14-829: Mobile and IoT Security

14-829 / 18-638: Mobile and IoT Security - Fall 2019



Assignment #3 - Analyzing IoT Device Software/Firmware/Services

Due: Nov 14, 2019

Description: In this assignment, you'll analyze the software and service landscape of particular IoT devices. This will include studying the software and firmware running on the device, any corresponding cloud services, and any companion mobile applications. Your study will include the use of common firmware analysis tools to identify potential vulnerabilities in real-world IoT devices. A subset of the software tools available to you will be discussed in class.

Tasks:
  1. Choose your IoT devices to study - Identify at least two (2) sufficiently different, commercially available IoT devices that you will be able to study and characterize, subject to the constraints that:
    • the primary tasks of the IoT devices should be different,
    • the devices should come from different vendors,
    • the devices should provide interesting functionality that people are likely to use,
    • the firmware images are not obfuscated to the point that it makes your analysis trivial and uninteresting,
    • the devices, firmware, and software that you study should be up-to-date versions (i.e., not older models or versions with known issues).
  2. Analyze the collected firmware images and component software - Use whatever tools you want to analyze the firmware images that you collected in order to identify potential vulnerabilities. If the corresponding IoT devices can be controlled via Android applications or web/cloud services, study how the other software interacts with the device to fully understand the system functionality. However, you should not focus only on app vulnerabilities; instead, you should put more focus on potential information leakage from the devices, potential backdoors in firmware, the integrity of the firmware update processes, device interactions, etc. The OWASP IoT Project may provide helpful guidance.

  3. Recommend security or privacy improvements - For each device/system that you analyze, provide at least one recommendation that you would make to the development team in order to help them improve the security or privacy posture of their IoT device. Make sure that your recommendations are clear and complete, while also keeping in mind the typical business considerations and trade-offs that may compete against security or privacy.

Deliverables: Each student will submit a written summary of their efforts for the above tasks. Your report should include:
  • A description of the structure of each device / system that you studied, including firmware images that you collected, component software, and other system aspects. For firmware images, detail the process that you followed to obtain the firmware image, and justify how all of the constraints of the assignment are satisfied.
  • A detailed description of the various vulnerabilities or issues that you identified for each IoT device in your collection, including relevant details of the type of issue, whether it appears to be accidental or the result of an explicit design decision, the severity of the issue in regard to security or privacy protections, and the potential impact of the issue on the developer or their users.
  • A step-by-step explanation of the process that you followed in order to identify the vulnerabilities or issues described for each IoT device, including any analysis or coding tools that you used and screenshots of interesting findings. As with the last assignment, be sure to explain what the tools are doing, rather than just pasting the output.
  • A detailed explanation and justification of your recommendations to the developers of each device.
The written summary should be formatted as a single-column document using font size 11 or greater, converted to a .pdf document for submission.

Submission Instructions: Each student should submit a .pdf version of their written summary via Canvas, using the format requested above. All students are expected to complete the assignment on their own; discussion about the assignment is allowed and encouraged, but all analysis and writing components must be done individually.

Grading: This assignment is worth 40 points: eight (8) points for the description of the chosen IoT devices and their various software and firmware components, ten (10) points for the discussion of the identified vulnerabilities including severity, impact, etc., eight (8) points for the step-by-step description of the process used to study system interactions and identify vulnerabilities, nine (9) points for the description and justification of your recommendations to the developers, and five (5) points for discussion of trade-offs and decisions from a business perspective. We reserve the right to take off points for presentation aspects, e.g., incorrect format, poor writing, etc.