Hunting the Ghost: Towards Automatic Mining of IoT Hidden Services
Shuaike Dong, Siyu Shen, Zhou Li, Kehuan Zhang
TL;DR
This work tackles the detection of hidden, potentially malicious services in IoT devices by introducing IoTBolt, a pipeline combining static analysis and symbolic execution to automatically uncover covert functionality in firmware. The approach includes targeted file filtering, endpoint-recognition through API contexts and function tables, and request-recovery guided by multi-stage chopped CFGs with high-level constraint recording to manage path explosion. The evaluation on three real-world firmware demonstrates IoTBolt’s ability to reveal hidden services, including information disclosure and remote code execution pathways, and shows the practicality of automated firmware analysis for security assessment. The contributions advance IoT security by enabling systematic discovery of covert services that are invisible to normal users, improving robustness and attack surface visibility in consumer devices.
Abstract
In this paper, we proposes an automatic firmware analysis tool targeting at finding hidden services that may be potentially harmful to the IoT devices. Our approach uses static analysis and symbolic execution to search and filter services that are transparent to normal users but explicit to experienced attackers. A prototype is built and evaluated against a dataset of IoT firmware, and The evaluation shows our tool can find the suspicious hidden services effectively.
