109/sp40001.2021.00095
Trouble Over-The-Air: An Analysis of FOTA Apps in the Android Ecosystem
  • May 1, 2021
  • Eduardo Blázquez + 6 more

Android firmware updates are typically managed by the so-called FOTA (Firmware Over-the-Air) apps. Such apps are highly privileged and play a critical role in maintaining devices secured and updated. The Android operating system offers standard mechanisms—available to Original Equipment Manufacturers (OEMs)—to implement their own FOTA apps but such vendor-specific implementations could be a source of security and privacy issues due to poor software engineering practices. This paper performs the first large-scale and systematic analysis of the FOTA ecosystem through a dataset of 2,013 FOTA apps detected with a tool designed for this purpose over 422,121 pre-installed apps. We classify the different stakeholders developing and deploying FOTA apps on the Android update ecosystem, showing that 43% of FOTA apps are developed by third parties. We report that some devices can have as many as 5 apps implementing FOTA capabilities. By means of static analysis of the code of FOTA apps, we show that some apps present behaviors that can be considered privacy intrusive, such as the collection of sensitive user data (e.g., geolocation linked to unique hardware identifiers), and a significant presence of third-party trackers. We also discover implementation issues leading to critical vulnerabilities, such as the use of public AOSP test keys both for signing FOTA apps and for update verification, thus allowing any update signed with the same key to be installed. Finally, we study telemetry data collected from real devices by a commercial security tool. We demonstrate that FOTA apps are responsible for the installation of non-system apps (e.g., entertainment apps and games), including malware and Potentially Unwanted Programs (PUP). Our findings suggest that FOTA development practices are misaligned with Google’s recommendations.
