Blog by Cigniti Technologies

The Various Facets of IoT Firmware Analysis


Firmware is the code or software on a device that enables it to perform its various tasks. The most common architectures for IoT devices are ARM and MIPS.

Firmware provides the necessary instructions for communicating with the hardware. It is held in non-volatile memory such as ROM, EPROM, and EEPROM, and it is the code that runs directly on the embedded device.

Updates to Firmware: Firmware updates are often pushed to fix bugs, roll out new features, or improve security.

What Is an IoT Device?

A “non-standard” device linked to the internet is referred to as an IoT device. Such devices usually contain an embedded OS (firmware) and some way to interface with them; they may have embedded sensors and can send, collect, and exchange data.

Examples include security cameras; smart home devices such as outlets and light switches; Raspberry Pis; connected appliances such as washers, dryers, and ovens; wireless routers from Linksys, D-Link, ASUS, and others; wearables such as the Apple Watch, pedometers, and heart monitors; and autonomous agricultural equipment and cars.

OWASP Top 10 IoT Issues:

Weak, Guessable, or Hardcoded Passwords: Using credentials that are easily brute forced, publicly available, or unchangeable, including backdoors in firmware or client software that grant unauthorized access to deployed systems.

Insecure Network Services: Unnecessary or insecure network services running on the device, particularly those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information, or allow unauthorized remote control.

Insecure Ecosystem Interfaces: Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside the device that allow the device or its related components to be compromised. A lack of authentication and authorization, a lack of or weak encryption, and a lack of input and output filtering are all significant issues.

Lack of Secure Update Mechanism: Inability to update the device securely. This includes a lack of firmware certification on the device, insecure delivery (unencrypted in transit), a lack of anti-rollback mechanisms, and a lack of notifications of security changes caused by updates.

Use of Insecure or Outdated Components: Deprecated or insecure software components/libraries that may allow the device to be compromised. This includes insecure customization of the operating system platform and the use of third-party software or hardware components sourced from a compromised supply chain.

Inadequate Privacy Protection: Personal data about the user that is stored on the device or in the ecosystem is used insecurely, erroneously, or without permission.

Insecure Data Transfer and Storage: There is no encryption or access control for sensitive data anywhere in the ecosystem, including at rest, in transit, and during processing.

Lack of Device Management: Devices deployed in production lack asset management, update management, secure decommissioning, system monitoring, and response capabilities.

Insecure Default Settings: Devices or systems that ship with insecure default settings, or that lack the ability to make the system more secure by restricting operators from modifying configurations.

What exactly is a bootloader?

A bootloader is a piece of code or software that runs before any OS is loaded into memory. Bootloaders usually offer several ways to boot the OS kernel and contain commands for debugging and modifying the kernel environment.

Some of the common bootloaders include U-Boot, RedBoot, BareBox, and BusyBox.

Why examine the firmware?

What can I find by looking at firmware?

Methodology:

There are two ways to analyze firmware: manual and automated.

Manual analysis is time consuming and not easy.

Automated analysis is easier because it can be performed with open-source tools available on GitHub, such as Firmwalker and Binwalk.

The following points are what we look for during firmware analysis:

For firmware analysis we are using OWASP IoTGoat. Download it from

https://github.com/OWASP/IoTGoat/releases

After downloading, use the Binwalk tool, which is installed by default in Kali; on any other Linux distro you can get it from GitHub.

To install it, use: apt install binwalk

$ binwalk IoTGoat-raspberry-pi2.img

Some of the most common file systems used in IoT are squashfs, cramfs, JFFS2, yaffs2, and ext2. This IoT firmware uses the squashfs file system.

Firmware images also use various compression methods, such as LZMA, gzip, Zip, Zlib, xz, and ARJ. As shown below, this image uses xz compression.

The offset column in the binwalk output tells us at which offset each component begins, and therefore where extraction starts.

So we now have some information with which to begin the analysis.

Let’s extract the image file using binwalk.

$ binwalk -e IoTGoat-raspberry-pi2.img

Change into the extracted directory and search for sensitive information.

We find that the username is iotgoatuser.

We also find the password entry for iotgoatuser, which can be cracked using tools such as Hydra or John the Ripper.

Navigate to usr/lib/lua/luci/controller/iotgoat, where we find some juicy information.

We can also identify the architecture.

You can also automate the search using the Firmwalker tool.

These are a few of the steps of firmware analysis. Explore all the directories and their files to find a lot more sensitive information.
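As an added example that is not part of the original post, IoTGoat, Binwalk or Firmwalker, the following Python script automates the manual steps above on an extracted root directory: it classifies the accounts in etc/shadow (empty, locked or hashed), locates private-key files, and reads the architecture from the ELF header of every binary. The sample root it builds is constructed placeholder data (the hash, key and ELF header are not IoTGoat's).

```python
import os, re, struct, tempfile
from collections import Counter

ELF_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")

def elf_arch(path):
    """Architecture from the ELF header (magic, class, endianness, e_machine), else None."""
    with open(path, "rb") as f:
        hdr = f.read(20)
    if len(hdr) < 20 or hdr[:4] != b"\x7fELF":
        return None
    endian = "<" if hdr[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    (machine,) = struct.unpack(endian + "H", hdr[18:20])
    return "%s %s %s" % (ELF_MACHINES.get(machine, hex(machine)),
                         "64-bit" if hdr[4] == 2 else "32-bit", "LE" if endian == "<" else "BE")

def shadow_accounts(rootfs):
    """Map each etc/shadow user to 'empty' (no password), 'locked', or 'hashed:<prefix>'."""
    accounts, shadow = {}, os.path.join(rootfs, "etc", "shadow")
    for line in (open(shadow).read().splitlines() if os.path.isfile(shadow) else []):
        user, _, rest = line.partition(":")
        pw = rest.split(":")[0]  # second field is the password hash
        if user: accounts[user] = "empty" if not pw else "locked" if pw[0] in "!*" else "hashed:" + pw[:3]
    return accounts

def triage(rootfs):
    """Walk the tree once: account states, private-key files, and ELF architectures."""
    keys, archs = [], Counter()
    for d, _, files in os.walk(rootfs):
        for p in (os.path.join(d, n) for n in files):
            if os.path.islink(p) or not os.path.isfile(p): continue
            arch = elf_arch(p)
            if arch:
                archs[arch] += 1
            elif os.path.getsize(p) < 65536 and KEY_RE.search(open(p, "rb").read()):
                keys.append(os.path.relpath(p, rootfs))
    return {"accounts": shadow_accounts(rootfs), "private_keys": sorted(keys), "archs": dict(archs)}

def build_sample_rootfs():
    """Constructed mini root for a dry run: placeholder hash, key, and a 32-bit LE ARM ELF header."""
    root = tempfile.mkdtemp()
    files = {"etc/shadow": b"root::0:0:99999:7:::\niotgoatuser:$1$PLACEHOLDER:0:0:99999:7:::\n",
             "etc/dropbear/key.pem": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
             "bin/busybox": b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 + b"\x02\x00\x28\x00" + b"\x00" * 16}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "wb").write(data)
    return root
```

Run triage() on the directory binwalk -e produced (the squashfs-root folder) to get the same report for a real image.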

Static Versus Dynamic Analysis:

Static analysis looks at the firmware while it is not running.

Dynamic analysis looks at it while it is running.

How to perform Static Analysis:

How to perform Dynamic Analysis:

Why Firmware Reverse Engineering:

An IoT device contains hardware such as cameras. All such embedded systems contain hardware, user applications to interact with, network communication, and some form of management and storage, and they are fully linked into the ecosystem. The logic that moderates all of this is the firmware: it is the core business logic of the device or product, and for some vendors it is intellectual property (IP).

If an attacker is successful in finding any vulnerability in the firmware, it could directly or indirectly affect the other parts of the ecosystem.

For example, suppose the firmware is IP for some vendor and someone is able to obtain it. Firmware can be obtained in different ways: via a hardware attack, or by downloading it directly from the vendor’s website. If it is IP, it obviously will not be available on the website, so in that case one has to resort to hardware hacking. One consequence is that with the hardware in hand, the device can be cloned, which affects the IP. Another is that the hardware can be reverse engineered, which can lead to further exploits, for example through hardcoded secrets.

Possible attack scenarios arising from firmware reverse engineering include the file system, custom binaries, hardcoded sensitive information such as passwords and keys, configuration files, certificates, debugging, hunting and attacking, fuzzing, vulnerabilities in binaries leading to RCE, DoS attacks, and patching the firmware with backdoors.

Firmware Tools:

Several firmware tools that can analyze firmware images, decompile them, and attach to firmware processes at runtime include Binwalk, Firmwalker, the Binary Analysis Tool (BAT), the Firmware Analysis Toolkit, and Radare2.

Conclusion

Are your IoT devices safe and ready to tackle the challenges related to:

Quality and performance are the keystones of IoT devices functioning and interconnecting seamlessly. We ensure testing of the end-to-end functionality of multiple devices across platforms.

Cigniti’s experience in IoT app Testing as a Service (TaaS), a team of IoT-skilled testers, and a robust IoT testing infrastructure (labs, simulators, test racks, etc.) support real-time testing of Big Data, Compatibility, IoT Security, Performance, Pilot, Regulatory, Reliability, Upgrade, Usability, and smart devices in a dynamic environment (RFID, Sensors).

Need help? Consult our team of IoT Testing experts and Security Testing experts to learn more about the various facets of IoT Firmware Analysis.

Author

  • Has 5+ years of experience and has been actively involved in multiple security assessments for services like DAST, SAST, and MAST. Currently working as a Security Researcher with Cigniti Technologies and part of the Security Center of Excellence team. Keen on exploring new tools and technologies and fine-tuning them as per project requirements.
