ArduWorm: A Malware for Your Arduino Yun

We’ve been waiting for this one. A worm was written for the Internet-connected Arduino Yun that gets in through a memory corruption exploit in the ATmega32u4 that’s used as the serial bridge. The paper (as PDF) is a bit technical, but if you’re interested, it’s a great read. (Edit: The link went dead. Here is our local copy.)

The crux of the hack is getting the AVR to run out of RAM, which more than a few of us have done accidentally from time to time. Here, the hackers write more and more data into memory until they end up writing into the heap, where data that’s used to control the program lives. Writing a worm for the AVR isn’t as easy as it was in the 1990’s on PCs, because a lot of the code that you’d like to run is in flash, and thus immutable. However, if you know where enough functions are located in flash, you can just use what’s there. These kind of return-oriented programming (ROP) tricks were enough for the researchers to write a worm.

In the end, the worm is persistent, can spread from Yun to Yun, and can do most everything that you’d love/hate a worm to do. In security, we all know that a chain is only as strong as its weakest link, and here the attack isn’t against the OpenWRT Linux system running on the big chip, but rather against the small AVR chip playing a support role. Because the AVR is completely trusted by the Linux system, once you’ve got that, you’ve won.

Will this amount to anything in practice? Probably not. There are tons of systems out there with much more easily accessed vulnerabilities: hard-coded passwords and poor encryption protocols. Attacking all the Yuns in the world wouldn’t be worth one’s time. It’s a very cool proof of concept, and in our opinion, that’s even better.

Thanks [Dave] for the great tip!

24 thoughts on “ArduWorm: A Malware for Your Arduino Yun

  1. I developed a virus like program for a network of chip kit boards a while back. It wasn’t malicious, it was to propagate settings for home automation, to save me patching into them all one at a time. Buried in an old hard disk. Hopefully I stumble upon it again one day.

      1. My wild guess would be at less than the number of results from a google search for “Arduino Yun”. So I would guess that the upper limit would be ~400,000. But I’m only guessing.

      2. I am pretty sure I read somewhere (some time ago) that the ORIGINAL (from “Italy”) Arduino UNO had sold at most a couple million units… and that’s the most popular board of the family. So I am not guessing anything over 50,000 units ….

    1. The attack vector is bluetooth here, and the propagation vector is bluetooth or wifi telnet/ssh to other devices that use the same login credentials as the attacked device.

  2. >In this work, we have exploited a function (implemented
    >ad-hoc for the prototype) that receives data from the Bluetooth
    >port and stores it into a buffer, without checking its bounds.

    So, they introduce an attack vector and then exploit it. It’s not an attack on any default software on there like the HaD article would suggest. It’s a proof of concept.

  3. The AVR chips can’t run out of RAM, only flash. ROP was invented to get over limitations of (write xor execute) security in modern cpus. In a modern computer, the writable data area of a process is not executable, and the executable area is read only. The cleverness of ROP is you don’t upload any NEW code and you only write to the data area. You trash the return addresses on the stack so you run some of the EXISTING code already in the read only pages, just in a different order than intended. If you can get the target to call mmap or something with the right values, you can make one of the data pages you uploaded executable and now you are in.

    The true cleverness here is applying it to the AVR. You can’t execute out of RAM and you can’t accidently write to flash. But you can trash the stack you can run some flash code in a different sequence. And if there is a bootloader, you can call it and write a page of flash with your data.

    I wonder if ROP has applications outside of hacking. Abusing the processor’s ‘ret’ mechanism may be a way to write a fast virtual machine interpreter. Write a bit of addresses of instruction landlers somewhere, move the stack pointer, and return. The processor will take on the fetch/dispatch loop by itself.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s