Startup Program Identification for Efficient and Accurate IoT Security Investigations

Abstract

The mainstream of existing security investigation for Internet of Things (IoT) devices is vulnerability testing based on the availability of security features and version numbers for all programs extracted from the firmware. However, it is known that IoT devices contain many programs in the file system that are never executed. Therefore, if many programs on IoT devices are not executed, a method that examines all programs may not allow for an accurate investigation of the programs that are actually used. This paper proposes an analysis method that combines static analysis and emulation to identify programs that are automatically executed in the startup process of IoT devices to conduct an efficient and accurate security investigation of IoT devices. This allows us to prioritize the programs for security feature investigation that are executed when IoT devices are started up. As a result of the evaluation, we confirmed that we could identify automatically executed programs in the startup process with high accuracy by the proposed method. In addition, we investigated 201 IoT devices firmware that use OpenWrt and found that prioritizing inspection targets greatly improves the efficiency of investigation and has a significant impact on accurate security investigations.