Abstract
Owing to their economy and low power consumption, bare-metal IoT devices are widely used in many areas of daily life, and they are usually paired with companion mobile apps that configure them and display their state (a.k.a. appified IoT systems). IoT systems have already become lucrative targets for attackers because compromised IoT devices pose severe threats to IoT security and reliability. The problem becomes worse on bare-metal IoT devices, since the tradeoff among price, functionality, performance, and energy efficiency usually results in insufficient security protection. Such bare-metal IoT devices usually adopt OTA (Over-The-Air) methods to update firmware, and the update is managed by the companion apps running on smartphones. Despite the prevalence of these appified IoT systems, and although recent studies have reported security flaws in such systems, there is a lack of systematic research on the security of bare-metal IoT device firmware update (DFU). In this article, we propose a holistic approach to investigating the DFU security of these appified IoT systems by collaboratively analyzing the bare-metal firmware and the companion app. Additionally, we have developed an IoT system analysis framework named BareDFU to automate the complex and time-consuming analysis tasks and facilitate the investigation. After applying BareDFU to analyze 1,637 companion IoT apps, we found that 710 of them contained security flaws spanning all three DFU stages: authentication, firmware acquisition, and firmware verification. Furthermore, we leveraged BareDFU to investigate the bare-metal DFU security of six commercial appified IoT systems and discovered that they all had DFU flaws, which we successfully exploited to launch proof-of-concept firmware modification attacks. The affected vendors have acknowledged our findings and addressed the security flaws.
| Original language | English |
|---|---|
| Pages (from-to) | 2367-2384 |
| Number of pages | 18 |
| Journal | IEEE Transactions on Dependable and Secure Computing |
| Volume | 22 |
| Issue number | 3 |
| DOIs | |
| State | Published - 2025 |
UN SDGs
This output contributes to the following UN Sustainable Development Goals (SDGs)
- SDG 7 Affordable and Clean Energy
Keywords
- IoT security
- firmware update
- over-the-air (OTA)
- security flaws
Fingerprint
Dive into the research topics of 'Update If You Dare: Demystifying Bare-Metal Device Firmware Update Security of Appified IoT Systems'. Together they form a unique fingerprint.