Abstract

Cyber attacks against the web management interfaces of Internet of Things (IoT) devices often have serious consequences. Current research applies fuzzing to test the web interfaces of IoT devices. These IoT fuzzers generate messages (a message is a test case sent from the client to the server to exercise its functionality) without considering the dependencies between them, so the resulting test cases are unlikely to pass the server's early checks. Such invalid test cases significantly reduce fuzzing efficiency. To overcome this problem, we propose a stateful message generation (SMG) mechanism for IoT web fuzzing. SMG addresses two problems in IoT fuzzing. First, we recover message dependencies through web front-end analysis and status analysis; these dependent messages, which readily pass the server's checks, are used as valid seeds. Second, we adopt a multi-message seed format that preserves the dependencies between messages when the seed is mutated, so that the resulting test case passes the server's state check and performs a valid test. Dependency preservation is implemented by our proposed parameter mutation and structural mutation methods. We implement SMG in our IoT fuzzer, SIoTFuzzer, which runs IoT firmware on FirmAE, a recent Linux-based firmware emulation tool. We test nine IoT devices, including a router and an IP camera, and adopt a vulnerability detection mechanism. Our evaluation shows that (1) SIoTFuzzer is capable of finding real-world vulnerabilities in IoT devices; (2) SMG is effective, as it enables Boofuzz (a popular protocol fuzzer) to find command injection and cross-site scripting (XSS) vulnerabilities; and (3) compared with FirmFuzz, SIoTFuzzer found all the vulnerabilities in our benchmarks while FirmFuzz found only four, and our tool's efficiency increased by 20.57% on average.
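The abstract describes the core idea only in words: a seed made of several dependent messages, mutated so that the dependency survives and the test case still passes the server's state check. The following is an added illustration of that idea, written for this page; it is not SIoTFuzzer's code and does not reproduce the paper's implementation. Everything in it is an assumption for the sake of the example: the toy device with its `/login` and `/set_dns` endpoints, the choice of a per-login session token as the "early check", and the concrete mutation operators (appending a payload to free fields, dropping or duplicating a message). What it shows is the mechanism itself: a dependency-unaware fuzzer that mutates recorded concrete messages is rejected at the state check, while the same mutation applied to a multi-message seed with explicit dependency slots is accepted.

```python
"""Dependency-preserving multi-message seeds (added illustration, not SIoTFuzzer code)."""
from dataclasses import dataclass, field


@dataclass
class Message:
    """One request in a seed. `deps` maps a parameter name to the
    (earlier message name, response key) whose value must be filled in at send time."""
    name: str
    path: str
    params: dict
    deps: dict = field(default_factory=dict)


class ToyDevice:
    """Constructed stand-in for an IoT web interface (assumption, not a real device).
    Tokens are tied to a boot id, so a literal recorded during one run is stale in the next."""

    def __init__(self, boot_id):
        self.boot_id = boot_id
        self.sessions = set()

    def handle(self, path, params):
        if path == "/login":
            if params.get("user") == "admin" and params.get("pwd") == "admin":
                tok = f"sess-{self.boot_id}-{len(self.sessions)}"
                self.sessions.add(tok)
                return 200, {"token": tok}
            return 403, {}
        # Early state check: every other request needs a live session token.
        if params.get("token") not in self.sessions:
            return 401, {}
        if path == "/set_dns":
            return 200, {"applied": params.get("dns")}
        return 404, {}


# Constructed two-message seed: the second message depends on the first one's response.
SEED = [
    Message("login", "/login", {"user": "admin", "pwd": "admin"}),
    Message("set_dns", "/set_dns", {"token": "", "dns": "8.8.8.8"},
            deps={"token": ("login", "token")}),
]


def copy_seed(seed):
    return [Message(m.name, m.path, dict(m.params), dict(m.deps)) for m in seed]


def replay(device, seed):
    """Send the seed in order, filling each dependency slot from an earlier response.
    Returns (status codes, the concrete messages actually sent, with dependency info dropped)."""
    responses, statuses, sent = {}, [], []
    for m in seed:
        params = dict(m.params)
        for fld, (src, key) in m.deps.items():
            params[fld] = responses.get(src, {}).get(key, "")
        status, body = device.handle(m.path, params)
        responses[m.name] = body
        statuses.append(status)
        sent.append(Message(m.name, m.path, params))
    return statuses, sent


def parameter_mutation(seed, index, payload):
    """Append `payload` to every field of message `index` that is not a dependency slot.
    Slots are still resolved at replay time, so the mutated case keeps its valid state."""
    new = copy_seed(seed)
    m = new[index]
    for k in m.params:
        if k not in m.deps:
            m.params[k] = f"{m.params[k]}{payload}"
    return new


def structural_mutation(seed, index):
    """Drop message `index` unless a later message depends on it; then duplicate it
    instead, so the dependency chain is never broken."""
    new = copy_seed(seed)
    needed = {src for m in new for (src, _) in m.deps.values()}
    if new[index].name in needed:
        dup = copy_seed([new[index]])[0]
        dup.name = f"{dup.name}_dup"
        new.insert(index + 1, dup)
    else:
        del new[index]
    return new


def demo(payload="$(id)"):
    """Same mutation, two seed formats. Returns (stateless statuses, stateful statuses)."""
    # Traffic was captured while the device ran with boot id "boot1".
    _, recorded = replay(ToyDevice("boot1"), SEED)
    # Dependency-unaware fuzzing: mutate the recorded concrete messages and send them
    # to the device after a reboot. The baked-in token literal is stale -> 401.
    stateless = replay(ToyDevice("boot2"), parameter_mutation(recorded, 1, payload))[0]
    # Multi-message seed: the token slot is re-filled from the fresh login -> 200.
    stateful = replay(ToyDevice("boot2"), parameter_mutation(SEED, 1, payload))[0]
    return stateless, stateful


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` reports `[200, 401]` for the dependency-unaware case and `[200, 200]` for the multi-message seed: the mutated `dns` value reaches the handler only in the second case, which is the difference the abstract attributes to SMG. `structural_mutation` refuses to drop `login` because `set_dns` depends on it, and duplicates it instead.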

Highlights

  • SIoTFuzzer traverses the device web pages and obtains normal communication messages, which are then used for fuzzing

  • We evaluated SIoTFuzzer on 9 Internet of Things (IoT) devices and found 12 known vulnerabilities

  • Compared with FirmFuzz, SIoTFuzzer detects known vulnerabilities much faster, reducing vulnerability detection time by about 20.57% on average

  • We have presented SIoTFuzzer, an automated framework to fuzz the web interface of


Summary

Introduction

At the 2013 Black Hat Conference, Heffner [2] demonstrated overflow, hard-coded password, and command injection vulnerabilities in a variety of web cameras from vendors including D-Link, TP-Link, Linksys, and Trendnet. Attackers can use these vulnerabilities to log in without authorization and hijack the camera's real-time video.

2. Based on issue 1, we need to maintain the connection between the fuzzer and the device, and ensure that mutated messages are received by the device.
