Firmware Analysis for IoT Devices

  • November 14, 2021
  • By Cyberarch Admin

Firmware Analysis – IoT

The Internet of Things (IoT) is the next big thing. Many IoT devices are now being introduced into the market that collect data and share it in the cloud. Any modern device we use interacts with its firmware. Firmware is the code on the device that enables it to perform the tasks it needs to function; simply put, firmware is software programmed onto a hardware device. In this tutorial we will therefore focus on firmware analysis at different levels, such as extracting the firmware and binary analysis. We will give an overview of ARM and MIPS, the most common architectures for IoT devices, and also look at components such as file system types, compression, encryption and bootloaders.

Methodology

Like any other analysis, firmware analysis can be done in two ways: manual and automated. A complete manual analysis is not easy, as it is time consuming, which is why we go for automated analysis of firmware. For automated analysis there are many tools available, such as Firmwalker, FACT (Firmware Analysis and Comparison Tool), Firmware Analysis Toolkit, etc. As listed by infosecinstitute, these tools usually:

  • Check /etc/shadow and /etc/passwd
  • List out the /etc/ssl directory
  • Search for SSL related files such as .pem, .crt, etc.
  • Search for configuration files
  • Look for script files
  • Search for other .bin files
  • Look for keywords such as admin, password, remote, etc.
  • Search for common web servers used on IoT devices
  • Search for common binaries such as ssh, tftp, dropbear, etc.
  • Search for URLs, email addresses, and IP addresses
  • Experimental support for making calls to the Shodan API using the Shodan CLI

To do IoT firmware analysis, the first thing to do is download the firmware from the vendor’s official site or from GitHub. Then extract the firmware, which comes bundled or compressed in different formats such as bin, zip, gzip, tar, etc.

IoT Firmware Analysis – Step by step

For firmware analysis we are going to use IoTGoat from OWASP. Download the firmware from https://github.com/OWASP/IoTGoat/releases.

Once the image file is downloaded, let’s start analysing it using the binwalk tool, which is already present in Kali Linux. To do so, type this command:

# binwalk IoTGoat-raspberry-pi2.img

At the end of the output you can notice that this firmware uses the Squashfs file system. For reference, here are some of the common file systems found on IoT devices:

  • squashfs
  • cramfs
  • JFFS2
  • yaffs2
  • ext2

Just as there are different file systems, there are various compression methods used for them. IoTGoat uses the xz compression method. Common ones include:

  • LZMA
  • gzip
  • Zip
  • Zlib
  • xz
  • ARJ

Next to the file system, you see the words “little endian”. Little endian and big endian are the two ways of storing multibyte data types. In big endian machines, the first (most significant) byte of the data representation of the multibyte data type is stored first.

In little endian machines, the last (least significant) byte of the data representation of the multibyte data type is stored first.

So, to summarise, we learned the following from our initial analysis:

  • filesystem – Squashfs
  • compression – xz
  • address – 29360128

Knowing the address tells us the byte offset at which the file system starts, and therefore where extraction should begin, which in our case is 29360128.

So, to extract the file system from the .img file and save it as a .bin file, we use the command below:

# dd if=IoTGoat-raspberry-pi2.img bs=1 skip=29360128 of=iotgoat.bin

“if” represents the input file, and “of” represents the output file.

“bs” specifies the block size for both the input and output files, and “skip” skips that many blocks of the input (here single bytes) before copying starts.
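To make the offset, endianness and compression fields of the binwalk output concrete, here is an added Python example (not from the original post): it scans a raw image for Squashfs superblocks the way binwalk’s signature scan does, reads the endianness and compressor out of the superblock, and carves the file system the same way the dd command above does. The image it scans is a constructed sample, and its 4096-byte offset stands in for the 29360128 seen on IoTGoat.

```python
import struct

# Squashfs v4 superblock fields after the 4-byte magic (little- or big-endian):
# inodes, mkfs_time, block_size, fragments, compressor, block_log, flags,
# no_ids, s_major, s_minor, root_inode, bytes_used
SB_FORMAT = "IIIIHHHHHHQQ"
SB_SIZE = 4 + struct.calcsize("<" + SB_FORMAT)  # 48 bytes
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
# The magic 0x73717368 reads "hsqs" in little-endian images and "sqsh" in big-endian ones.
MAGICS = {b"hsqs": ("<", "little"), b"sqsh": (">", "big")}

def find_squashfs(image: bytes) -> list:
    """Scan a raw firmware image for Squashfs superblocks, as binwalk's signature scan does."""
    hits = []
    for magic, (fmt, endian_name) in MAGICS.items():
        pos = image.find(magic)
        while pos != -1:
            hdr = image[pos + 4:pos + SB_SIZE]
            if len(hdr) == SB_SIZE - 4:
                f = struct.unpack(fmt + SB_FORMAT, hdr)
                block_size, comp, block_log, major = f[2], f[4], f[5], f[8]
                # Reject stray "hsqs" strings: require v4, a sane block size and a known compressor.
                if (major == 4 and 12 <= block_log <= 20 and block_size == 1 << block_log
                        and comp in COMPRESSORS):
                    hits.append({"offset": pos, "endianness": endian_name,
                                 "compression": COMPRESSORS[comp], "bytes_used": f[11]})
            pos = image.find(magic, pos + 1)
    return hits

def carve(image: bytes, offset: int, length: int) -> bytes:
    """Same effect as `dd if=image bs=1 skip=<offset>`, but stopping at the superblock's bytes_used."""
    return image[offset:offset + length]

def build_sample_image(offset: int = 4096, comp: int = 4, big_endian: bool = False) -> bytes:
    """Constructed sample: filler bytes, then a fake Squashfs superblock plus 128 payload bytes."""
    fmt, magic = (">", b"sqsh") if big_endian else ("<", b"hsqs")
    payload = b"\x00" * 128
    block_log = 17  # 128 KiB blocks
    sb = magic + struct.pack(fmt + SB_FORMAT, 10, 0, 1 << block_log, 0, comp, block_log,
                             0, 1, 4, 0, 0, SB_SIZE + len(payload))
    return b"\xff" * offset + sb + payload + b"\xff" * 64

if __name__ == "__main__":
    img = build_sample_image()
    for hit in find_squashfs(img):
        print(hit)  # {'offset': 4096, 'endianness': 'little', 'compression': 'xz', 'bytes_used': 176}
        print(len(carve(img, hit["offset"], hit["bytes_used"])), "bytes carved")
```

Feeding the output of carve() to unsquashfs is equivalent to the dd plus unsquashfs steps in this post.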

Now the .img content has been copied into the .bin file. Let’s check the file using binwalk.

As the file system is Squashfs, let’s extract iotgoat.bin using unsquashfs, which is also built into Kali Linux. Use the following command:

# unsquashfs iotgoat.bin

The extracted files will be found under the squashfs-root directory.

Instead of using unsquashfs, we can also use binwalk to extract the image file. To do so, use the -e flag in binwalk as shown below.

Files extracted using binwalk will be present under the directory _IoTGoat-raspberry-pi2.img.extracted.

Let’s dive into the next step. Now we have to open the extracted directory. Choose the directory according to the method you used to extract:

# cd _IoTGoat-raspberry-pi2.img.extracted

# cd squashfs-root

Once we are in the extracted directory, let’s search for sensitive files and information. When we move to the /etc directory we see that the passwd and shadow files are present.

Let’s see what’s in the passwd file. Here we learn that a user named iotgoatuser is present.

In the same way, let us check the shadow file.

For the next part, download the IoTGoat-x86.vmdk file from https://github.com/OWASP/IoTGoat/releases and run the virtual instance. Once the VM is running, go to Kali Linux and search for the IP of IoTGoat:

# arp-scan --local

Now let us get the username/password wordlist from https://github.com/securing/mirai_credentials/blob/master/mirai_creds.txt and save it under /usr/share/wordlists/.

Now let us use hydra or medusa for cracking the password.

For hydra, use the command below:

hydra -V -f -t 4 -l iotgoatuser -P /usr/share/wordlists/mirai_creds.txt ssh://192.168.1.5

where:

-V — display each login+password pair while the attack runs;

-f — stop as soon as a password for the specified login is found;

-l — the username;

-P — the path to the password dictionary;

ssh://192.168.60.50 — the service and victim IP address.

Here, for demonstration purposes, I have added the IP of my IoTGoat. Use the IP you got from the arp-scan.

For medusa, use the command below:

# medusa -u iotgoatuser -P /usr/share/wordlists/mirai_creds.txt -h 192.168.1.5 -M ssh -f

where:

-h — the victim IP address;

-u — the login;

-P — the dictionary path;

-M — the module to use;

-f — stop as soon as a valid login/password pair is found.

From this we learn that the password is 7ujMko0vizxv.

Now let’s connect to the SSH service of IoTGoat:

# ssh iotgoatuser@192.168.1.5

When asked for the password, type the password found above. Once done, we are successfully in.

Now let’s get back to the squashfs-root directory to find some juicy information.

Navigate to usr/lib/lua/luci/controller/iotgoat, where we find a database file named sensordata.db:

# sqlite3 sensordata.db

We see a lot of email IDs along with birth dates.

At the same time, when we navigate to /lib/functions, we can see various shell script files.

When we navigate to usr/lib/lua/luci/view/iotgoat we find .htm files which can be accessed via the IoTGoat web application.

Another interesting thing we found is that dropbear, the SSH server that runs on port 22, is present under different directories:

/usr/sbin/dropbear

/etc/config/dropbear

/etc/init.d/dropbear

To see the list of files related to dropbear, do as follows:

# cat dropbear.list

Under this directory many files contain sensitive information too, as shown below.

If we keep digging, we can find much more information like this which could be used for a successful attack.

Now let’s get back to the squashfs-root directory and navigate to the bin directory. There we will try to get some more useful information. For emulation purposes, let us identify the architecture with:

# readelf -h busybox

From this we know that it is the ARM architecture.
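As an added example (not part of the original post), the following Python reads the same fields readelf -h reports, namely the ELF class, endianness, type and ARM or MIPS machine value, and tallies them across a set of binaries, which is a quick way to confirm the architecture of a whole extracted rootfs before choosing an emulator. The headers it parses are constructed samples, not real IoTGoat binaries.

```python
import struct

# e_machine values from the ELF specification for architectures common on IoT devices.
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}

def elf_header_info(data: bytes) -> dict:
    """Return class, endianness, type and machine, i.e. the first lines of `readelf -h`."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]  # EI_CLASS: 1 = 32-bit, 2 = 64-bit; EI_DATA: 1 = LE, 2 = BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA")
    fmt = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(fmt + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endianness": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, f"0x{e_type:x}"),
        "machine": ELF_MACHINES.get(e_machine, f"unknown (0x{e_machine:x})"),
    }

def summarize_architectures(binaries: dict) -> dict:
    """Tally machine/endianness/class over {name: bytes}; non-ELF files (scripts etc.) are listed apart."""
    summary = {"non_elf": []}
    for name, data in binaries.items():
        try:
            info = elf_header_info(data)
        except ValueError:
            summary["non_elf"].append(name)
            continue
        key = f"{info['machine']} {info['endianness']}-endian {info['bits']}-bit"
        summary.setdefault(key, []).append(name)
    return summary

def make_elf_header(machine: int, ei_data: int, e_type: int = 2) -> bytes:
    """Constructed sample: a bare 52-byte ELF32 header with no program headers (not a runnable binary)."""
    fmt = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([1, ei_data, 1, 0]) + b"\x00" * 8
    rest = struct.pack(fmt + "HHIIIIIHHHHHH", e_type, machine, 1, 0, 0, 0, 0, 52, 32, 0, 40, 0, 0)
    return ident + rest

if __name__ == "__main__":
    # Constructed stand-ins for files found in an extracted rootfs.
    sample = {"busybox": make_elf_header(40, 1), "dropbear": make_elf_header(8, 2),
              "rc.local": b"#!/bin/sh\n"}
    print(summarize_architectures(sample))
```

On a real rootfs, read the first 52 bytes of each file under bin, sbin, usr/bin and lib and pass them in; a binary whose architecture differs from the rest (for example an x86 file in an ARM image) is worth a closer look.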


Conclusion

Cyber-security is very important if you are to succeed online. Hackers are getting better at their game, which means you need a dedicated team that stays updated on security issues and provides around-the-clock protection for your websites.

Cyberarch Consulting has a strong record of helping businesses secure their networks and servers. We help you become compliance ready by conducting penetration testing based on the compliance requirements. Our security professionals, with many years of experience and industry-standard certifications, will help you find and patch security loopholes and secure your business.

Author : Meshach.M – Senior Security Consultant at Cyberarch Consulting
