IoT security fundamentals: Reverse-engineering firmware
Firmware is any software installed on the IoT device. The user interacts with the device using this interface and communicates with the hardware.
In this article, we will be learning how to reverse-engineer firmware for finding and exploiting vulnerabilities present in it. For a practical demo, we will be extracting the hardcoded Telnet credentials present in the DLink firmware.
For sake of understanding, the post has been divided in two parts: firmware extraction and vulnerability exploitation.
Learn IoT Security
Part 1: Firmware extraction
This involves extracting the firmware or having access to the firmware files. (Extraction of firmware files from the device is out of scope, thus not covered.) Firmware files can be easily obtained by visiting the vendor’s website and downloading from there.
Once the firmware file is with us, we can find and exploit present vulnerabilities in two ways.
1) Static Analysis: By reversing a firmware (bin/img) file. We will be covering this in this post.
2) Dynamic Analysis: By emulating a firmware
Let’s begin with static analysis.
Static analysis
Static analysis is the process of reversing a firmware and searching for vulnerabilities present in it. It can be done either using some tool or going through each and every firmware file manually.
Examples of this include looking for hard-coded usernames or passwords, searching for sensitive data in the files and so on.
Tools for static analysis
The following tools can be used for reversing the firmware:
- Binwalk
- Firmware Modification Kit(FMK).
- Firmwalk
- FRAK (Firmware Reverse Analysis Konsole)
Of the above tools, Binwalk and Firmware Modification Kit (FMK) are widely used.
When to use which? If you just want to reverse a firmware, use Binwalk. If you want to reverse a firmware, modify a file and repack a firmware, use FMK.
Firmware reversing using Binwalk
Let’s see how one can reverse the firmware binary and obtain files present in it. Before this, let's install Binwalk and download vulnerable firmware for the demo. Links for them are mentioned below. Please follow each and every step diligently.
- Binwalk installation — Please follow this guide: Binwalk_Setup
- Vulnerable firmware — Get it from here: Vulnerable_Dlink_Firmware
Now let’s start with the process of firmware extraction.
Step 1: Dlink firmware is as shown:
Step 2: Extracting firmware using the binwalk -e option. Please note the extracted firmware files in the background.
Firmware has been extracted using the binwalk -e option. The firmware uses the Squashfs file system, as highlighted in red.
Now let’s open the _DIR412A1_FW114WWb02.bin.extracted folder. Inside the folder, you will find the squashfs-root folder. It contains all the files present in the firmware. Let’s open it and see the content.
What do you observe? It’s a typical Linux file system. Can be easily guessed by looking at folders such as bin, etc, proc and so on.
This completes the process of extracting the firmware bin file using the binwalk -e option.
Part 2: Vulnerability exploitation
As mentioned above, if you want to search for vulnerabilities present in the firmware, one can do it manually by going through each and every file. But the issue is this is too time-consuming. What we will be doing is we will extract the hard-coded Telnet credentials present in the firmware using grep -iR telnet command, as shown.
If you see the output of the command, there are many instances where the word “telnet” is present. Have a look at the highlighted section “telnetd -l /usr/sbin/login -u Alphanetworks: $image_sign -i br0 &”.
telnetd involves a binary /usr/sbin/login. So maybe this is related to login. Alphanetworks is the username (the -u option is the hint). The username is followed by the password.
But here, “Alphanetworks:” is followed by $image_sign. It means the password is the value of the variable image_sign. So let’s find the value of variable image_sign for the password. We find this instance of Telnet being loaded from root/etc/init0.d/S80telnetd.sh file (highlighted part).
Let’s open the file and see the content.
Value of image_sign variable = “cat /etc/config/image_sign”. So the value of the variable image_sign is the content of the file “/etc/config/image_sign“. Let’s see what “etc/config/image_sign” contains
It contains the password, which is “wrgn28_dlob_dir412”. So the Telnet credentials are as follows:
- username = Alphanetworks && password = wrgn28_dlob_dir412
Now we have the credentials with us, we just have to find where this firmware is being used and can use the above username and password for logging into the router via Telnet.
So, this is how one can reverse IoT firmware and look for vulnerability present in it.
Learn IoT Security
Sources
- Reverse engineering my router's firmware with binwalk, embeddedbits.org
- Embedded Devices Security Firmware Reverse Engineering, media.blackhat.com
- Reverse Engineering Router Firmware, Linux Security Blog
- How to Start IoT device Firmware Reverse Engineering?, SecureLayer7
Learn IoT Security
Build your IoT security skills and become a Certified IoT Security Practitioner. What you'll learn:- Securing IoT networks
- Software and firmware risks
- Controlling access to IoT
- Ensuring privacy
- And more
In this Series
- IoT security fundamentals: Reverse-engineering firmware
- Capture: Improve IoT firmware security with new firmware architecture
- Smart Toys and Their Cybersecurity Risks: Are Our Toys Becoming a Sci-Fi Nightmare? [updated 2021]
- Japan’s IoT scanning project looks for vulnerable IoT devices
- IoT security fundamentals: IoT vs OT (Operational Technology)
- IoT Security Fundamentals: Intercepting and Manipulating Wireless Communications
- IoT Security Fundamentals: Hardware, Software and Radio Security
- IoT Security Fundamentals: Detecting and Exploiting Web Application Vulnerabilities
- Keeping Alexa out of the boardroom (and the bedroom office): IoT security tips for remote employees
- Internet of Things (IoT) trends in 2019
- Can legislation save IoT security?
- An Overview of the Proposed DIGIT Act
- The IoT Security Skills Gap
- Internet of Things (IoT) Evolution: Where to From Here?
- Security Issues in Edge Computing and the IoT
- 10 Tips to Increase IoT Cameras Protection
- IoT firmware analysis -- Firmwalker
- Shodan and IoT: The Problem is here!
- The Top Ten IoT Vulnerabilities
- How IoT is Raising Cybersecurity Concerns
- The Rise of the IoT Botnet: Beyond the Mirai Bot
- Security Vulnerabilities of Internet-Connected Homes
- Security Challenges in the Internet of Things (IoT)
- Will IoT Security Awareness Protect Me From My Toaster?
- The Emergence of IoT: Is Security a Concern?
- Internet of Things: How Much are We Exposed to Cyber Threats?
- How to Test the Security of IoT Smart Devices
- Three Security Practices That IoT Will Disrupt
- Privacy Implications of the Internet of Things
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
