IoT security fundamentals: Reverse-engineering firmware
Firmware is any software installed on the IoT device. The user interacts with the device using this interface and communicates with the hardware.
In this article, we will be learning how to reverse-engineer firmware for finding and exploiting vulnerabilities present in it. For a practical demo, we will be extracting the hardcoded Telnet credentials present in the DLink firmware.
For sake of understanding, the post has been divided in two parts: firmware extraction and vulnerability exploitation.
Part 1: Firmware extraction
This involves extracting the firmware or having access to the firmware files. (Extraction of firmware files from the device is out of scope, thus not covered.) Firmware files can be easily obtained by visiting the vendor’s website and downloading from there.
Once the firmware file is with us, we can find and exploit present vulnerabilities in two ways.
1) Static Analysis: By reversing a firmware (bin/img) file. We will be covering this in this post.
2) Dynamic Analysis: By emulating a firmware
Let’s begin with static analysis.
Static analysis is the process of reversing a firmware and searching for vulnerabilities present in it. It can be done either using some tool or going through each and every firmware file manually.
Examples of this include looking for hard-coded usernames or passwords, searching for sensitive data in the files and so on.
Tools for static analysis
The following tools can be used for reversing the firmware:
- Firmware Modification Kit(FMK).
- FRAK (Firmware Reverse Analysis Konsole)
Of the above tools, Binwalk and Firmware Modification Kit (FMK) are widely used.
When to use which? If you just want to reverse a firmware, use Binwalk. If you want to reverse a firmware, modify a file and repack a firmware, use FMK.
Firmware reversing using Binwalk
Let’s see how one can reverse the firmware binary and obtain files present in it. Before this, let’s install Binwalk and download vulnerable firmware for the demo. Links for them are mentioned below. Please follow each and every step diligently.
- Binwalk installation — Please follow this guide: Binwalk_Setup
- Vulnerable firmware — Get it from here: Vulnerable_Dlink_Firmware
Now let’s start with the process of firmware extraction.
Step 1: Dlink firmware is as shown:
Step 2: Extracting firmware using the binwalk -e option. Please note the extracted firmware files in the background.
Firmware has been extracted using the binwalk -e option. The firmware uses the Squashfs file system, as highlighted in red.
Now let’s open the _DIR412A1_FW114WWb02.bin.extracted folder. Inside the folder, you will find the squashfs-root folder. It contains all the files present in the firmware. Let’s open it and see the content.
What do you observe? It’s a typical Linux file system. Can be easily guessed by looking at folders such as bin, etc, proc and so on.
This completes the process of extracting the firmware bin file using the binwalk -e option.
Part 2: Vulnerability exploitation
As mentioned above, if you want to search for vulnerabilities present in the firmware, one can do it manually by going through each and every file. But the issue is this is too time-consuming. What we will be doing is we will extract the hard-coded Telnet credentials present in the firmware using grep -iR telnet command, as shown.
If you see the output of the command, there are many instances where the word “telnet” is present. Have a look at the highlighted section “telnetd -l /usr/sbin/login -u Alphanetworks: $image_sign -i br0 &”.
telnetd involves a binary /usr/sbin/login. So maybe this is related to login. Alphanetworks is the username (the -u option is the hint). The username is followed by the password.
But here, “Alphanetworks:” is followed by $image_sign. It means the password is the value of the variable image_sign. So let’s find the value of variable image_sign for the password. We find this instance of Telnet being loaded from root/etc/init0.d/S80telnetd.sh file (highlighted part).
Let’s open the file and see the content.
Value of image_sign variable = “cat /etc/config/image_sign”. So the value of the variable image_sign is the content of the file “/etc/config/image_sign“. Let’s see what “etc/config/image_sign” contains
It contains the password, which is “wrgn28_dlob_dir412”. So the Telnet credentials are as follows:
- username = Alphanetworks && password = wrgn28_dlob_dir412
Now we have the credentials with us, we just have to find where this firmware is being used and can use the above username and password for logging into the router via Telnet.
So, this is how one can reverse IoT firmware and look for vulnerability present in it.
- Reverse engineering my router’s firmware with binwalk, embeddedbits.org
- Embedded Devices Security Firmware Reverse Engineering, media.blackhat.com
- Reverse Engineering Router Firmware, Linux Security Blog
- How to Start IoT device Firmware Reverse Engineering?, SecureLayer7