Protocol guided mutation fuzzing to automatically discover vulnerability in commercial IoT devices
摘要
Protocol fuzzing is a scalable and cost-effective technique for identifying security vulnerabilities in deployed Internet of Things (IoT) devices. After the registration phase, IoT devices often run lightweight servers to handle user interactions, such as video streaming or image capturing in smart cameras, in their operational phases. Implementation flaws in transport or application-layer security mechanisms can expose IoT devices to a range of threats, including unauthorized access and data leakage. This paper addresses the challenge of uncovering such vulnerabilities by leveraging protocol fuzzing techniques that inject crafted transport and application-layer packets into IoT communications. We present a mutation-based fuzzing tool, named IoTFuzzSentry, to identify protocol-specific non-trivial vulnerabilities in commercial IoT devices. We further demonstrate how attackers could exploit these vulnerabilities in real-world scenarios. We integrate our fuzzing tool into a well-known IoT protocol fuzzer, called Cotopaxi, and evaluated the efficacy of the updated tool using commercial-off-the-shelf (COTS) IoT devices, such as IP cameras and Smart Plugs. The newly discovered vulnerabilities are categorised into four types, namely IoT Access Credential Leakage, Sneak IoT Live Video Stream, Creep IoT Live Image, IoT Command Injection, and were exploited extensively on two IoT cameras and one smart plug. We have responsibly disclosed all these vulnerabilities to the respective vendors, followed by publishing two CVEs, CVE-2024-41623 and CVE-2024-42531, and one is awaiting. To extend the applicability of IoTFuzzSentry, we have investigated the traffic of six additional IoT devices and our analysis shows that these devices can have similar vulnerabilities, due to the presence of a similar set of payloads in the application protocols. We believe that our IoTFuzzSentry has the potential to discover unconventional security threats and allow IoT vendors to strengthen the security of their commercialized IoT devices automatically with negligible overhead.