The Various Facets of IoT Firmware Analysis

Listen on the go!

IOT

Firmware is a code or software on the device that allows and enables the device to perform various tasks. The most common architectures for IoT firmware devices are ARM and MIPS.

Firmware provides the necessary instructions on how to communicate with hardware. Firmware is held in non-volatile memory devices such as ROM, EPROM, EEPROM, and code running on embedded devices.

Updates to Firmware: Firmware updates for IOT devices are often pushed to fix bugs, roll out new features, or improve security.

  • Can happen automatically
  • May need to be done manually

What is an IOT Device?

A “non-standard” device linked to the internet is called a “non-standard” device. Usually, they contain an embedded OS (firmware) and some way to interface with them. May have embedded sensors and can send, collect, and exchange data.

Examples include Security Cameras, Smart Home Devices-outlets, light switches, etc., Raspberry Pi’s, Connected Appliances-washers, dryers, ovens, etc., Wireless Routers-Linksys, D-Link, ASUS, etc., Wearables -Apple Watch, Pedometers, heart monitors, Autonomous ag equipment and cars, and Connected Appliances-washers, dryers, ovens, etc.

Top 10 IoT Issues OWASP

Weak Guessable or Hardcoded Passwords:

Using credentials that are quickly brute forced, available to the public, or unchangeable, including backdoors in firmware or client software that grant unauthorized access to deployed systems.

Insecure Network Services:

Unnecessary or insecure network services running on the device, particularly those exposed to the internet, that jeopardize information confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.

Insecure Ecosystem Interfaces:

Outside of the device, there are insecure online, backend API, cloud, or mobile interfaces in the ecosystem that allow the device or its linked components to be compromised. Significant issues include a lack of authentication and authorization, a lack of encryption, and a lack of input and output filtering.

Lack of Secure Update Mechanism:

Inability to update the gadget securely. This includes a lack of device firmware certification, insecure distribution (unencrypted in transit), anti-rollback procedures, and alerts of security changes caused by updates.

Use of Insecure or Outdated Components:

Deprecated or insecure software components/libraries that may allow the device to be hacked. This includes vulnerable operating system platform customizations and the usage of third-party software or hardware components sourced from a tainted supply chain.

Inadequate Privacy Protection:

Personal data about the user stored on the device or in the ecosystem is used insecurely, erroneously, or without permission.

Insecure Data Transfer and Storage:

There is no encryption or access control for sensitive data anywhere in the ecosystem, including at rest, in transit, and during processing.

Lack of Device Management:

Asset management, update management, secure decommissioning, system monitoring, and reaction capabilities are all lacking on devices that have been put into production.

Insecure Default Settings:

Devices or systems with insecure default settings or that cannot protect the system by blocking operations from modifying configurations are known as insecure default settings.

What exactly is a bootloader?

A piece of code or software that runs before any OS is loaded into memory. Bootloaders usually contain several ways to boot the OS kernel and contain commands for debugging and modifying the kernel environment.

Some of the common bootloaders include U-Boot, RedBoot, BareBox, and BusyBox.

Why examine the firmware?

  • If you can control the firmware, you can control the device.
  • Many vulnerabilities found in IoT devices originate here.
  • An IoT device can be an easy entry point for attackers to enter the network.

What can I find by looking at firmware?

  • Firmware contains hardcoded
    • Credentials
    • Keys
    • Network values
  • Encryption is not used for sensitive information
  • Updates not encrypted
  • Update not verified before upload/install

Methodology:

There are two ways to analyze the firmware: Manual and Automated.

Manual analysis is time-consuming and not easy.

Automated analysis is easy because it can be performed using open-source tools available on GitHub, Firmwalker, and Binwalk.

The below points are used to find during the Firmware Analysis

  • Etc/shadow, etc/passwd
  • List out the etc/ssl directory
  • Look for script files
  • Search for other .bin files
  • Experimental support for making calls to the Shodan API using the Shodan CLI
  • Explore for Keywords such as admin, password remote
  • Look around for common web servers used on IoT devices
  • Search for SSL related files such as .pem, .crt
  • Look for configuration files
  • Hunt for common binaries such as ssh, tftp, dropbear, etc
  • Search for URLs, email addresses, and IP addresses

For Firmware Analysis we are using OWASP IGOAT. Download it from here.

OWSAP IGOAT

After the download, use the Binwalk tool, a default tool in Kali, and if you use any other Linux distro, you can get it from GitHub.

To install, Use apt install Binwalk.

$ binwalk IoTGoat-raspberry-pi2.img

binwalk IoT Goat-raspberry-pi2

There are some most common files system used in IOT: squashfs, cramfs, JFFS2, yaffs2, ext2.  This IOT firmware update uses squashfs file system.

squashfs file system

And, it has multiple types of Compression file system. As shown below, it uses xz compression. Some of the Compression methods: LZMA, gzip, Zip, Zlib, xz, ARJ.

