FANDEMIC: Firmware Attack Construction and Deployment on Power Management Integrated Circuit and Impacts on IoT Applications

Ryan Tsang (University of California, Davis), Doreen Joseph (University of California, Davis), Qiushi Wu (University of California, Davis), Soheil Salehi (University of California, Davis), Nadir Carreon (University of Arizona), Prasant Mohapatra (University of California, Davis), Houman Homayoun (University of California, Davis)

Supply chains have become a pillar of our economic world, and they have brought tremendous advantages to both enterprises and users. These networks consist of companies and suppliers with the goal of reducing costs and production time by offloading various stages of the production process to third party foundries. Although globalized supply chains offer many advantages, they are also vulnerable to attacks at many different points along the pipeline. For Internet-of-Things (IoT) devices, this problem is exacerbated by firmware vulnerabilities, which influence the low-level control of the system hardware. Moreover, according to the National Vulnerability Database (NVD) the number of firmware vulnerabilities within IoT devices is rapidly increasing every year, making such firmware vulnerabilities a cause for growing concern and magnifying the need to address emerging firmware vulnerabilities.
In this paper we attempt to define and expand upon a class of firmware vulnerability that is characterized by the malicious configuration of power management integrated circuits (PMIC). We propose a firmware attack construction and deployment on power management IC (FANDEMIC) that involves reverse engineering bare-metal IoT firmware binaries and identifying the functions that interact with its PMIC. We demonstrate the possibility of directly altering the binary to deliberately misconfigure the PMIC such that supply line voltages are altered, which could result in a variety of problems with the device. We propose a workflow to reverse engineer the binary, using Ghidra and Python scripting, and provide two simple, but novel function matching algorithms. Furthermore, we highlight and discuss the potential aforementioned consequences of PMIC attacks, in particular, battery degradation and failure, accelerated aging effects, and sensor data corruption. As a proof of concept we implement the proposed attack on an nRF52 microcontroller and a MAX20303 PMIC to demonstrate sensor data corruption. Finally, we discuss possible mitigation techniques, which include binary auditing and secure firmware updates.