PATRIOT: Anti-Repackaging for IoT Firmware
IoT repackaging refers to an attack devoted to tampering with a legitimate firmware package by modifying its content (e.g., injecting some malicious code) and re-distributing it in the wild. In such a scenario, the firmware delivery and update processes play a central role in ensuring firmware integrity. Unfortunately, most of the existing solutions lack proper integrity verification, leaving firmware exposed to repackaging attacks, such as the one reported in [1]. If this is not the case, they still require an external trust anchor (e.g., a signing certificate), which could limit their adoption in resource-constrained environments. To mitigate such a problem, in this paper, we introduce PATRIOT, a novel self-protecting scheme for IoT that allows the injection of integrity checks, called anti-tampering (AT) controls, directly into the firmware. The AT controls enable the runtime detection of repackaging attempts without the need for external trust anchors or computationally expensive systems. Also, we have implemented this scheme into PATRIOTIC, a prototype to automatically protect C/C++ IoT firmware. The evaluation phase of 33 real-world firmware samples demonstrated the feasibility of the proposed methodology and its robustness against practical repackaging attacks without altering the firmware behavior or severe performance issues.
READ FULL TEXT