Compression

With the help of address, we get an idea like after how many offsets it start extracting.

Address

So, we got few information to initiate analysis

  • filesystem – Squashfs
  • compression – xz
  • address – 29360128

Let’s extract image file using binwalk.

$ binwalk -e IoTGoat-raspberry-pi2.img

binwalk -e IoTGoat-raspberry-pi2

Change directory and let’s search for any sensitive information.

Sensitive information squashfs root

sensitive information squashfs root etc

We come to know that username is iotgoatuser.

Username

And we got the password for the iotgoatuser, try to crack using Hydra, JohnTheRipper.

Password

Navigate to usr/lib/lua/luci/controller/iotgoat where we find some juicy information.

Juicy Information

We can identify the Architecture.

Architecture

You can also automate the search using Firmwalker tool.

Firmwalker Tool

Few steps to do the firmware analysis

These are the few steps to do the firmware analysis. Try to explore all the directories and its files to get lot more sensitive information.

Static Versus Dynamic Analysis

Static looks at the firmware while it is not in operation

  • Analyze filesystem
  • Inspect bootloader
  • Looks for “hard-coded” items
  • Use tools such as Firmadyne, Binwalk, Firmwalker etc

Dynamic looks at it while in operation:

  • Need to have device on and have access to it
  • Also have the option to virtualize the IoT device
  • Use pentest type tools like nmap, Metasploit etc

How to perform Static Analysis:

  • Get firmware
  • Extract file system(binwalk)
  • Uncompress filesystem and components if needed
  • Look for common issues within filesystem such as passwords, Ips, keys etc. (firmwalker)
  • Look at the various binaries present in the firmware and analyze then to identify vulnerabilities
  • Check for the version of common binaries such as busybox and see if you can find a corresponding exploit for that given version

How to perform Dynamic Analysis:

  • Use Pen Testing Tools
    • NMAP
    • Metasploit
    • Tcpdump netcat
    • Wireshrak
  • Default Credentials
  • Google and Shodan

Why Firmware Reverse Engineering

An IOT device has hardware like cameras. All these embedded systems have hardware inside which has user applications to interact with and make communication once the internet has some kind of management storage. They are completely linked into the ecosystem. So, and then to moderate all these things, we have logic given to the device that is firmware. It is the core business logic of the device/product. For some vendors, it could be an IP.

If an attacker is successful in finding any vulnerability in the firmware, it could directly or indirectly affect the other parts of the ecosystem.

For example, if the firmware is IP for some vendors and someone is able to get that firmware. Getting firmware could be a different way, which could be via a hardware attack or directly download from the vendor’s website. If it is an IP, it obviously will not be available on the website. So in this case, you have to use some tricks around hardware hacking. One way is if you get the hardware, you can clone the device. It affects the IP. Another thing is if you get the hardware, we perform reverse engineering on it, which leads to another exploit. So for example, let us say a hardcoded system etc.

Possible attack scenarios with respective firmware (reverse engineering) includes File system, Custom Binaries, Hardcoded sensitive information like passwords, keys etc., Configuration Files, Certificates, Perform debugging, hunt and attack, Fuzzing, Vulnerability in binaries leading to RCE, Dos attacks, and Patch with backdoors.

Firmware Analysis Tools

Several firmware software tools that can analyze firmware images, decompile images, and attach to firmware processes during runtime are Binwalk, Firmwalker, Binary Analysis Tool (BAT), Firmware Analysis Toolkit, and Radare2.

Conclusion

Are your IoT devices safe and ready to tackle the challenges related to:

  • Data security
  • Security threats
  • Access management
  • 3rd-party data sharing
  • Compliance requirements
  • Hardware challenges
  • Validation
  • Integration management

Quality and Performance form the keystone of IoT devices to function and interconnect seamlessly. We ensure testing of the end-to-end functionality of multiple devices across platforms.

Cigniti’s experience in IoT app Testing as a Service (TaaS), a team of IoT-skilled testers, and a robust IoT testing infrastructure (labs, simulators, test racks, etc.,) support real-time testing of Big Data, Compatibility, IoT firmware Security, Performance, Pilot, Regulatory, Reliability, Upgrade, Usability, and smart devices in a dynamic environment (RFID, Sensors).

Need help? Consult our team of IoT Testing experts and Security Testing experts to learn more about the various facets of IoT Firmware Analysis.

Author

  • Kurapati Purna Siri

    Have 5+ years of experience and have been actively involved in multiple Security Assessment for services like DAST, SAST and MAST. Currently working as a Security Researcher with Cigniti Technologies and a part of the Security Center of Excellence team. Keen in exploring new tools and technologies and fine tuning those as per project requirements.

    View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *