Black-box fuzzing is often the only viable automated testing option in several scenarios. This is particularly important in the domain of Internet of Things (IoT) and embedded devices, due to the difficulties in obtaining or extracting custom firmware. Unfortunately, when applied naively, black-box fuzzing mostly produces invalid inputs, which are quickly discarded by the targeted device and do not penetrate its code. When dealing with IoT devices, another alternative is to leverage the companion apps (i.e., the mobile apps used to control an IoT device) to generate well-structured fuzzing inputs. This solution leads to better results but it is still ineffective as it produces fuzzing inputs that are constrained by app-side validation code, thus significantly limiting the range of discovered vulnerabilities.
In this talk, we first present our approach for IoT black-box fuzzing, overcoming the limitations of existing tools. Our key observation is that there exist functions inside the companion apps that can be leveraged to generate optimal (i.e., valid yet under-constrained) fuzzing inputs. Such functions, which we call fuzzing triggers, are executed before any data-transforming functions (e.g., network serialization), but after the input validation code. Consequently, they generate inputs that are not constrained by app-side sanitization code, and, at the same time, are not discarded by the analyzed IoT device due to their invalid format.
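To make the fuzzing-trigger idea concrete, here is an added Python simulation (not Diane's code or the talk's own material) of a toy companion-app pipeline: app-side validation, then a command-building function standing in for the trigger, then framing. The function names, the frame format and the device-side over-long-name bug are constructed assumptions; the campaign compares mutating wire bytes, feeding the UI, and calling the trigger directly.

```python
import random
import struct

# Constructed toy companion-app pipeline (not Diane's code). The app validates
# user input, builds a command object (the fuzzing trigger), then serialises
# it into a length-prefixed, checksummed frame that the device accepts.

def validate(name):
    """App-side validation: only short alphanumeric names pass."""
    if not (1 <= len(name) <= 16 and name.isalnum()):
        raise ValueError("rejected by app-side validation")
    return name

def build_command(name):
    """Fuzzing trigger: runs after validation, before serialisation."""
    return {"op": 0x01, "name": name}

def serialize(cmd):
    """Data transformation: framing plus checksum, which byte-level fuzzing breaks."""
    payload = bytes([cmd["op"]]) + cmd["name"].encode("latin-1")
    return struct.pack(">H", len(payload)) + payload + bytes([sum(payload) & 0xFF])

def device_parse(frame):
    """Toy device: drops malformed frames; hypothetical bug on names over 32 bytes."""
    if len(frame) < 4:
        return "discarded"
    (length,) = struct.unpack(">H", frame[:2])
    payload, check = frame[2:2 + length], frame[2 + length:]
    if len(payload) != length or check != bytes([sum(payload) & 0xFF]):
        return "discarded"
    return "crash" if len(payload) - 1 > 32 else "ok"

def campaign(strategy, n=300, seed=1):
    """Run n iterations of one strategy and count device outcomes."""
    rng = random.Random(seed)
    counts = {"discarded": 0, "ok": 0, "crash": 0, "app_rejected": 0}
    for _ in range(n):
        name = "".join(chr(rng.randrange(32, 127)) for _ in range(rng.randint(1, 64)))
        if strategy == "network":            # mutate the bytes on the wire
            frame = bytearray(serialize(build_command(validate("lamp"))))
            frame[rng.randrange(len(frame))] = rng.randrange(256)
            counts[device_parse(bytes(frame))] += 1
        elif strategy == "ui":               # feed the UI; validation runs first
            try:
                counts[device_parse(serialize(build_command(validate(name))))] += 1
            except ValueError:
                counts["app_rejected"] += 1
        else:                                # hook the trigger: skip validation
            counts[device_parse(serialize(build_command(name)))] += 1
    return counts
```

Wire-level mutation almost always breaks the length or checksum and is discarded, UI-level input never exceeds the validated 16 characters, and only the trigger-level strategy reaches the device with well-formed frames long enough to hit the toy bug.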
We developed and present Diane, a black-box fuzzer that combines static and dynamic analysis of Android apps to identify fuzzing triggers and use them to fuzz IoT devices automatically. Diane is independent of the network medium used by the analyzed app/IoT device and can fuzz devices that communicate with their companion apps both over WiFi and Bluetooth. We used Diane to analyze 11 popular IoT devices, and we identified 11 bugs, 9 of which are zero-day vulnerabilities, which we responsibly disclosed to the affected vendors. The results of our experiments show that without using fuzzing triggers, it is not possible to generate bug-triggering inputs for many devices and that our tool outperforms existing solutions.
Finally, we present other use cases where our high-level approach can be applied for effective security testing of embedded devices, such as for identifying vulnerable update mechanisms and auditing trusted execution environments.