The increasing integration of IoT devices into critical infrastructures has made them prime targets for cyberattacks. Many of these devices rely on outdated or legacy software, which introduces inherent vulnerabilities and complicates firmware updates, making the identification and testing of these weaknesses essential. Existing methods, such as Diane and IoTFuzzer, typically employ black-box approaches, mutating network requests generated during device operation to craft potential attack vectors. However, black-box methods recognize successful exploits only through external feedback signals, such as errors or crashes, which makes them ineffective when the effect of an exploit is not an error and the feedback signal can only be obtained by analysing the execution trace. To address these limitations, we introduce MITHRAS, the first gray-box approach that uses mobile companion apps to deliver maliciously mutated requests directly to IoT devices, guided by the distance between the execution trace and a potential vulnerability sink. MITHRAS uses Deep Reinforcement Learning to efficiently navigate the communication code within companion apps, mutating request payloads before transmission. By adapting to the outcomes of past attacks, MITHRAS refines its strategy over time, mimicking human decision-making to improve the effectiveness of exploit generation.