
#100papers- ArduWorm

ArduWorm is a functional piece of malware that targets Arduino devices. Such infections are pertinent given the rapid growth in the number of IoT devices. Two proof-of-concept scenarios are discussed, as well as a list of possible countermeasures.

Keywords: Cyber, Malware, IoT, Internet of Things, RAT, Remote Administration Tool, Worm, Dictionary Attack.

Pastrana, S., Rodriguez-Canseco, J., & Calleja, A. (2016). ArduWorm: A functional malware targeting Arduino devices. COSEC Computer Security Lab.


Researchers Pastrana, Rodriguez-Canseco and Calleja from the Computer Security Lab (COSEC) at the Universidad Carlos III de Madrid, Spain, have conducted a vulnerability analysis of the Arduino Yun platform. It is worth noting that this is a self-published paper which, from appearances, has not been through peer review. Nevertheless, the concepts discussed have merit.

The authors highlight a weakness in the connection between the Atmel microcontroller unit (MCU) and the additional Atheros microprocessor (MPU). This connection is a serial link managed by a bridging software library, aptly named “Bridge”. By exploiting a memory-corruption vulnerability in code running on the ATmega32u4 MCU, and pivoting across the Bridge, the entire Yun platform is compromised.

Because the AVR processor used in the Arduino platform is a modified Harvard architecture, in which code and data live in physically separate memories (flash and SRAM) and data memory cannot be executed, ArduWorm relies on code reuse rather than code injection. It is worth noting that AVR does not officially stand for anything and is thought to be an acronym of the inventors’ names (Alf and Vegard’s RISC processor) [1].

The main attack targets OpenWrt, the Linux distribution running on the Yun’s Atheros side. The authors focus on how to gain elevated privileges on that side of the device, using Return Oriented Programming (ROP) on the MCU.

Using the standard technique of overwriting saved return addresses on the stack so that execution is diverted to existing code, a worm has been designed that includes a Remote Administration Tool (RAT). The payload is a simple reverse shell with root privileges, opened on port 16333. The worm includes a persistence phase that creates an SSH user, should that port be closed. During the reconnaissance phase, all networked hosts with port 22 or 23 (SSH or Telnet) open are logged as potential targets. In the propagation and exploitation phase the worm then relies on password reuse, trying a small dictionary of credentials to infiltrate further devices.
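To make the return-address overwrite concrete, here is an added host-side model of the technique; it is illustrative code written for this post, not code from the paper or from the ArduWorm authors. It reproduces two AVR facts an exploit writer has to respect: the saved return address on the stack is a flash word address (byte address divided by two), and it is stored most-significant byte first even though AVR data is otherwise little-endian. The frame layout (a 32-byte local buffer, two saved registers), the model RAM size and the addresses 0x0400 and 0x1234 are assumptions chosen for the illustration, not values from the paper.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy host-side model, not code from the paper, of the stack frame avr-gcc
 * builds for a function holding a fixed-size local buffer. Low to high:
 *   [local buffer][callee-saved registers][return address, MSB first]
 * Two AVR quirks matter to an exploit writer: the saved return address is
 * a flash *word* address (byte address / 2), and it sits on the stack
 * big-endian although AVR data is otherwise little-endian. All sizes and
 * addresses below are assumptions chosen for the illustration. */
#define BUF_LEN     32u    /* the sketch's local buffer (assumed) */
#define SAVED_REGS   2u    /* r28/r29 pushed by the prologue (assumed) */
#define RET_LEN      2u    /* 16-bit program counter on the ATmega32u4 */
#define FRAME_BASE 0x10u   /* where the buffer starts inside the model RAM */
#define RET_OFFSET (FRAME_BASE + BUF_LEN + SAVED_REGS)

typedef struct {
    uint8_t ram[128];      /* a small slice of SRAM around the frame */
} avr_frame_t;

/* Leave the frame as CALL would when the function is entered from the
 * flash byte address ret_byte_addr. */
void frame_init(avr_frame_t *f, uint16_t ret_byte_addr) {
    uint16_t word = ret_byte_addr >> 1;
    memset(f->ram, 0, sizeof f->ram);
    f->ram[RET_OFFSET]     = (uint8_t)(word >> 8);    /* MSB at the lower address */
    f->ram[RET_OFFSET + 1] = (uint8_t)(word & 0xFF);
}

/* The bug: input arriving over the Bridge is copied into the local buffer
 * with no length check, the class of memory corruption the worm relies on.
 * The clamp only keeps this model inside its array; the MCU has no guard. */
void vuln_copy(avr_frame_t *f, const uint8_t *in, size_t len) {
    if (len > sizeof f->ram - FRAME_BASE)
        len = sizeof f->ram - FRAME_BASE;
    memcpy(&f->ram[FRAME_BASE], in, len);
}

/* What RET does: pop the MSB, then the LSB, of the word address and
 * return the flash byte address execution continues at. */
uint16_t frame_ret(const avr_frame_t *f) {
    uint16_t word = (uint16_t)((f->ram[RET_OFFSET] << 8) | f->ram[RET_OFFSET + 1]);
    return (uint16_t)(word << 1);
}

/* Build the overflow payload that makes RET land on target_byte_addr, a
 * routine already present in flash (code reuse). SRAM is not executable
 * on AVR, so there is no point injecting code into the buffer. Returns
 * the payload length, or 0 when it cannot be built. */
size_t build_rop_payload(uint16_t target_byte_addr, uint8_t *out, size_t cap) {
    size_t len = BUF_LEN + SAVED_REGS + RET_LEN;
    uint16_t word;
    if (cap < len || (target_byte_addr & 1u))   /* flash words start on even bytes */
        return 0;
    memset(out, 'A', BUF_LEN + SAVED_REGS);     /* filler; r28/r29 are clobbered too */
    word = target_byte_addr >> 1;
    out[len - 2] = (uint8_t)(word >> 8);        /* MSB first, matching the stack */
    out[len - 1] = (uint8_t)(word & 0xFF);
    return len;
}

/* One payload byte, for inspection; -1 if the payload cannot be built
 * or idx is past its end. */
int payload_byte(uint16_t target_byte_addr, size_t idx) {
    uint8_t buf[64];
    size_t n = build_rop_payload(target_byte_addr, buf, sizeof buf);
    return (n == 0 || idx >= n) ? -1 : buf[idx];
}

/* Whole scenario: enter the function from legit_ret, feed the payload for
 * target through the vulnerable copy, report where RET lands. A refused
 * payload (odd target) leaves RET pointing back at legit_ret. */
uint16_t demo_hijack(uint16_t legit_ret, uint16_t target) {
    avr_frame_t f;
    uint8_t payload[64];
    size_t n = build_rop_payload(target, payload, sizeof payload);
    frame_init(&f, legit_ret);
    if (n != 0)
        vuln_copy(&f, payload, n);
    return frame_ret(&f);
}

int main(void) {
    /* Constructed addresses: caller at 0x0400, routine to reuse at 0x1234. */
    printf("RET bytes on stack for 0x1234: %02X %02X (word address 0x091A)\n",
           payload_byte(0x1234, 34), payload_byte(0x1234, 35));
    printf("RET lands at 0x%04X\n", demo_hijack(0x0400, 0x1234));
    return 0;
}
```

The point of the model is the last two payload bytes: for a target at byte address 0x1234 they must be 0x09 then 0x1A (word address 0x091A, MSB first), and a little-endian or byte-addressed guess would send RET somewhere else entirely. On the real board the reused routine would be one already linked into the sketch, such as the Bridge code that runs commands on the Linux side, which is why the Harvard split does not stop the attack.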

It is unclear whether the AVR MCU vendors have updated their architectures to resolve this style of attack. Mitigations have been proposed in the research literature that could be implemented [2], but further personal research is required to understand whether any have been. Other precautions, such as encryption and standardisation of IoT security measures, are proposed by the authors. The most basic strategy, changing default passwords to avoid or disrupt a dictionary-style attack, is not.

It is unclear whether this work is available for download as an exploit. I’d recommend the authors seek peer review and wider publication.

Additional References

[1] “UNSW School of Computer Science and Engineering – General AVR Info”. Cse.unsw.edu.au. Archived from the original on 2012-06-23. Retrieved 2012-09-19.

[2] Habibi, J., Gupta, A., Carlson, S., Panicker, A., Bertino, E.: “MAVR: Code reuse stealthy attacks and mitigation on unmanned aerial vehicles”. In IEEE 35th International Conference on Distributed Computing Systems (ICDCS), pp. 642–652, 2015. DOI: 10.1109/ICDCS.2015.71

#100papers: 10 points
