The Various Facets of IoT Firmware Analysis
Kurapati Purna Siri
Firmware is the code stored on a device that allows the hardware to perform its tasks; it provides the instructions for driving and communicating with the hardware. It is held in non-volatile memory such as ROM, EPROM, EEPROM, or flash and runs directly on the embedded device. The most common processor architectures for IoT devices are ARM and MIPS.
Updates to Firmware: Firmware updates are often pushed to fix bugs, roll out new features, or improve security.
- Can happen automatically
- May need to be done manually
What Is an IOT Device?
An IoT device is a “non-standard” computing device connected to the internet. It usually runs an embedded OS (firmware) and offers some way to interface with it, may carry embedded sensors, and can collect, send, and exchange data.
Examples include security cameras; smart home devices (outlets, light switches, etc.); Raspberry Pis; connected appliances (washers, dryers, ovens, etc.); wireless routers (Linksys, D-Link, ASUS, etc.); wearables (Apple Watch, pedometers, heart monitors); and autonomous agricultural equipment and cars.
OWASP IoT Top 10 issues:
Weak Guessable or Hardcoded Passwords: Using credentials that are quickly brute forced, available to the public, or unchangeable, includes backdoors in firmware or client software that grant unauthorized access to deployed systems.
Insecure Network Services: Unnecessary or insecure network services running on the device, particularly those exposed to the internet, that jeopardize information confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.
Insecure Ecosystem Interfaces: Outside of the device, there are insecure online, backend API, cloud, or mobile interfaces in the ecosystem that allow the device or its linked components to be compromised. A lack of authentication and authorization, a lack of or insufficient encryption, and a lack of input and output filtering are all significant issues.
Lack of Secure Update Mechanism: Inability to update the device securely. This includes a lack of firmware validation on the device, insecure delivery (unencrypted in transit), a lack of anti-rollback mechanisms, and a lack of notifications of security changes caused by updates.
Use of Insecure or Outdated Components: Deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of the operating system platform and the use of third-party software or hardware components sourced from a compromised supply chain.
Inadequate Privacy Protection: Personal data about the user that is stored on the device or in the ecosystem is used insecurely, erroneously, or without permission.
Insecure Data Transfer and Storage: There is no encryption or access control for sensitive data anywhere in the ecosystem, including at rest, in transit, and during processing.
Lack of Device Management: Asset management, update management, secure decommissioning, system monitoring, and reaction capabilities are all lacking on devices that have been put into production.
Insecure Default Settings: Devices or systems shipped with insecure default settings, or that lack the ability to make the system more secure by restricting operators from modifying configurations.
What exactly is a bootloader?
A piece of code or software that runs before any OS is loaded into memory. Bootloaders usually contain several ways to boot the OS kernel and contain commands for debugging and modifying the kernel environment.
Common bootloaders include U-Boot, RedBoot, and Barebox. (BusyBox is often mentioned alongside them, but it is a userspace suite of Unix utilities found in the root filesystem, not a bootloader.)
Why examine the firmware?
- If you can control the firmware, you can control the device.
- Many vulnerabilities found in IoT devices originate here.
- An IoT device can be an easy entry point for an attacker to enter the network.
What can I find by looking at firmware?
- Hardcoded credentials and keys
- Network values such as IP addresses and URLs
- Sensitive information stored without encryption
- Updates delivered without encryption
- Updates not verified before being installed
There are two ways to analyze firmware: manual and automated.
Manual analysis is thorough but time-consuming and not easy.
Automated analysis is easier because it can be done with open-source tools available on GitHub, such as Firmwalker and Binwalk.
Things to look for during firmware analysis (these are also the checks Firmwalker automates):
- /etc/shadow and /etc/passwd
- The contents of the etc/ssl directory
- Script files
- Other .bin files
- Experimental support for querying the Shodan API via the Shodan CLI
- Keywords such as admin, password, remote
- Common web servers used on IoT devices
- SSL-related files such as .pem and .crt
- Configuration files
- Common binaries such as ssh, tftp, dropbear, etc.
- URLs, email addresses, and IP addresses
For firmware analysis we use OWASP IoTGoat, a deliberately vulnerable firmware image. Download the IoTGoat-raspberry-pi2.img image from the OWASP IoTGoat project.
After downloading, use Binwalk, which is installed by default in Kali; on any other Linux distribution you can get it from your package manager or from GitHub.
To install on Debian-based systems: apt install binwalk
$ binwalk IoTGoat-raspberry-pi2.img
The most common filesystems in IoT firmware are squashfs, cramfs, JFFS2, yaffs2, and ext2. This image uses squashfs.
The filesystem is also compressed, and there are several compression methods in use: LZMA, gzip, Zip, Zlib, xz, and ARJ. As shown in the binwalk output, this image uses xz.
The DECIMAL and HEXADECIMAL columns tell us at which byte offset each section starts, which is where extraction of the filesystem has to begin.
So we now have the information needed to start the analysis:
- filesystem – Squashfs
- compression – xz
- address – 29360128
Let’s extract image file using binwalk.
$ binwalk -e IoTGoat-raspberry-pi2.img
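What binwalk is doing for the squashfs case is worth seeing once by hand: find the magic bytes, sanity-check the superblock (decoy "hsqs" strings in padding are common), and report the offset, compression and size so the filesystem can be carved out and handed to unsquashfs. The following is an added example written for this article, not binwalk's own code and not part of IoTGoat; the image it scans is constructed inline (padding, a decoy magic, a real-looking xz superblock, filler), not the IoTGoat image.

```python
"""Locate and carve squashfs filesystems inside a raw firmware image.

Added illustration of the binwalk squashfs signature scan: look for the
magic, sanity-check the superblock, report offset/compression/size.
Not code from binwalk or from OWASP IoTGoat.
"""
import struct

SQUASHFS_MAGIC = b"hsqs"      # little-endian squashfs v4 magic
SUPERBLOCK_LEN = 96           # full v4 superblock size in bytes
# compression_id values defined by the squashfs on-disk format
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
_HDR = struct.Struct("<4sIIIIHHHHHHQQ")   # first 48 bytes of the superblock


def parse_superblock(buf, offset):
    """Return the superblock fields at buf[offset:], or None if they are
    not plausible (a bare 'hsqs' string inside other data, for instance)."""
    if offset + _HDR.size > len(buf):
        return None
    (magic, inode_count, _mod_time, block_size, _frag_count, comp_id,
     block_log, _flags, _id_count, ver_major, ver_minor, _root_inode,
     bytes_used) = _HDR.unpack_from(buf, offset)
    if magic != SQUASHFS_MAGIC or (ver_major, ver_minor) != (4, 0):
        return None
    if comp_id not in COMPRESSORS or not 12 <= block_log <= 20:
        return None
    if block_size != 1 << block_log or bytes_used < SUPERBLOCK_LEN:
        return None
    if offset + bytes_used > len(buf):          # truncated or corrupt image
        return None
    return {"offset": offset, "compression": COMPRESSORS[comp_id],
            "block_size": block_size, "inodes": inode_count,
            "size": bytes_used}


def find_squashfs(buf):
    """Scan a whole image for valid squashfs superblocks (like `binwalk img`)."""
    found, pos = [], 0
    while (pos := buf.find(SQUASHFS_MAGIC, pos)) != -1:
        sb = parse_superblock(buf, pos)
        if sb:
            found.append(sb)
        pos += 1
    return found


def carve(buf, sb):
    """Cut the filesystem out of the image, the equivalent of
    `dd if=img bs=1 skip=<offset> count=<size>` before running unsquashfs."""
    return buf[sb["offset"]:sb["offset"] + sb["size"]]


def build_sample_image(fs_offset=4096, comp_id=4, body=b"\x00" * 200):
    """Constructed test image: padding containing a decoy 'hsqs', then a
    squashfs v4 superblock (xz by default) followed by `body`."""
    hdr = _HDR.pack(SQUASHFS_MAGIC, 3, 1700000000, 1 << 17, 0, comp_id, 17,
                    0, 1, 4, 0, 0, SUPERBLOCK_LEN + len(body))
    sb = hdr + b"\x00" * (SUPERBLOCK_LEN - len(hdr))  # table-start fields unused
    padding = b"\xff" * 100 + b"hsqs" + b"\xff" * (fs_offset - 104)
    return padding + sb + body + b"\xff" * 64           # trailing junk


if __name__ == "__main__":
    image = build_sample_image()
    for sb in find_squashfs(image):
        print(f"offset={sb['offset']} ({sb['offset']:#x}) "
              f"compression={sb['compression']} size={sb['size']} bytes")
        fs = carve(image, sb)
        assert fs[:4] == SQUASHFS_MAGIC and len(fs) == sb["size"]
```

Run against a real image the offset it prints is the one in the binwalk DECIMAL column (29360128, i.e. 0x1C00000, for IoTGoat), and the carved bytes can be written to a file and unpacked with unsquashfs. Note that "size" is the superblock's bytes_used field; vendors usually pad the partition beyond that, so the filesystem being shorter than the gap to the next section is normal.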
Change into the extracted directory (binwalk creates _IoTGoat-raspberry-pi2.img.extracted with the unpacked squashfs-root inside) and search for sensitive information.
From /etc/passwd we learn that there is a user named iotgoatuser.
And /etc/shadow gives us that user's password hash. Crack it offline with John the Ripper (or hashcat); Hydra performs online guessing against a live service, so use it against the running device rather than against the hash.
Navigate to usr/lib/lua/luci/controller/iotgoat, where we find some juicy information.
We can also identify the architecture, for example by running file on a binary such as bin/busybox.
You can also automate the search using Firmwalker tool.
These are the basic steps of firmware analysis. Explore all the directories and their files to find much more sensitive information.
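The checklist earlier in the article and the manual walk through the IoTGoat tree above are the same search, so here is one added example that performs it programmatically in the way Firmwalker does. It is not Firmwalker's code and not from the article; it walks an extracted rootfs and collects credential files and shadow hashes, certificates and keys, config files, common binaries, keyword hits, and URLs/IPs/e-mail addresses. The sample rootfs it builds for the demo is constructed (fake hashes, example.com addresses, stub binaries), not the real IoTGoat filesystem.

```python
"""Firmwalker-style sweep of an extracted root filesystem (added example).

Not the firmwalker project's own code.  The sample rootfs built below is
constructed for the demo: fake hashes, example.com addresses, stub ELFs.
"""
import os
import re
import shutil
import tempfile

CREDENTIAL_FILES = {"passwd", "shadow", "authorized_keys", "id_rsa", "id_dsa"}
CERT_KEY_EXTS = (".pem", ".crt", ".cer", ".p12", ".key")
CONFIG_EXTS = (".conf", ".cfg", ".ini")
COMMON_BINARIES = {"ssh", "sshd", "dropbear", "tftp", "telnetd", "busybox",
                   "httpd", "lighttpd", "uhttpd"}
KEYWORDS = ("admin", "password", "remote")
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
IP_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")
SHADOW_RE = re.compile(rb"^([^:\n]+):(\$[^:\n]+):", re.M)  # entries with a hash


def scan_rootfs(root):
    """Return a dict of findings keyed like the checklist; paths are relative."""
    hits = {"credential_files": [], "shadow_hashes": [], "certs_and_keys": [],
            "configs": [], "binaries": [], "keywords": [],
            "urls": set(), "ips": set(), "emails": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                 # skip BusyBox applet symlink forests
            rel = os.path.relpath(path, root)
            if name in CREDENTIAL_FILES:
                hits["credential_files"].append(rel)
            if name.endswith(CERT_KEY_EXTS):
                hits["certs_and_keys"].append(rel)
            if name.endswith(CONFIG_EXTS):
                hits["configs"].append(rel)
            if name in COMMON_BINARIES:
                hits["binaries"].append(rel)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4 * 1024 * 1024)   # cap per-file read
            except OSError:
                continue
            if name == "shadow":
                hits["shadow_hashes"] += [(u.decode(), h.decode())
                                          for u, h in SHADOW_RE.findall(data)]
            low = data.lower()
            hits["keywords"] += [(rel, kw) for kw in KEYWORDS if kw.encode() in low]
            hits["urls"].update(m.decode() for m in URL_RE.findall(data))
            hits["ips"].update(m.decode() for m in IP_RE.findall(data))
            hits["emails"].update(m.decode() for m in EMAIL_RE.findall(data))
    return hits


def build_sample_rootfs():
    """Constructed squashfs-root lookalike; returns its path (caller removes)."""
    root = tempfile.mkdtemp(prefix="squashfs-root-")
    files = {
        "etc/passwd": b"root:x:0:0:root:/root:/bin/ash\n"
                      b"iotgoatuser:x:1000:1000::/home/iotgoatuser:/bin/ash\n",
        # fake hashes, constructed for the demo
        "etc/shadow": b"root:$1$abc$FAKEHASHFORDEMO:18000:0:99999:7:::\n"
                      b"iotgoatuser:$1$xyz$ANOTHERFAKEHASH:18000:0:99999:7:::\n"
                      b"daemon:*:18000:0:99999:7:::\n",
        "etc/ssl/certs/device.pem": b"-----BEGIN CERTIFICATE-----\nMIIBsample\n"
                                    b"-----END CERTIFICATE-----\n",
        "etc/lighttpd/lighttpd.conf": b"server.document-root = \"/www\"\n"
                                      b"# firmware from http://updates.example.com/fw.bin\n",
        "etc/config/network": b"option ipaddr '192.168.1.1'\noption proto 'static'\n",
        "usr/lib/lua/luci/controller/iotgoat/iotgoat.lua":
            b"entry({\"admin\", \"iotgoat\"}, firstchild())\n-- contact support@example.com\n",
        "bin/busybox": b"\x7fELF\x01\x02" + b"\x00" * 32 + b"BusyBox v1.30.1\x00password\x00",
        "usr/sbin/dropbear": b"\x7fELF\x01\x01" + b"\x00" * 32,
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Build the sample rootfs, scan it, clean up, and return the findings."""
    root = build_sample_rootfs()
    try:
        return scan_rootfs(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {sorted(val)}")
```

Point scan_rootfs at the squashfs-root directory that binwalk produced. The shadow entries it returns are what you feed to John the Ripper; the keyword hits are noisy by design (every BusyBox build contains the string "password"), so treat them as places to read, not as findings in themselves.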
Static Versus Dynamic Analysis:
Static analysis looks at the firmware while it is not running:
- Analyze the filesystem
- Inspect the bootloader
- Look for “hard-coded” items
- Use tools such as Binwalk, Firmwalker, etc.
Dynamic analysis looks at the firmware while it is running:
- Requires the device to be powered on and accessible
- Alternatively, the IoT device can be virtualized (Firmadyne, for example, emulates the firmware in QEMU)
- Use pentest-type tools such as nmap, Metasploit, etc.
How to perform Static Analysis:
- Get the firmware
- Extract the filesystem (binwalk)
- Uncompress the filesystem and its components if needed
- Look for common issues within the filesystem such as passwords, IPs, keys, etc. (firmwalker)
- Look at the various binaries present in the firmware and analyze them to identify vulnerabilities
- Check the version of common binaries such as BusyBox and see whether a public exploit exists for that version
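Two of the steps above, identifying the architecture and pinning down the BusyBox version, are usually done with file and strings; the added example below does the same by reading the ELF header and searching for the banner BusyBox embeds in every build, so the result is machine-readable. This is not code from the article or from any tool it names. The ELF bytes it builds for the demo are a constructed header with no real code, not a real IoTGoat binary.

```python
"""Architecture and BusyBox version of a firmware binary (added example).

Does by hand what `file bin/busybox` and `strings bin/busybox | grep
'BusyBox v'` do.  Not code from the article or from any tool it names;
the ELF bytes built for the demo are a constructed header, no real code.
"""
import re
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification, the subset common in IoT
MACHINES = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
            0x2a: "SuperH", 0x3e: "x86-64", 0xb7: "AArch64", 0xf3: "RISC-V"}
BUSYBOX_RE = re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)")


def identify_elf(data):
    """Return bits/endianness/machine/type from the ELF header, or None."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    bits = {1: 32, 2: 64}.get(data[4])              # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])   # EI_DATA
    if bits is None or endian is None:
        return None
    prefix = "<" if endian == "little" else ">"
    e_type, e_machine = struct.unpack_from(prefix + "HH", data, 16)
    return {"bits": bits, "endian": endian,
            "machine": MACHINES.get(e_machine, f"unknown({e_machine:#x})"),
            "type": {1: "REL", 2: "EXEC", 3: "DYN"}.get(e_type, "other")}


def busybox_version(data):
    """Version string from the 'BusyBox vX.Y.Z' banner, or None."""
    m = BUSYBOX_RE.search(data)
    return m.group(1).decode() if m else None


def describe(data):
    """Combine both checks: this is what you need to pick the right QEMU
    system (mips vs mipsel vs arm) and to search for known CVEs."""
    info = identify_elf(data)
    if info is not None:
        info["busybox"] = busybox_version(data)
    return info


def build_sample_elf(machine=0x08, endian="big", bits=32,
                     banner=b"BusyBox v1.30.1 (2020-01-01 00:00:00 UTC) multi-call binary."):
    """Constructed ELF header plus banner; enough for the checks above."""
    e_ident = (ELF_MAGIC + bytes([1 if bits == 32 else 2,
                                  1 if endian == "little" else 2, 1])
               + b"\x00" * 9)                                   # 16-byte e_ident
    prefix = "<" if endian == "little" else ">"
    header = e_ident + struct.pack(prefix + "HH", 2, machine)   # ET_EXEC, machine
    return header + b"\x00" * 108 + banner + b"\x00"


if __name__ == "__main__":
    print(describe(build_sample_elf()))                               # big-endian MIPS
    print(describe(build_sample_elf(machine=0x28, endian="little")))  # ARM
```

Endianness matters as much as the machine type: a MIPS rootfs will only run under qemu-system-mips if it is big-endian and under qemu-system-mipsel if it is little-endian, which is why the ELF header is worth reading before attempting the dynamic analysis steps below.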
How to perform Dynamic Analysis:
- Get the firmware running, either on the physical device or virtualized in QEMU
- Use pen-testing tools such as tcpdump and netcat
- Try default credentials
- Research the device on Google and Shodan
Why Firmware Reverse Engineering:
An IoT device is built around hardware such as a camera, with user-facing applications, network connectivity, and often some form of management and storage in the cloud; all of these are linked into one ecosystem. The logic that ties them together is the firmware. It holds the core business logic of the device/product, and for some vendors it is intellectual property (IP).
If an attacker finds a vulnerability in the firmware, it can directly or indirectly affect the other parts of the ecosystem.
Consider firmware that a vendor treats as IP. An attacker can obtain it in several ways: by downloading it from the vendor’s website, or, when it is not published there, through hardware hacking (for example reading it out of the device’s flash chip). With the hardware in hand, an attacker can clone the device, which damages the IP, or reverse engineer the firmware to find exploitable weaknesses such as hardcoded credentials.
Possible attack scenarios enabled by firmware reverse engineering include:
- Analysis of the filesystem
- Analysis of custom binaries
- Hardcoded sensitive information such as passwords and keys
- Configuration files
- Certificates
- Debugging, bug hunting, and attacking
- Fuzzing
- Vulnerabilities in binaries leading to RCE
- DoS attacks
- Patching the firmware with backdoors
Several firmware software tools that can analyze firmware images, decompile images, and attach to firmware processes during runtime are Binwalk, Firmwalker, Binary Analysis Tool (BAT), Firmware Analysis Toolkit, and Radare2.
Are your IoT devices safe and ready to tackle the challenges related to:
- Data security
- Security threats
- Access management
- 3rd-party data sharing
- Compliance requirements
- Hardware challenges
- Integration management
Quality and Performance form the keystone of IoT devices to function and interconnect seamlessly. We ensure testing of the end-to-end functionality of multiple devices across platforms.
Cigniti’s experience in IoT app Testing as a Service (TaaS), a team of IoT-skilled testers, and a robust IoT testing infrastructure (labs, simulators, test racks, etc.) support real-time testing of Big Data, Compatibility, IoT Security, Performance, Pilot, Regulatory, Reliability, Upgrade, Usability, and smart devices in a dynamic environment (RFID, Sensors).