argXtract: Deriving IoT Security Configurations via Automated Static Analysis of Stripped ARM Cortex-M Binaries

Abstract

Recent high-profile attacks on the Internet of Things (IoT) have brought to the forefront the vulnerabilities in “smart” devices, and have revealed poor device configuration to be the root cause in many cases. This has resulted in IoT technologies and devices being subjected to numerous security analyses. For the most part, automated analyses have been confined to IoT hub or gateway devices, which tend to feature traditional operating systems such as Linux or VxWorks. However, most IoT peripherals, by their very nature of being resource-constrained, lacking traditional operating systems, implementing a wide variety of communication technologies, and (increasingly) featuring the ARM Cortex-M architecture, have only been the subject of smaller-scale analyses, typically confined to a certain class or brand of device. We bridge this gap with argXtract, a framework for performing automated static analysis of stripped Cortex-M binaries, to enable bulk extraction of security-relevant configuration data. Through a case study of 200+ Bluetooth Low Energy binaries targeting Nordic Semiconductor chipsets, as well as smaller studies against STMicroelectronics BlueNRG binaries and Nordic ANT binaries, argXtract has discovered widespread security and privacy issues in IoT, including minimal or no protection for data, weakened pairing mechanisms, and potential for device and user tracking.