Increasing IoT Attacks: Why You Should Learn About ARM Exploitation

Increasing IoT Attacks: Why You Should Learn About ARM Exploitation

. 5 min read

The Internet of Things (IoT) industry today is developing at a breakneck speed. All most every gadget that we can think of are now connected to the Internet. While this is good in one way, it also vastly increases the attack surface. It's now not uncommon to hear every other day about a new hack on an IoT device.  Not all vendors are equally up to the task to issue a proper patch after such a vulnerability is discovered. This leaves the end-user vulnerable and at the mercy of attackers.

This blog post explains some prominent examples of IoT hacks on ARM devices. These hacks paint a grim picture of the insecurity in today's world faced by IoT gadgets, a majority of which are powered by ARM processors. All of these incidents point towards the necessity to get familiar with ARM exploitation, to be able to understand the security threats and be equipped to deal with them appropriately.

Mirai Botnet Attack

Mirai is a self-spreading botnet virus. The Mirai botnet code contaminates inadequately secured web gadgets by utilizing telnet to discover those that are as yet utilizing their default username and password. The success of Mirai is because of its capacity to contaminate a huge number of these insecure gadgets and coordinate them to mount a DDOS attack against a picked unfortunate victim.

Mirai took advantage of these vulnerable IoT devices in a simple but brilliant way. Rather than trying to use complicated techniques to monitor IoT devices, it examined each bot for open Telnet slots, then tried to log in using 61 random username/password combinations that are frequently used as the standard for these devices. In this way, it was able to generate a military of impacted closed-circuit TV digital cameras and routers, prepared to do its bidding.


Mirai's first major strike came on Sept 19, 2016, when it was used against the France variety OVH. After a while, the Mirai botnet rule was launched into the crazy. With the public release of the Mirai Botnet rule, anybody could try their fortune infecting IoT devices (most of which were still unprotected) and releasing DDoS strikes against their opponents, or promoting that power to the biggest prospective buyer.

IP Cameras Attack

Image Source: Google Images

A cyber attack operated by something the world wide web had never seen before: a military created of more than one thousand affected Online of Factors gadgets. The online hackers, whose identification is still unidentified, used internet-connected electronic cameras, and other unprotected online gadgets to link to the, pummeling the website with demands in order to make it a failure. The electronic attack exceeded 660 Gbps of visitors, making it one of the most popular documented attacks in the past in regards to quantity.

At this factor, however, it's uncertain if the assailants used the complete energy of the two botnets or just a part of it. Security scientists and internet defenders are still looking into the strikes and trying to monitor who's behind them, but people who've been working to guard sites against huge refusal of support (DDoS) strikes such as this one, believe the fact this was unmatched both because of its surprising dimension and because of the use of what could be known as a Botnet of Factors.


Yi Technology Home Camera Code Execution Vulnerability

Image Source: Google Images

Yi Home Camera is an IoT home camera of the Yi Technology camera lineup sold globally.  An exploitable code execution vulnerability exists in the firmware update functionality of Yi Home Camera 27US which can be triggered by inserting an SD card by the attacker. Logic flaw and command injection can be executed with the use of a specially crafted file, resulting in code execution.

Samsung SmartThings Hub video-core Code Execution Vulnerability

Image Source: Google Images

An exploitable stack-based buffer overflow vulnerability exists in the database "find-by-cameraId" functionality and Samsung WifiScan callback notification of video-core HTTP server of Samsung SmartThings Hub. An attacker can trigger this vulnerability by sending a series of HTTP requests. The video-core process mistakenly handles existing records inside its SQLite database, prompting a buffer overflow on the stack.


Samsung SmartThings Hub is a central controller which enables the end customer to utilize their smartphone to connect remotely with their home gadgets by simply installing the SmartThings mobile application. The firmware is Linux-based and runs a progression of daemons that interface with nearby gadgets by means of Ethernet, Z-Wave, Zigbee, and Bluetooth conventions.

There is a likelihood for remote SmartThings servers to communicate with the video-core process by sending messages in the persistent TLS connection, set up by the hubCore procedure. These messages can encapsulate an HTTP request, which hubCore would transfer straightforwardly to the HTTP server exposed by video-core. By requesting the path "/samsungWifiScan" it's possible to instruct the video-core process to discover a Samsung smart camera and notify the operation using a callback.

These attacks serve as a stark reminder of how vulnerable IoT devices can be. Remote code execution is a standout amongst the most unsafe situations accessible to PC criminals. In this day and age, ARM is to a great degree common and numerous projects utilize it. Hackers can use the infected devices to carry out botnet attacks or infect network hosts with dangerous viruses and other types of malware.


Many hacked IoT gadgets have been utilized in the past for observation purposes so that lawbreakers can keep an eye on the network activity when the compromised gadgets fill in as modems or routers, gateways. Working with ARM does not mean that you stack-overflow safe, you should always be careful with buffer operations, check sizes, and use safe coding functions instead of dangerous functions (such as strcpy, memcpy,).

Developing safe coding habits can minimize this threat. However, making the stack non-executable is not enough, adding more security mechanisms is essential.

We will be covering each of these attacks in detail in our upcoming blogs. Stay tuned!

If you’re a penetration tester, identifying vulnerabilities in ARM binaries and performing exploitation is a skillset that you need to master. Perfect your ARM Exploitation skills with Attify’s newly launched

ARM Exploitation Video Course. Order Today! ARM-Video-Course-launch