🤖 AI Summary
This work addresses the challenge of detecting hidden services in IoT device firmware—services invisible to users yet exploitable by attackers. We propose a novel automated discovery method that synergistically combines static analysis and lightweight symbolic execution. First, firmware is unpacked and potential service entry points are identified. Subsequently, static analysis extracts control-flow and network-behavior features, while lightweight symbolic execution verifies reachability and privilege-escalation paths, enabling precise identification of concealed services. To our knowledge, this is the first approach to deeply integrate these two techniques for hidden-service detection in IoT firmware, overcoming key limitations of conventional dynamic analysis—including low code coverage and strong environmental dependencies. Evaluated on real-world IoT firmware samples, our method achieves an average analysis time of under three minutes per firmware image and a false-positive rate below 8%. It successfully uncovers multiple high-severity hidden services, significantly enhancing both the efficiency and reliability of firmware security auditing.
📝 Abstract
In this paper, we propose an automatic firmware analysis tool aimed at finding hidden services that may be potentially harmful to IoT devices. Our approach uses static analysis and symbolic execution to search for and filter services that are transparent to normal users but explicit to experienced attackers. A prototype is built and evaluated against a dataset of IoT firmware, and the evaluation shows that our tool can find suspicious hidden services effectively.
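As an added illustration (not the paper's tool, whose code is not on this page), the static-analysis half of the pipeline described above, run on a constructed unpacked firmware tree: boot entry points are read from inittab and init.d scripts, a crude socket-symbol scan stands in for the network-behaviour features, and a program is flagged when it is network-facing and absent from an assumed list of services the device advertises. The symbolic-execution reachability and privilege checks are out of scope here; the file layout, the symbol heuristic and the advertised-service list are all assumptions.

```python
import tempfile
from pathlib import Path

# Stand-in for the paper's network-behaviour features: socket-API symbol names found
# in a binary (substring matching is an assumption; a real tool parses ELF imports).
NET_SYMBOLS = (b"socket", b"bind", b"listen", b"accept")

def entry_points(root):
    """Step 1: programs started at boot (BusyBox-style inittab + etc/init.d scripts)."""
    files = [Path(root, "etc/inittab")] + sorted(Path(root, "etc/init.d").glob("*"))
    found = set()
    for path in filter(Path.is_file, files):
        for line in path.read_text(errors="replace").splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            # inittab lines are id:runlevels:action:process; keep only the process field
            cmd = line.rsplit(":", 1)[-1] if path.name == "inittab" else line
            words = cmd.split()
            if words and words[0].startswith("/"):  # relative names are not resolved
                found.add(words[0])
    return found

def network_features(root, prog):
    """Step 2: which socket-API symbols the program's binary references."""
    binary = Path(root, prog.lstrip("/"))
    data = binary.read_bytes() if binary.is_file() else b""
    return {s.decode() for s in NET_SYMBOLS if s in data}

def hidden_service_candidates(root, advertised):
    """Step 3: boot-started, network-facing programs absent from the advertised list."""
    out = {}
    for prog in sorted(entry_points(root)):
        feats = network_features(root, prog)
        if feats and Path(prog).name not in advertised:
            out[prog] = feats
    return out

def build_sample_firmware():
    """Constructed unpacked-firmware tree for the demo; the 'binaries' are fake blobs."""
    root = Path(tempfile.mkdtemp())
    files = {"etc/inittab": b"::sysinit:/etc/init.d/rcS\n::respawn:/sbin/telnetd -l /bin/sh\n",
             "etc/init.d/rcS": b"#!/bin/sh\nmount -t proc proc /proc\n/usr/sbin/httpd &\n/sbin/syslogd\n",
             "usr/sbin/httpd": b"\x7fELF..socket\0bind\0listen\0",
             "sbin/telnetd": b"\x7fELF..socket\0bind\0listen\0accept\0",
             "sbin/syslogd": b"\x7fELF..openlog\0"}
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
    return root
```

Calling `hidden_service_candidates(build_sample_firmware(), {"httpd"})` flags only `/sbin/telnetd`; on real firmware the substring heuristic should be replaced by import-table parsing, since loose matching is the main source of the false positives the paper measures.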