With the rapid increase in IoT devices, the concern towards IoT security is also increasing. According to Gartner, there would be more than 20 billion active IoT devices by 2025.
IoT devices generate an ample amount of data that may contain crucial personal data as well. As most of the devices are under consumers control, so, there is every possibility of devices being exposed to malicious attackers.
IoT devices are always vulnerable to unauthorized physical and internet access. Thus, firmware plays a vital role in IoT.
Any IoT device interacting with the firmware consists of actual code that operates the IoT device.
According to the list of Top 10 IoT Security Vulnerabilities by OWASP. Insecure Software, Firmware as well as inadequate Physical Security are the top reasons making IoT devices vulnerable.
This White Paper aims to provide various ways to extract the file system from the firmware and analyze the binaries of vulnerabilities.
IoT Penetration Testing
The exploitation of various components of an IoT device is called IoT Penetration Testing. It also includes providing a solution to increase the security of the device.
To perform an IoT penetration test pen tester needs to understand the scope of the pen test, constraints, and its limitations. The penetration testing conditions vary from product to product.
Prior to the test, an IoT pen tester needs to collect the workflow of the device and the evaluation report of the product.
As we know, the Internet of Things is a big picture on its own. Thus, security vulnerabilities may be present at different layers of the IoT model, which needs to be addressed to create a secure product.
From the above figure, it’s clear that the firmware is the backbone of IoT devices. So, it’s necessary to extract the firmware without affecting the device functionality.
Before getting deep into the firmware, the proposed approach is to go through the following details:
- Hardware Overview and Analysis
- Extraction of Firmware
- File System type
- Compression and Encryption
- Firmware Analysis
- Firmware Emulation
Hardware Overview and Analysis
The first step is to understand the device and collect information with the help of manuals, documentation, online resources, etc.
Have an overlook and get the flow diagram and PCB layout of the IoT devices.
Check the controller used in the IoT devices, and with the help of pinout get information about UART, I2C, SPI, JTAG usability.
Go through the vulnerabilities present in the controller. Test the open ports of devices and collect information about the internal and external storage devices. With the help of datasheet get the pinout controller, EEPROM, etc.
Extraction of Firmware
The extraction of firmware from an IoT device is a major hurdle.
There are different methods to extract the firmware from the device. Below are the different ways to get the firmware binary.
- Getting online through the vendor’s site.
- Sniffing OTA while the device is performing the updates.
- Extracting firmware from the device.
- Reverse Application, i.e., getting access to the firmware using the web and mobile applications.
Capturing firmware during updates is not a uniform process and is constrained to be device-specific.
Extracting firmware through JTAG, USB, ICSP is another way to obtain the firmware. In the case of block debug, interface firmware extraction can be done using flash chip dump.
File System Types
The core components of any firmware are bootloader, a kernel image, and a file system. The common type of file systems encountered in IoT devices are listed below:
The complete list of the file system is available at http://elinux.org/File_Systems.
Linux command $ file filesystem.bin can be used to know the filesystem type.
Compression and Encryption
In embedded devices, file systems are compressed to save space. Various types of compressions used for IoT devices are listed below:
- ARJ, etc.
Bootloader sets up the entire system and loads the kernel. Bootloader provides early initialization and is responsible for initializing the board.
Accessing a bootloader with further changes helps to get root access to the device if the bootloader is present.
Firmware Analysis Tools are used to analyze the firmware and read its content, and IoT firmware is repeatedly encrypted with XOR or AES.
Performing hexdump if it results recurring strings it’s indication of XOR encryption.
Linux tool such as $ hexdump -c firmware.bin | grep -i shsq can be used on the firmware to know the starting address of firmware.
Tools such as unsquashfs can be used to reveal the file system content. Another tool dd can be used to dump the file system from binary image.
In Linux further utilities such as head, strings can reveal insightful information about the firmware version, operating system, and bootloader.
Analyzing interesting binaries through disassembly can also be done. Tools such as objdump, IDA, online disassembler, radre2, hopper, etc. can be used to read the bin files or object files. We can also identify the instruction set and architecture of firmware from the mentioned above tools.
Reverse Engineering Tools
Binwalk, is a simple linux tool for analyzing binary files for embedded files and executable code. It is mostly used to extract the content of firmware images.
Firmwalker is another automated tool for the analysis of firmware. It searches for various contents such as passwd, shadow, SSL directory, script files, keywords, emails, URL, IP, etc.
AttifyOS is a penetration testing distro for security professionals to assess the security of IoT devices. It includes various tools for embedded, firmware, software and radio.
Firmware Analysis Toolkit is used to identify and analyze vulnerabilities in IoT and embedded devices.
Firmware emulation fulfills the purpose of exploitation, remote debugging, analyzing the firmware, etc. Without having a physical IoT device, we can emulate a firmware and interact with it. Qemu can be used to emulate the binaries.
By – Surendra Hingane & Swapnil Naik