A framework for intelligent IoT firmware compliance testing

Mohan Krishna Kagita, Giridhar Reddy Bojja, Mohammed Kaosar
Internet of Things and Cyber-Physical Systems, volume 1, pages 1-7. Publication date: 2021-01-01. Journal article. DOI: 10.1016/j.iotcps.2021.07.001. https://www.sciencedirect.com/science/article/pii/S2667345221000018
Citations: 8

Abstract

The recent mass production and usage of the Internet of Things (IoT) have posed serious concerns due to the unavoidable security complications. The firmware of IoT systems is a critical component of IoT security. Although multiple organizations have released security guidelines, few IoT vendors are following these guidelines properly, either due to a lack of accountability or the availability of appropriate resources. Some tools for this purpose can use static, dynamic, or fuzzing techniques to test the security of IoT firmware, which may result in false positives or failure to discover vulnerabilities. Furthermore, the vast majority of resources are devoted to a single subject, such as networking protocols, web interfaces, or Internet of Things computer applications. This paper aims to present a novel method for conducting compliance testing and vulnerability evaluation on IoT system firmware, communication interfaces, and networking services using static and dynamic analysis. The proposed system detects a broad range of security bugs across a wide range of platforms and hardware architectures. To test and validate our prototype, we ran tests on 4300 firmware images and discovered 13,000+ compliance issues. This work, we believe, will be the first step toward developing a reliable automated compliance testing framework for the IoT manufacturing industry and other stakeholders.
