Abstract

Recently, the use of embedded devices such as WiFi APs, IP CAM, and drones in Internet of Things (IoT) applications has become more widespread. These embedded devices are connected to networks and are often used for critical services. Thus, they receive significant attention from hackers who attempt to find a major intrusion vector in IoT applications. Hackers focus on identifying hidden backdoors in embedded devices to gain full remote access; if they gain access, they can cause significant damage to critical infrastructures. Therefore, to improve embedded device security, this study introduces Universal Firmware vulnerability Observer (UFO); UFO is a firmware vulnerability discovery system, which can automatically perform tasks such as reversing firmware embedded filesystem, identifying vulnerability, and exploring password leaks to meet the IoT firmware security verification standards, including OWASP, UL-2900, and ICSA Labs. In addition, we design a Shell Script Dependency algorithm to help identify hidden backdoor problems by discovering suspicious shell script execution paths in the extracted firmware filesystem. We use 237 real-world embedded device firmware files to evaluate UFO. The results indicate that the effectiveness of reversing firmware binary is 96%, which is significantly higher than that of open source tools. Besides, we also conclude that 73% of firmware files contain Common Vulnerabilities and Exposures in their embedded Linux kernel, 22% of firmware files can leak login passwords, and 6% of firmware files contain hidden backdoors. Moreover, we reported hidden backdoor problems to two IoT device vendors in Taiwan and received their confirmation. UFO can be successfully used for verifying firmware security and discovering hidden backdoor threats in commercial IoT devices.