PARIOT: Anti-Repackaging for IoT Firmware Integrity

TL;DR

PARIOT is a self-protecting scheme for IoT firmware that injects anti-tampering controls directly into firmware to detect repackaging attacks at runtime, avoiding external trust anchors and ensuring compatibility.

Contribution

Introduces PARIOT, a novel self-protecting scheme that embeds integrity checks into IoT firmware to detect repackaging without external trust anchors.

Findings

Feasibility demonstrated on 50 real-world firmware samples

Robust against practical repackaging attacks

No significant overhead or behavior alteration

Abstract

IoT repackaging refers to an attack devoted to tampering with a legitimate firmware package by modifying its content (e.g., injecting some malicious code) and re-distributing it in the wild. In such a scenario, the firmware delivery and update processes play a central role in ensuring firmware integrity. Unfortunately, several existing solutions lack proper integrity verification, exposing firmware to repackaging attacks. If this is not the case, they still require an external trust anchor (e.g., signing keys or secure storage technologies), which could limit their adoption in resource-constrained environments. In addition, state-of-the-art frameworks do not cope with the entire firmware production and delivery process, thereby failing to protect the content generated by the firmware producers through the whole supply chain. To mitigate such a problem, in this paper, we introduce PARIOT, a novel self-protecting scheme for IoT that allows the injection of integrity checks, called anti-tampering (AT) controls, directly into the firmware. The AT controls enable the runtime detection of repackaging attempts without needing external trust anchors or computationally expensive systems. PARIOT can be adopted on top of existing state-of-the-art solutions ensuring the widest compatibility with current IoT ecosystems and update frameworks. Also, we have implemented this scheme into PARIOTIC, a prototype to automatically protect C/C++ IoT firmware. The evaluation phase of 50 real-world firmware samples demonstrated the feasibility of the proposed methodology and its robustness against practical repackaging attacks without altering the firmware behavior or severe overheads.