Static analysis of IoT Firmware: identifying systemic vulnerabilities with RMMIDL

Ahmad Al-Zuraiqi*, Desmond Greer*

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

The unprecedented surge in Internet of Things (IoT) device deployment has brought forth significant security challenges, primarily arising from vulnerabilities within firmware that facilitate unauthorized access, data exfiltration, and network exploitation. This study undertakes a comprehensive static analysis of 1,520 IoT firmware samples using the Firmware Analysis and Comparison Tool (FACT) alongside metadata from the WikiDevi archive to systematically identify inherent security flaws. Among the key vulnerabilities discovered are improper
handling of format strings (CWE-134, 10.07%), memory mismanagement issues
CWE-416, 10.06%; CWE-415, 10.03%), and the presence of exposed debugging interfaces (CWE-782, 10.07%). These results highlight enduring risks in critical domains such as healthcare and industrial IoT, often magnified by insecure coding
practices and reliance on outdated software components. To address these systemic shortcomings, this study proposes the Risk Mitigation Modeling for IoT Development Lifecycle (RMMIDL), a secure-by-design framework that embeds proactive security measures throughout each phase of IoT development. RMMIDL
offers a systematic and well-defined framework for addressing pervasive risks,
enhancing the resilience of IoT ecosystems, and promoting the implementation of robust security measures. Furthermore, this study outlines prospective research directions, emphasizing the potential of integrating large language models (LLMs), broadening the scope of firmware datasets, and fostering industry-wide collaboration to drive advancements in IoT security.
Original languageEnglish
Title of host publicationICSE 2025, 47th International Conference on Software Engineering: proceedings
PublisherInstitute of Electrical and Electronics Engineers Inc.
Publication statusAccepted - 10 Dec 2024
Event6th Engineering and Cybersecurity of Critical Systems (EnCyCriS) - Rogers Center, Ottawa, Canada
Duration: 27 Apr 202503 May 2025
https://conf.researchr.org/home/icse-2025/encycris-2025

Publication series

NameInternational Conference on Software Engineering (ICSE): Proceedings
ISSN (Print)0270-5257
ISSN (Electronic)1558-1225

Conference

Conference6th Engineering and Cybersecurity of Critical Systems (EnCyCriS)
Abbreviated titleEnCyCriS
Country/TerritoryCanada
CityOttawa
Period27/04/202503/05/2025
Internet address

Fingerprint

Dive into the research topics of 'Static analysis of IoT Firmware: identifying systemic vulnerabilities with RMMIDL'. Together they form a unique fingerprint.

Cite this