The security of the IoT has never been so important, especially when millions of devices become parts of everyday life. Most of the IoT devices, however, are vulnerable to cyberattacks, as the hardware resources are limited or the security design is missing during the development. Tencent Anti-Virus Laboratory demonstrates a new worm prototype dubbed UbootKit, which targets the bootloader of IoT devices, to indicate how a worm can propagate between variable devices and why it is difficult to eliminate.
UbootKit attack is a kind of manipulation attack against the bootloader, causing infected devices to be remotely controlled and spread malware to other devices. UbootKit is extremely difficult to remove, even by physically pressing the reset button, and is able to attack various kinds of IoT devices with Linux system.
A demonstration will be introduced to explain how UbootKit is able to propagate between ARM and MIPS based devices. First, the worm rewrites the bootloader to parasite on the host. Second, the modified bootloader hijacks the start procedure of the Linux kernel in memory. The malicious code in the kernel will download a worm program and execute it with the root privilege. Finally, the downloaded worm program attacks other devices through password scanning or remote execution exploits. The experiment affirms that UbootKit is able to infect real IoT products, such as routers and webcams. Just to clarify, all experiments were restricted in the laboratory environment, and no harmful payload has ever been applied.
The reason the UbootKit attack can be launched is that the integrity verification for bootloader is missing for most IoT devices. At the end of the paper, a mitigation solution - which is adding an integrity verification procedure at the on-chip code - is explained to address the vulnerability.