Defense and Hardening of Billions of End-of-Life Internet-of-Things Devices—Solutions and Challenges (I22b)
Internet-Of-Things (IoT) devices and their firmware are notorious for their lifelong vulnerabilities. As device infection increases, vendors also fail to release patches at a competitive pace. Despite security in IoT being an active area of research, prior work has mainly focused on vulnerability detection and exploitation, threat modelling, and protocol security. However, these methods are ineffective in preventing attacks against legacy and End-Of-Life devices that are already vulnerable. Current research mainly focuses on implementing and demonstrating the potential of malicious modifications. Hardening emerges as an effective solution to provide IoT devices with an additional layer of defense. This talk will bridge these gaps through the design of a generically applicable systematic approach to HArdening LEgacy IoT non-low-end devices by retrofitting defensive firmware modifications without access to the original source code. This talk will approach this non-trivial task via binary firmware reversing and modification while being underpinned by a semi-automated toolset that aims to keep cybersecurity of such devices in a hale state. The focus is on both modern and, especially, legacy or obsolete IoT devices as they become increasingly prevalent. This talk will show that this approach works well on a large number of devices, scales well, successfully runs on protected and quite constrained (I)IoT devices with as low as 32MB of RAM and 8MB of storage. This talk is important from EU Cyber Act perspective, as it addresses one of the core challenges of cybersecurity (defense harder than offense), and in for (I)IoT in particular (how to port known classical defensive solutions to diverse and constrained (I)IoT world). Defensive measure for (I)IoT are a good mitigation strategy for the cases where EU Cyber Act requires cybersecurity, but vendors cannot/do not offer any.