IoT firmware analysis — Firmwalker
IoT is the next big technology that will change the way we communicate and exchange data. Every day thousands of IoT devices are coming into the market. Most of these devices collect and exchange data over the cloud. Not much effort has been put into securing the IoT devices, thus understanding the security of IoT devices and their communication is of utmost importance.
If one has a close look at any IoT Network, there are many components to be secured. Some of them are listed below –
- Web/Cloud Interface
- Mobile Application
- IoT Communication Protocols
- IoT Hardware Interfaces like JTAG, UART, SPI, and I2C.
- IoT Device Firmware
Security of all the components mentioned above cannot be covered in a single post. In this post, I will explain how to analyze the firmware of any IoT device since not much resource is available on firmware security.
IoT firmware – What is IoT firmware?
Firmware is a software program programmed on a hardware device. It provides the necessary instructions on how the device communicates with the other computer hardware.
Have you seen something like shown in the image below?
Now I hope it’s clear what firmware is. Put simply, the software running on any IoT device is termed as Firmware.
Firmware Analysis Methodology – To analyze any firmware, there are two ways to do so – one is manual and other uses a tool. Manual Analysis consumes a lot of time, and due to time constraints often it is not possible to do a manual analysis. Thus, automated analysis of firmware comes in handy.
In this post, we will learn how to use a tool named Firmwalker for analyzing the firmware. The tool was written by Craig and can be found at https://github.com/craigz28/Firmwalker. Please download it for performing firmware analysis practically.
The tool is basically a bash script capable of identifying following issues –
- etc/shadow and etc/passwd
- list out the etc/ssl directory
- search for SSL related files such as .pem, .crt, etc.
- search for configuration files
- look for script files
- search for other .bin files
- look for keywords such as admin, password, remote, etc.
- search for common web servers used on IoT devices
- search for common binaries such as ssh, tftp, dropbear, etc.
- search for URLs, email addresses, and IP addresses
- Experimental support for making calls to the Shodan API using the Shodan CLI
Above are the issues widely found in IoT firmware and the tool does a great job in identifying the issues.
Procedure for automated firmware vulnerability analysis
- Get the Firmware – The IoT firmware can be obtained by downloading from the official website of the vendor. If not available on the website for some reason, vendor itself may provide the firmware. If this also does not work, many times a google search or Github search will do the job.
- Extract the Firmware – Firmware files are usually bundled or compressed files. They are widely available in bin, zip, gzip or tar format. We need to extract the firmware first to go through the files. This is achieved using a tool named Binwalk. More on Binwalk can be found here – https://github.com/ReFirmLabs/Binwalk . Binwalk is already installed on Kali Linux.
- Run Firmwalker – Once the files are extracted, we need to run Firmwalker over it. Firmwalker will scan all the files present in the firmware and look for the vulnerabilities listed above. The only prerequisite is the extracted firmware file, and Firmwalker should be present in the same folder. Once the scanning is done, Firmwalker generates the output in a file name Firmwalker.txt by default. This Firmwalker.txt file contains the list of vulnerabilities which were found in the firmware.
Practical Demo – The demo file can be downloaded from this link – http://www.filewatcher.com/m/DIR412A1_FW114WWb02.bin.3534983-0.html. There are four firmware files available. Download the one belonging to the year 2013.
After downloading, copy the file into Firmwalker folder as shown below (I have renamed the file as DLink.bin) –
Run Binwalk to extract the firmware file as shown
The output is shown in the folder
Once the file has been extracted run Firmwalker as shown below –
The output of the result is saved in the file names Firmwalker.txt. The screenshots are shown below –
Opening the file, we see the result as shown –
The above result shows the shell scripts found in the firmware.
Another issue found is shown below –
This is how one goes through the result and find and exploit the issues.
In this firmware, there was one shell script found as shown below –
It seems it is related to telnet login.
On opening the path, I see –
Woah. It is related to telnet login. On reading the highlighted lines, the username is Alphanetworks, and the password is being loaded from the variable image_sign. The path of the variable is shown in the first highlighted line.
When we open that file, we get the password as shown below –
Now, we have the username and the password; we can easily login over the telnet connection. The worst part is all the devices running the firmware are vulnerable and can be compromised.
Thus, Firmwalker is a great tool for scanning and finding the issues in an IoT Firmware.