Bootloader Attacks on IoT Devices: The Basics

One of the key components of the embedded/Internet of Things software stack is the Bootloader. Unfortunately, it is also the least audited component of that stack. So why is the Bootloader so important from a security perspective? Here are my reasons:

  1. First Software Component to Run: Once the device powers up, the System on Chip (SoC)'s internal ROM code runs and transfers control to the Bootloader (generally multi-stage). The Bootloader is then responsible for loading the Linux Kernel (OS) into RAM and running it. Hence the Bootloader has full control over the destiny of the device, as it decides what boots next :)
  2. Embedded Bootkits anyone? An attacker can target the Bootloader and create bootkits which backdoor the system. Why is this so plausible for IoT devices? Because trusted/secure boot is almost entirely absent on them (are cost, performance and security objectives at odds?).
  3. Patch / Backdoor the Kernel and Userspace Programs: The Bootloader can reach out into the flash storage and modify key components like the Kernel and other userspace programs on the filesystem. Alternatively, it can load the kernel into memory, patch it with malicious code and then run the modified kernel. Bootloaders like U-Boot are fairly advanced and it's easy to compile such capabilities into them. An attacker can overwrite the vendor-supplied Bootloader with a backdoored one and take over the box!
  4. Generally Never Replaced during Firmware Updates: Bootloaders typically remain untouched during firmware updates. I am sure vendors do not want something to go wrong and brick the device :) This makes Bootloader attacks even more potent, as they might persist for the lifetime of the smart device.
  5. Difficult to Gather Forensic Evidence: Once the Bootloader loads and runs the OS kernel, it ceases to exist! The RAM it used is reclaimed by the OS and overwritten as the system starts running its applications. This makes it much harder to gather runtime forensic evidence! Of course, being able to run memory acquisition tools on your smart bulb will be no mean task anyway :)
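Points 3 and 4 above suggest a simple audit an IoT security reviewer can do from the outside: pull the kernel image that U-Boot will load off the flash or SD card and verify it against a baseline recorded from a known-good copy. The script below is an added example, not code from the article or from U-Boot; it parses U-Boot's legacy uImage header (the 64-byte layout from U-Boot's include/image.h), checks the header and data CRCs, and compares the whole image against a trusted SHA-256. The sample image is constructed in the script, and the load/entry addresses and field values are illustrative.

```python
import hashlib
import struct
import zlib

# Legacy U-Boot image header: 64 bytes, big-endian (layout from U-Boot's include/image.h).
IH_MAGIC = 0x27051956
IH_FORMAT = ">IIIIIIIBBBB32s"  # magic,hcrc,time,size,load,ep,dcrc,os,arch,type,comp,name
IH_SIZE = struct.calcsize(IH_FORMAT)  # 64


def crc32(buf):
    return zlib.crc32(buf) & 0xFFFFFFFF


def image_sha256(blob):
    """Hash of the complete image; record this from a trusted copy as the baseline."""
    return hashlib.sha256(blob).hexdigest()


def build_uimage(payload, name=b"kernel"):
    """Construct a synthetic uImage around `payload` (test data only, not a real kernel).
    os=5 (Linux), arch=2 (ARM), type=2 (kernel), comp=0 (none); addresses are illustrative."""
    hdr = struct.pack(IH_FORMAT, IH_MAGIC, 0, 0, len(payload), 0x80008000,
                      0x80008000, crc32(payload), 5, 2, 2, 0, name.ljust(32, b"\x00"))
    hcrc = crc32(hdr)  # header CRC is computed with the hcrc field itself zeroed
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


def check_uimage(blob, baseline_sha256=None):
    """Verify header/data CRCs and, if given, a known-good SHA-256 of the whole image."""
    if len(blob) < IH_SIZE:
        raise ValueError("blob shorter than a uImage header")
    (magic, hcrc, _t, size, load, ep, dcrc,
     _os, _arch, _type, _comp, name) = struct.unpack(IH_FORMAT, blob[:IH_SIZE])
    if magic != IH_MAGIC:
        raise ValueError("not a legacy uImage (magic 0x%08x)" % magic)
    hdr_zeroed = blob[:4] + b"\x00\x00\x00\x00" + blob[8:IH_SIZE]
    data = blob[IH_SIZE:IH_SIZE + size]
    result = {
        "name": name.rstrip(b"\x00").decode(errors="replace"),
        "load": load, "entry": ep, "size": size,
        "hcrc_ok": crc32(hdr_zeroed) == hcrc,
        "dcrc_ok": len(data) == size and crc32(data) == dcrc,
    }
    # CRC32 only catches accidental corruption: whoever rewrites the kernel on flash can
    # recompute it. Deliberate tampering is only caught by the trusted-baseline comparison.
    if baseline_sha256 is not None:
        result["baseline_ok"] = image_sha256(blob) == baseline_sha256
    return result
```

Run it against a kernel image dumped from the device (for example with dd over a serial console or from the removed SD card) and against the corresponding image from the vendor's firmware package; a CRC mismatch indicates corruption, while intact CRCs with a baseline mismatch is the signature of a rewritten image.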

Did I whet your appetite for more on Bootloaders? For the uninitiated, I've made a quick primer on how Bootloaders work, using the industrial-grade TI AM335x BeagleBone Black board as a case study. This video is one of many I've created as part of the Embedded/IoT Linux for Red-Blue Teams course on Pentester Academy. Here is the video:

I will be posting more videos on Bootloader attacks, Bootkits and Kernel-mode Rootkits for IoT devices very soon! Hopefully this will help generate more awareness among IoT security auditors to look beyond application attacks!

Meghdad Shamsaei

Security Enthusiast

6 years

Very nice Vivek. Thanks

Manoj Kumar Singh, CISSP?, CSSLP, Sec

Principal Systems Design Engineer @Nokia R&D (NI)

6 years

Nice presentation Vivek. Please share the next slides/video where an attacker can inject a malicious backdoor at bootloader stage 1 (MLO) or stage 2 (U-Boot) to change the behavior of the bootloader so as to modify the kernel or user space functions.
