{"id":17217,"date":"2022-07-11T20:26:40","date_gmt":"2022-07-11T14:56:40","guid":{"rendered":"https:\/\/cigniti.com\/blog\/?p=17217"},"modified":"2024-01-17T14:11:00","modified_gmt":"2024-01-17T08:41:00","slug":"iot-firmware-analysis","status":"publish","type":"post","link":"https:\/\/www.cigniti.com\/blog\/iot-firmware-analysis\/","title":{"rendered":"The Various Facets of IoT Firmware Analysis"},"content":{"rendered":"
Firmware is code or software on the device that enables it to perform various tasks. The most common architectures for IoT firmware devices are ARM and MIPS.<\/p>\n
Firmware provides the necessary instructions on how to communicate with hardware. Firmware is held in non-volatile memory such as ROM, EPROM, and EEPROM, and runs on embedded devices.<\/p>\n
Updates to Firmware:<\/strong> Firmware updates for IoT devices are often pushed to fix bugs, roll out new features, or improve security.<\/p>\n A \u201cnon-standard\u201d computing device linked to the internet is called an IoT device. Usually, such devices contain an embedded OS (firmware) and some way to interface with them. They may have embedded sensors and can send, collect, and exchange data.<\/p>\n Examples include security cameras, Smart Home<\/a> devices (outlets, light switches, etc.), Raspberry Pis, connected appliances (washers, dryers, ovens, etc.), wireless routers (Linksys, D-Link, ASUS, etc.), wearables (Apple Watch, pedometers, heart monitors), and autonomous agricultural equipment and cars.<\/p>\n Use of credentials that are easily brute forced, publicly available, or unchangeable, including backdoors in firmware or client software that grant unauthorized access to deployed systems.<\/p>\n Unnecessary or insecure network services running on the device, particularly those exposed to the internet, that jeopardize the confidentiality, integrity\/authenticity, or availability of information, or allow unauthorized remote control.<\/p>\n Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside the device that allow the device or its linked components to be compromised. Common issues include a lack of authentication and authorization, a lack of encryption, and a lack of input and output filtering.<\/p>\n Inability to update the device securely. This includes a lack of firmware validation on the device, insecure delivery (unencrypted in transit), missing anti-rollback mechanisms, and no notification of security changes caused by updates.<\/p>\n Deprecated or insecure software components\/libraries that may allow the device to be compromised. 
This includes vulnerable operating system platform customizations and the use of third-party software or hardware components sourced from a compromised supply chain.<\/p>\n Personal data about the user stored on the device or in the ecosystem is used insecurely, improperly, or without permission.<\/p>\n There is no encryption or access control for sensitive data anywhere in the ecosystem, including at rest, in transit, and during processing.<\/p>\n Asset management, update management, secure decommissioning, system monitoring, and response capabilities are all lacking on devices that have been put into production.<\/p>\n Devices or systems shipped with insecure default settings, or that lack the ability to make the system more secure by restricting operators from modifying configurations.<\/p>\n A bootloader is a piece of code or software that runs before any OS is loaded into memory. Bootloaders usually provide several ways to boot the OS kernel and contain commands for debugging and modifying the kernel environment.<\/p>\n Some of the common bootloaders include U-Boot, RedBoot, BareBox, and BusyBox.<\/p>\n There are two ways to analyze firmware: manual and automated.<\/p>\n Manual analysis is time-consuming and not easy.<\/p>\n Automated analysis is easier because it can be performed using open-source tools<\/a> available on GitHub, such as Firmwalker and Binwalk.<\/p>\n For firmware analysis we are using OWASP IoTGoat. Download it from here<\/a>.<\/p>\n After the download, use the Binwalk tool. It is installed by default in Kali; on any other Linux distro, you can get it from GitHub.<\/p>\n To install it, use apt install binwalk.<\/p>\n $ binwalk IoTGoat-raspberry-pi2.img<\/p>\n Some of the most common file systems used in IoT are squashfs, cramfs, JFFS2, yaffs2, and ext2. This IoT firmware image uses the squashfs file system.<\/p>\n Firmware images also use several types of compression. 
As shown below, it uses xz compression. Some common compression methods are LZMA, gzip, Zip, Zlib, xz, and ARJ.<\/p>\n The decimal and hexadecimal offsets reported by binwalk tell us at which byte offset each component starts, and therefore where extraction will begin.<\/p>\n Now we have enough information to begin the analysis.<\/p>\n Let\u2019s extract the image file using binwalk.<\/p>\n $ binwalk -e IoTGoat-raspberry-pi2.img<\/p>\n Change into the extracted directory and search for any sensitive information.<\/p>\n We learn that the username is iotgoatuser.<\/p>\n We also found the password for iotgoatuser; try cracking it using Hydra or John the Ripper.<\/p>\n Navigate to usr\/lib\/lua\/luci\/controller\/iotgoat, where we find some juicy information.<\/p>\n We can also identify the architecture.<\/p>\n You can also automate the search using the Firmwalker tool.<\/p>\n These are a few steps for performing firmware analysis. Explore all the directories and their files to find more sensitive information.<\/p>\n Static analysis looks at the firmware while it is not in operation.<\/p>\n An IoT device, such as a camera, is an embedded system. Inside it are hardware, user applications that interact with it, network communication, and some form of management and storage, all linked into the wider ecosystem. The logic that coordinates all of these is the firmware: it is the core business logic of the device\/product, and for some vendors it is intellectual property (IP).<\/p>\n If an attacker succeeds in finding a vulnerability in the firmware, it could directly or indirectly affect the other parts of the ecosystem.<\/p>\n For example, suppose the firmware is IP for a vendor and someone is able to obtain it. Firmware can be obtained in different ways, either via a hardware attack or by downloading it directly from the vendor\u2019s website. If it is IP, it obviously will not be available on the website. 
