Table of Contents
Fetching ...

Hunting the Ghost: Towards Automatic Mining of IoT Hidden Services

Shuaike Dong, Siyu Shen, Zhou Li, Kehuan Zhang

TL;DR

This work tackles the detection of hidden, potentially malicious services in IoT devices by introducing IoTBolt, a pipeline combining static analysis and symbolic execution to automatically uncover covert functionality in firmware. The approach includes targeted file filtering, endpoint-recognition through API contexts and function tables, and request-recovery guided by multi-stage chopped CFGs with high-level constraint recording to manage path explosion. The evaluation on three real-world firmware demonstrates IoTBolt’s ability to reveal hidden services, including information disclosure and remote code execution pathways, and shows the practicality of automated firmware analysis for security assessment. The contributions advance IoT security by enabling systematic discovery of covert services that are invisible to normal users, improving robustness and attack surface visibility in consumer devices.

Abstract

In this paper, we proposes an automatic firmware analysis tool targeting at finding hidden services that may be potentially harmful to the IoT devices. Our approach uses static analysis and symbolic execution to search and filter services that are transparent to normal users but explicit to experienced attackers. A prototype is built and evaluated against a dataset of IoT firmware, and The evaluation shows our tool can find the suspicious hidden services effectively.

Hunting the Ghost: Towards Automatic Mining of IoT Hidden Services

TL;DR

This work tackles the detection of hidden, potentially malicious services in IoT devices by introducing IoTBolt, a pipeline combining static analysis and symbolic execution to automatically uncover covert functionality in firmware. The approach includes targeted file filtering, endpoint-recognition through API contexts and function tables, and request-recovery guided by multi-stage chopped CFGs with high-level constraint recording to manage path explosion. The evaluation on three real-world firmware demonstrates IoTBolt’s ability to reveal hidden services, including information disclosure and remote code execution pathways, and shows the practicality of automated firmware analysis for security assessment. The contributions advance IoT security by enabling systematic discovery of covert services that are invisible to normal users, improving robustness and attack surface visibility in consumer devices.

Abstract

In this paper, we proposes an automatic firmware analysis tool targeting at finding hidden services that may be potentially harmful to the IoT devices. Our approach uses static analysis and symbolic execution to search and filter services that are transparent to normal users but explicit to experienced attackers. A prototype is built and evaluated against a dataset of IoT firmware, and The evaluation shows our tool can find the suspicious hidden services effectively.
Paper Structure (20 sections, 5 figures, 3 tables, 2 algorithms)

This paper contains 20 sections, 5 figures, 3 tables, 2 algorithms.

Figures (5)

  • Figure 1: A typical smart home
  • Figure 2: The workflow of IoTBolt
  • Figure 3: The procedure of processing a network request
  • Figure 4: The overview graph of a typical request processing procedure(by IDA)
  • Figure 5: The high-level constraints collected by IoTBolt