Leveraging Firmware Reverse Engineering for Stealthy Sensor Attacks via Binary Modification

  • Sutej Kulkarni
  • Ryan Tsang
  • Asmita
  • Houman Homayoun
  • Soheil Salehi

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution

Abstract

The number of Internet of Things (IoT) devices has increased dramatically to the point where they pervade our daily life. These connected devices are equipped with a variety of sensors for applications ranging from simple thermostats to critical medical devices. These devices often directly interact with people and usually lack proper security measures, thus they have become ideal targets for attackers. Herein, we propose Cunning Sensor Attack via Firmware Reverse-Engineering (unSAFE), which is a novel and stealthy sensor attack that attempts to corrupt sensor data by targeting the device's Power Management IC (PMIC) configuration in firmware. The proposed unSAFE explores a class of vulnerabilities in which firmware is used to launch a physical attack against a device's peripherals utilizing power management units as a vector. Our proposed technique consists of reverse-engineering the binary code running on bare-metal IoT devices and targeting the functions that control the PMIC configurations. We demonstrate our attack by modifying the firmware binary to alter the PMIC's output voltage and evaluate it by measuring the changes in the output of the targeted sensors. We demonstrate that supplying a sensor with an incorrect voltage or current configuration can cause data corruption, which can go unnoticed and might have direct repercussions on real-world systems. Moreover, we discuss the stealthy nature of our attack and the fact that it can evade detection during functional testing as it does not change the overall functionality of IoT devices. Finally, we provide potential mitigation suggestions to address this vulnerability.

Original language: English (US)
Title of host publication: Proceedings - 2023 IEEE 41st International Conference on Computer Design, ICCD 2023
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1-8
Number of pages: 8
ISBN (Electronic): 9798350342918
State: Published - 2023
Externally published: Yes
Event: 41st IEEE International Conference on Computer Design, ICCD 2023 - Washington, United States
Duration: Nov 6 2023 - Nov 8 2023

Publication series

Name: Proceedings - IEEE International Conference on Computer Design: VLSI in Computers and Processors
ISSN (Print): 1063-6404

Conference

Conference: 41st IEEE International Conference on Computer Design, ICCD 2023
Country/Territory: United States
City: Washington
Period: 11/6/23 - 11/8/23

Keywords

  • Firmware Security
  • Hardware Security
  • IoT Supply Chain
  • PMIC
  • Reverse Engineering
  • Sensor Security

ASJC Scopus subject areas

  • Hardware and Architecture
  • Electrical and Electronic Engineering