So in this case, the firmware has to be obtained from the hardware itself. If an attacker gets hold of the hardware, they can clone the device, which affects the IP. They can also reverse engineer it, which can lead to further exploits, for example through hardcoded sensitive information.<\/p>\n Possible attack scenarios involving firmware (reverse engineering) include<\/strong> the file system, custom binaries, hardcoded sensitive information such as passwords and keys, configuration files, certificates, debugging, hunt and attack, fuzzing, vulnerabilities in binaries leading to RCE, DoS attacks, and patching with backdoors.<\/p>\n Firmware Analysis Tools<\/p>\n Several firmware tools that can analyze firmware images, decompile images, and attach to firmware processes at runtime are Binwalk, Firmwalker, Binary Analysis Tool (BAT), Firmware Analysis Toolkit, and Radare2.<\/p>\n Are your IoT devices safe and ready to tackle the challenges related to:<\/p>\n Quality and performance form the keystone of IoT devices functioning and interconnecting seamlessly. We ensure testing of the end-to-end functionality<\/a> of multiple devices across platforms.<\/p>\n Cigniti\u2019s experience in IoT app Testing as a Service (TaaS), a team of IoT-skilled testers, and a robust IoT testing infrastructure (labs, simulators, test racks, etc.) support real-time testing of Big Data, Compatibility, IoT firmware Security, Performance, Pilot, Regulatory, Reliability, Upgrade, Usability, and smart devices in a dynamic environment (RFID, Sensors).<\/p>\n Need help? Consult our team of IoT Testing experts<\/a> and Security Testing experts<\/a> to learn more about the various facets of IoT Firmware Analysis<\/strong><\/em>.<\/p>\n","protected":false},"excerpt":{"rendered":" Firmware is a code or software on the device that allows and enables the device to perform various tasks. 
The most common architectures for IoT firmware devices are ARM and MIPS. Firmware provides the necessary instructions on how to communicate with hardware. Firmware is held in non-volatile memory devices such as ROM, EPROM, EEPROM, and […]<\/p>\n","protected":false},"author":20,"featured_media":17719,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[739,7],"tags":[4165,1186,3272,4163,2761,3478,2762,4162,4164,2760,3535,1195,1196,2758,202,1198,2625,1201,3537,2137,2589],"ppma_author":[4161],"authors":[{"term_id":4161,"user_id":0,"is_guest":1,"slug":"kurapati-purna-siri","display_name":"Kurapati Purna Siri","avatar_url":{"url":"https:\/\/www.cigniti.com\/blog\/wp-content\/uploads\/Kurapati-Purna-Siri.jpg","url2x":"https:\/\/www.cigniti.com\/blog\/wp-content\/uploads\/Kurapati-Purna-Siri.jpg"},"user_url":"","last_name":"","first_name":"","job_title":"","description":"Have 5+ years of experience and have been actively involved in multiple Security Assessment for services like DAST, SAST and MAST. Currently working as a Security Researcher with Cigniti Technologies and a part of the Security Center of Excellence team. 
Keen in exploring new tools and technologies and fine tuning those as per project requirements."}],"_links":{"self":[{"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/posts\/17217"}],"collection":[{"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/comments?post=17217"}],"version-history":[{"count":0,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/posts\/17217\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/media\/17719"}],"wp:attachment":[{"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/media?parent=17217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/categories?post=17217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/tags?post=17217"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=17217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
What is an IoT Device?<\/h2>\n
OWASP Top 10 IoT Issues<\/h2>\n
Weak, Guessable, or Hardcoded Passwords:<\/strong><\/h3>\n
Insecure Network Services:<\/strong><\/h3>\n
Insecure Ecosystem Interfaces:<\/strong><\/h3>\n
Lack of Secure Update Mechanism:<\/strong><\/h3>\n
Use of Insecure or Outdated Components:<\/strong><\/h3>\n
Inadequate Privacy Protection:<\/strong><\/h3>\n
Insecure Data Transfer and Storage:<\/strong><\/h3>\n
Lack of Device Management:<\/strong><\/h3>\n
Insecure Default Settings:<\/strong><\/h3>\n
What exactly is a bootloader?<\/h2>\n
Why examine the firmware?<\/h2>\n
What can I find by looking at firmware?<\/h3>\n
Methodology:<\/strong><\/h3>\n
Points to look for during Firmware Analysis<\/h2>\n
Static Versus Dynamic Analysis<\/h2>\n
Dynamic analysis looks at the firmware while it is in operation:<\/h3>\n
How to perform Static Analysis:<\/strong><\/h3>\n
How to perform Dynamic Analysis:<\/strong><\/h3>\n
Why Firmware Reverse Engineering<\/h2>\n
Conclusion<\/h2>\n