Lich: Enhancing IoT Supply Chain Security Through Automated Firmware Analysis
Aldini, Alessandro; Bianco, Giuseppe Marco
2025
Abstract
The Internet of Things (IoT) is growing at an unprecedented speed, with over 16.6 billion connected devices in 2023 and projections of around 40 billion by 2030. However, this exponential growth is accompanied by serious security issues within the IoT device supply chain. By analysing case studies, the research identifies how individual vulnerabilities in the supply chain can compromise the overall security of devices. Since firmware development is an integral part of an IoT supply chain, any weakness at this stage has large-scale security and reliability repercussions. This research focuses on security vulnerabilities arising from weaknesses in IoT firmware development, examining key challenges. The paper also introduces the energy robustness concept, which encourages developers to consider the number of joules consumed by a firmware in a specific time frame in order to determine the empirical degree of device robustness to its inherent vulnerabilities and to external attacks. As a practical solution, we present Lich, a firmware analysis tool that executes a sequence of security and energy consumption tools with the objective of discovering vulnerabilities at an early stage of development and before a firmware deployment. The research aims to demonstrate, on a theoretical level, that the implementation of continuous controls can improve the reliability and security of the IoT supply chain.

| File | Size | Format |
|---|---|---|
| Lich_Enhancing_IoT_Supply_Chain_Security_Through_Automated_Firmware_Analysis.pdf (authorized users only; Type: Publisher's version; License: Copyright, all rights reserved) | 208.91 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.


