
Researchers demonstrate wormable flaw for IoT development board Arduino Yun

Luana PASCU

November 17, 2016


Vulnerabilities in connected devices and their consequences are stealing the thunder from the benefits and opportunities the Internet of Things has to offer. We’ve recently seen an increase in malware and exploits designed to target IoT devices because the big data they collect is a gold mine for criminals.

The long list of IoT security failures continues with ArduWorm, a new strain of malware created as a proof of concept to target Arduino Yun, a platform frequently used in IoT applications. The functional malware sample was developed by three Spanish researchers, members of the Computer Security Lab of the Universidad Carlos III de Madrid, to show how easy the platform is to hack by corrupting the memory through code reuse attacks.

The malware, developed in lab conditions, is “able to get the control of a Linux-based microprocessor integrated in the device with full privileges, which allows it to install a backdoor and spread as a worm through the compromised network”.

“Together with the classical Atmel AVR based Microcontroller Unit (MCU) present in most of Arduino devices (concretely, the ATmega32u4), the Yun is also equipped with an Atheros Micro Processor (MPU) holding a Linux based OpenWrt operating system,” the research paper reads. “This Atheros MPU manages one Ethernet interface and one Wi-Fi card, which makes it a suitable device for IoT scenarios. Both the Atmel AVR and the Atheros are connected using a serial bus managed by a software library called Bridge.”

In their research, the group discovered that the Atmel Microcontroller Unit controlling the Yún board suffers from a series of design flaws, including “a critical point of exposure” in the Bridge library, which connects the AVR chip to the OpenWrt chip without requiring authentication in Linux. The key to the hack was to exploit the memory corruption vulnerability in the ATmega32u4 MCU and make the AVR chip run out of RAM by writing data into the memory. By corrupting the memory, ArduWorm installed a backdoor and spread inside the network. The architectural flaws allowed the malware to completely take over the Linux-based microprocessor with root privileges.
