Research area: Strategies
Venue: CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
Due to the diversity of architectures and peripherals of Internet of Things (IoT) systems, blackbox fuzzing stands out as a prime option for discovering vulnerabilities in IoT devices. Existing blackbox fuzzing tools often rely on companion apps to generate valid fuzzing packets. However, existing methods face the challenge of bypassing cloud-server-side validation when fuzzing devices that rely on cloud-based communication. Moreover, they tend to concentrate on the Java components of Android companion apps, limiting their effectiveness in assessing non-Java components such as JavaScript-based mini-apps. In this paper, we introduce a novel blackbox fuzzing method, named RIoTFuzzer, designed to remotely uncover vulnerabilities in IoT devices with the assistance of companion apps, particularly those powered by All-in-one Apps with the JavaScript-based mini-app feature enabled. Our approach combines document-based control command extraction, hybrid analysis for mutation point identification, and side-channel-guided fuzzing to address the challenges of fuzzing IoT devices remotely. We apply RIoTFuzzer to 27 IoT devices on prominent platforms and discover 11 vulnerabilities. All of them have been acknowledged by the corresponding vendors; 8 have been confirmed by the vendors and have been assigned 4 CVE IDs. Our experimental results also demonstrate that side-channel-guided fuzzing can significantly enhance the efficiency of fuzzing packets sent to IoT devices, with an average increase of 76.62% and a maximum increase of 362.62%.
| Publication year | 2024 |
|---|---|
| Citations | 5 |
| Publishing countries | Panama, Morocco, China |
| Site | ACM |
| Likes | 0 |