IEEE Consumer Electronics Magazine - May/June 2023 - 77
Firmware Analysis
Regarding firmware vulnerabilities,
most Arduino systems run without
an OS. Non-OS Arduino boards are programmed by
executing a set of instructions in their microcontroller3.
These instructions can be written using
the Arduino software and uploaded to the board.
Arduino boards include a preinstalled, ready-to-use
bootloader, which may open a door to a malicious
third party who has access to the
hardware.34 This default bootloader helps developers
quickly install a program using a UART-USB
wire directly connected to the Arduino
board. A malicious third party with USB hardware
access to the board can easily
upload new firmware.
The default Arduino bootloader adds a delay
at boot. This delay ranges from around 1.5 s on
the latest versions to 10 s on the oldest ones. In
some environments, like drone controllers, this
booting delay can lead to dangerous situations.
Luckily, the default bootloader can be rewritten
or completely deleted using an external programmer.35
If the bootloader is removed, firmware
reprogramming can only be done using the external
programmer. This requires an additional piece of
hardware and more skill to reprogram the
hardware.
If an attacker has an external programmer and
access to the boards, the firmware in binary format
may be extracted because the flash memory
data is not encrypted.36 The downloaded code
can afterward be disassembled and converted into
human-readable code using tools like HexRays.
To prevent an unauthorized third
party from accessing the firmware, the security bit of
the microcontroller can be activated. However,
this bit does not prevent a program in the bootloader
from reading the flash memory. Therefore, to
completely secure the flash memory,
the bootloader must be deleted.
As with any other software, Arduino firmware
can be attacked by exploiting buffer overflow bugs in
order to get access to unauthorized data. This
attack modifies the normal application flow by writing
data to unexpected memory addresses.37
Even though this attack is complex to perform on
Arduino microcontrollers due to their stack operation,
it is not impossible. This kind of attack can
be really dangerous, as an attacker could even execute
bootloader code to overwrite the firmware.
FIGURE 1. Cross-compiler AVR-GCC complains
about stack protector option.
Arduino microcontrollers have a reduced
memory size. For that reason, badly designed software
will end up in fatal states if memory is full.
A full SRAM prevents the sketch from running as expected,
and there is no easy way to detect this problem.38
Arduino development and testing requires
attention and good practices to avoid full-memory
problems.
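One widely used way to get some visibility into SRAM exhaustion is stack painting, shown here as an added example that is not code from the article. It assumes the sketch does no dynamic allocation after painting; the sentinel value, function names and the `fake_sram` buffer are constructed for illustration so the code runs on a host.

```c
#include <stddef.h>
#include <stdint.h>

#define PAINT 0xC5u   /* sentinel byte; the value is arbitrary (assumption) */

/* Fill the unused RAM gap with the sentinel. Call once at startup.
 * On a device, [gap, gap+len) would be the free region between the end of
 * static data and the current stack pointer; here it is any caller buffer. */
void paint_gap(volatile uint8_t *gap, size_t len)
{
    for (size_t i = 0; i < len; i++)
        gap[i] = PAINT;
}

/* The stack grows downward from the top of the gap, so sentinel bytes that
 * survive at the low end were never touched. The count returned is the
 * smallest amount of free SRAM seen since painting (the low-water mark). */
size_t min_free_bytes(const volatile uint8_t *gap, size_t len)
{
    size_t n = 0;
    while (n < len && gap[n] == PAINT)
        n++;
    return n;
}

/* Constructed stand-in for SRAM so the example runs off-target. */
static uint8_t fake_sram[256];

/* Paint, simulate stack frames consuming `used` bytes from the top of the
 * gap downward, then report the low-water mark. */
size_t demo_low_water(size_t used)
{
    paint_gap(fake_sram, sizeof fake_sram);
    for (size_t i = 0; i < used && i < sizeof fake_sram; i++)
        fake_sram[sizeof fake_sram - 1 - i] = 0x00;
    return min_free_bytes(fake_sram, sizeof fake_sram);
}
```

A low-water mark that approaches zero during testing means the stack is close to colliding with static data, which is the silent failure the paragraph above describes.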
When developing with Arduino, stack vulnerabilities
must be avoided during development,
as run-time protections are not available.
Protection techniques like Address Space Layout
Randomization (ASLR) or Stack Canaries that
can prevent some stack attacks are not supported
for AVR devices. If we try to compile any application
using stack protection options, the compiler
will complain about it (see Figure 1).
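Because no canary or ASLR backs up the firmware, every copy into a fixed buffer has to be bounded in the code itself. The following is an added example, not code from the article: a line reader for serial or network input that rejects over-long lines. `CMD_MAX`, `line_reader`, `line_feed` and `feed_stream` are hypothetical names, and the byte streams used with it are constructed.

```c
#include <stddef.h>
#include <string.h>

#define CMD_MAX 16                      /* longest accepted command (assumed) */

typedef enum { LINE_PENDING, LINE_READY, LINE_REJECTED } line_status;

typedef struct {
    char   buf[CMD_MAX + 1];            /* +1 for the terminator */
    size_t len;
    int    discarding;                  /* inside an over-long line */
} line_reader;

/* Feed one received byte. The write index is checked before every store,
 * so an over-long line is dropped up to its newline instead of spilling
 * onto the stack or neighbouring globals. */
line_status line_feed(line_reader *r, char c)
{
    if (c == '\n') {
        line_status s = r->discarding ? LINE_REJECTED : LINE_READY;
        r->buf[r->len] = '\0';          /* len is 0 when discarding */
        r->len = 0;
        r->discarding = 0;
        return s;
    }
    if (r->discarding)
        return LINE_PENDING;
    if (r->len >= CMD_MAX) {            /* no room left: reject whole line */
        r->discarding = 1;
        r->len = 0;
        return LINE_PENDING;
    }
    r->buf[r->len++] = c;
    return LINE_PENDING;
}

/* Run a constructed byte stream through the reader. Returns the accepted
 * count, stores the rejected count and the last accepted line
 * (last must hold CMD_MAX + 1 bytes, so the strcpy below is bounded). */
int feed_stream(const char *data, int *rejected, char *last)
{
    line_reader r = {0};
    int accepted = 0;
    *rejected = 0;
    last[0] = '\0';
    for (; *data; data++) {
        line_status s = line_feed(&r, *data);
        if (s == LINE_READY) { accepted++; strcpy(last, r.buf); }
        else if (s == LINE_REJECTED) (*rejected)++;
    }
    return accepted;
}
```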
Communication Analysis
Communication
stack implementations are also vulnerable to
attacks. The Arduino MEGA with Ethernet connection,
the MKR 1010 on Wi-Fi and the Arduino UNO
with Ethernet shield all tolerate a SYN flooding
attack and an HTTP DoS attack. While the attacks
are being performed, access to the servers
becomes almost impossible. However, once the
attacks stop, the server becomes accessible again
with no need to restart the board.
The Arduino MEGA with the Wi-Fi shield loses its connection
after only 100 ICMP packets sent in a few
seconds. After the attack, the MEGA board no longer
answers ping requests or web
requests (see Figure 2). To recover the
connection on the board, a full reboot is required.
Regarding the Wemos D1R2, the board has stability
problems as soon as a DoS attack starts.
These boards constantly reboot because of an