14-829: Mobile and IoT Security

14-829 / 18-638: Mobile and IoT Security - Fall 2018



Assignment #4 - Analyzing the Firmware of IoT Devices

Due: November 8, 2018

Description: Similar to the previous assignment that asked you to analyze Android applications, this assignment asks you to analyze the firmware of IoT devices. The goal of this assignment is to familiarize yourself with firmware analysis tools and to identify vulnerabilities in the firmware of real-world IoT devices. A subset of the software tools that you can use for your analysis will be discussed in class.

Tasks:
  1. Collect firmware images - You must obtain at least two (2) firmware images that satisfy the following constraints:
    • The firmware images should correspond to different types of IoT devices.
    • The firmware images should correspond to IoT devices from different vendors.
    • The firmware images should correspond to IoT devices that provide interesting functionality that people are likely to use.
    • The firmware images should not be obfuscated to the point that your analysis becomes trivial and uninteresting.
  2. Analyze the collected firmware images - Use whatever tools you want to analyze the firmware images that you collected in order to identify potential vulnerabilities. If the corresponding IoT devices can be controlled via Android applications, you may analyze them as well in order to gain a better understanding of their functionality. However, you should not focus on vulnerabilities that are unique to the Android applications. Instead, you should focus on potential information leakage from the devices, potential backdoors in their firmware, the integrity of the firmware update processes, etc.
  3. Recommend security or privacy improvements - For each firmware image that you analyzed, provide at least one recommendation that you would make to the development team in order to help them improve the security or privacy posture of their IoT device. Make sure that your recommendations are clear and complete, while also keeping in mind the typical business considerations that may compete against security or privacy.

Deliverables: Each student will submit a written summary of their efforts for the above tasks. Your report should include:
  • A description of the structure of each firmware image that you collected as well as the process that you followed in order to obtain them, the functionality of the corresponding IoT devices, and a justification for why these firmware images meet the constraints of this assignment.
  • A detailed description of the various vulnerabilities or issues that you identified for each firmware image in your collection, including relevant details of the type of issue, whether it appears to be accidental or the result of an explicit design decision, the severity of the issue in regard to security or privacy protections, and the potential impact of the issue for the developer or their users.
  • A step-by-step explanation of the process that you followed in order to identify the vulnerabilities or issues described for each firmware image, including any analysis or coding tools that you used and screenshots of interesting findings.
  • A detailed explanation and justification of your recommendations to the developers of each firmware image.
The written summary should be formatted as a single-column document using font size 11 or greater, converted to a .pdf document for submission.

Submission Instructions: Each student should submit a .pdf version of their written summary via Canvas, using the format requested above. All students are expected to complete the assignment on their own; discussion about the assignment is allowed and encouraged, but all analysis and writing components must be done individually.

Grading: This assignment is worth 35 points: eight (8) points for the description of the affected IoT devices and the structure of the collected firmware images, ten (10) points for the discussion of the identified vulnerabilities including severity, impact, etc., eight (8) points for the step-by-step description of the process used to identify vulnerabilities, and nine (9) points for the description and justification of your recommendations to the developers of each firmware image. We reserve the right to take off points for presentation aspects, e.g., incorrect format, poor writing, etc.