Pointers for Secure IoT Firmware Analysis & Testing


This article is drawn from the Firmware Analysis Project, which provides:

  • Security testing guidance for vulnerabilities in the “Device Firmware” attack surface.
  • Steps for extracting file systems from various firmware files.
  • Guidance on searching a file system for sensitive or interesting data.
  • Information on static analysis of firmware contents.
  • Information on dynamic analysis of emulated services. (e.g. web admin interface)
  • Testing tool links
  • A site for pulling together existing information on firmware analysis

Device Firmware Vulnerabilities

Usual suspect points:

  • Out-of-date core components
  • Unsupported core components
  • Expired and/or self-signed certificates
  • Same certificate used on multiple devices
  • Admin web interface concerns
  • Hardcoded or easy to guess credentials
  • Sensitive information disclosure
  • Sensitive URL disclosure
  • Encryption key exposure
  • Backdoor accounts
  • Vulnerable services (web, ssh, tftp, etc.)

Recommendations

  • Ensure that supported and up-to-date software is used by developers.
  • Ensure that robust update mechanisms are in place for devices.
  • Ensure that certificates are not duplicated across devices and product lines.
  • Develop a mechanism to ensure a new certificate is installed when old ones expire.
  • Disable deprecated SSL versions.
  • Ensure developers do not code in easy to guess or common admin passwords.
  • Ensure services such as SSH have a secure password created.
  • Develop a mechanism that requires the user to create a secure admin password during initial device setup.
  • Ensure developers do not hard code passwords or hashes.
  • Have source code reviewed by a third party before releasing device to production.
  • Ensure industry standard encryption or strong hashing is used.

Device Firmware Analysis Guidance:

  • The following analysis practices should be established to avoid and minimize the risk of device firmware vulnerabilities:
    • Firmware file analysis
    • Firmware extraction
    • Dynamic binary analysis
    • Static binary analysis
    • Static code analysis
    • Firmware emulation
    • File system analysis

Device Firmware Tools

  • Firmwalker
    • A simple bash script for searching the extracted or mounted firmware file system.
  • Firmware Modification Kit
    • This kit is a collection of scripts and utilities to extract and rebuild linux based firmware images.
  • Angr binary analysis framework
    • angr is a platform-agnostic binary analysis framework.
    • a suite of Python 3 libraries that let you load a binary and do a lot of cool things to it:
      • Disassembly and intermediate-representation lifting
      • Program instrumentation
      • Symbolic execution
      • Control-flow analysis
      • Data-dependency analysis
      • Value-set analysis (VSA)
      • Decompilation
  • Binwalk firmware analysis tool
    • Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
  • Binary Analysis Tool
    • The Binary Analysis Tool (BAT) makes it easier and cheaper to look inside binary code, find compliance issues, and reduce uncertainty when deploying Free and Open Source Software.
    • binaryanalysis-ng(BANG)
      • Binary Analysis Next Generation (BANG)
      • BANG is a framework for processing binary files (like firmware). It consists of an unpacker that recursively unpacks and classifies/labels files and separate analysis programs that work on the results of the unpacker.
  • Firmadyne
    • FIRMADYNE is an automated and scalable system for performing emulation and dynamic analysis of Linux-based embedded firmware.
  • Firmware Analysis Comparison Toolkit
  • ByteSweep
    • A Free Software IoT Firmware Security Analysis Tool
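As an added example (not code from this page, from Firmwalker or from any other tool listed above), the script below performs the kind of sweep Firmwalker automates over an extracted firmware root, checking for three of the "usual suspects" named earlier: weak or empty password hashes in /etc/shadow, private keys left in the image, and hardcoded credentials in scripts. The sample root it builds is constructed for the demonstration; its paths and contents are assumptions, and `report` can be pointed at a real extracted rootfs instead.

```shell
#!/usr/bin/env bash
# Added example (not Firmwalker's own code): a Firmwalker-style sweep of an
# extracted firmware root for the "usual suspects" listed above. The sample
# root built by make_sample_root is constructed here; nothing in it comes from
# a real device.
set -u

# Build a small constructed firmware root in a temp dir and print its path.
make_sample_root() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/etc/ssl" "$root/www/cgi-bin"
  # /etc/shadow: a traditional DES-crypt hash (weak), an empty password, a locked account
  printf '%s\n' 'root:abJnggxhB/yWI:0:0:99999:7:::' \
                'admin::0:0:99999:7:::' \
                'nobody:*:0:0:99999:7:::' > "$root/etc/shadow"
  # A private key shipped inside the image (constructed placeholder body)
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE-constructed-placeholder' \
                '-----END RSA PRIVATE KEY-----' > "$root/etc/ssl/server.key"
  # A CGI script with a hardcoded admin password
  printf '%s\n' '#!/bin/sh' 'PASSWORD="admin123"' > "$root/www/cgi-bin/login.sh"
  echo "$root"
}

# Accounts whose hash is empty, or is not locked (*/!) and has no $id$ prefix
# (i.e. legacy DES crypt, which is trivially brute-forceable).
count_weak_shadow() {
  [ -f "$1/etc/shadow" ] || { echo 0; return; }
  awk -F: '$2 == "" || ($2 !~ /^[*!]/ && $2 !~ /^\$/) { n++ } END { print n + 0 }' "$1/etc/shadow"
}

# Files containing a PEM private key block.
count_private_keys() {
  grep -rl -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Files assigning a literal password to a variable (shell, PHP, Lua, etc.).
count_hardcoded_passwords() {
  grep -rlE -e '(PASSWORD|passwd|password)[[:space:]]*=[[:space:]]*"[^"]+"' "$1" 2>/dev/null \
    | wc -l | tr -d ' '
}

# Print a short report; pass the path of a real extracted rootfs to use it instead.
report() {
  printf 'weak or empty shadow hashes:    %s\n' "$(count_weak_shadow "$1")"
  printf 'files with private keys:        %s\n' "$(count_private_keys "$1")"
  printf 'files with hardcoded passwords: %s\n' "$(count_hardcoded_passwords "$1")"
}

sample=$(make_sample_root)
report "$sample"
rm -rf "$sample"
```

Each finding maps back to a recommendation above (no hardcoded passwords or hashes, no duplicated or exposed keys, strong hashing), so the counts double as a release gate for a firmware build.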

Vulnerable Firmware

  • (for testing, analysis and study purposes)
    • Damn Vulnerable Router Firmware
    • OWASP IoTGoat
      • The IoTGoat Project is a deliberately insecure firmware based on OpenWrt and maintained by OWASP to educate users how to test for the most common vulnerabilities found in IoT devices.
References: