Discover IoT security assessment through best-practice guides for each stage of an IoT security audit, as discussed in the previous OWASP FSTM methodology articles
The Internet of Things (IoT) sector has experienced exponential growth over the last few years. The launch of 4G networks provided the impetus this sector needed to deploy communications effectively and cheaply. The current deployment of 5G networks will be another turning point in this highly competitive market, making IoT security assessment a must in the years to come.
On the other hand, the proliferation of wearable devices has not only generated a new market but has also created a new data-centric business model. The business paradigm has thus changed: it is no longer focused so much on the sale of physical devices but on the sale of services and data management.
Wearable devices, smartphones and social networks have brought about a change of mentality in society, making these services increasingly necessary. The penetration and acceptance of these products keeps growing and reaches ever more segments of the population.
For all these reasons, it can be said that we are living through a moment of significant technological transition that is changing the way we think, learn, relate to others, etc. However, how secure are these IoT devices? Is security a central element of their design? Is there any methodology to evaluate their security? This article answers these questions with some reflections on the OWASP FSTM methodology and its impact on the IoT sector.
The OWASP FSTM methodology is a firmware analysis methodology standardized by OWASP. The introductory article that precedes this series discusses its approach in more detail. The Tarlogic Innovation team has sought to expand on the methodology throughout this series of 9 articles, so recommendations, best practices and a list of tools have been included for each stage of an IoT security assessment.
While it is true that this methodology targets any type of firmware, it is especially applicable to the IoT device market. IoT devices generally apply OTA update policies and, in many cases, the firmware is available on the manufacturer’s website. Manufacturers also publish update patches containing partial firmware online, and in some IoT security assessments we have been able to locate the full firmware on the internet.
The following is a review of the methodology grouped into four phases: information acquisition, static analysis, dynamic analysis, and exploitation. Each of these phases is associated with one or more stages of the methodology.
Acquisition of IoT device information
The first stages of the methodology are focused on obtaining information (OWASP FSTM – Stage 1) and firmware (OWASP FSTM – Stage 2) from the device being audited. It is important to note that the OWASP FSTM methodology is an incremental approach so that the information obtained in the previous stages directly impacts the successive stages. The more effort put into one stage, the greater the degree of knowledge about the device and the faster the subsequent stages will be performed.
Therefore, obtaining information (stage 1) is a critical process for IoT security testing, and a specialized cyber-intelligence team can add great value to this type of analysis. The entry corresponding to stage 1 of the methodology describes both the sources of information and the most useful points of analysis for properly studying the device under test. The result is a deeper IoT security assessment.
On the other hand, step 2 of the methodology focuses on obtaining the firmware. This step is especially relevant because the firmware constitutes the analysis substrate in IoT security assessment. Thanks to the information contained in it, the rest of the analysis can be focused in an optimal and efficient way. In most cases the firmware cannot be obtained from the internet from the sources identified during step 1, so it is necessary to resort to hardware hacking techniques and obtain it directly from the physical device.
Tarlogic Security has a department specialized in hardware hacking with firmware extraction capabilities through debug ports (JTAG, serial…) or by desoldering the device memories. In addition, for the most unusual analysis tasks, ad-hoc hardware is designed to work with these types of devices. The entry corresponding to step 2 presents the steps necessary to obtain the firmware, together with a very illustrative practical example.
Analysis and study of the collected information (stages 3, 4 and 5). Static analysis
After obtaining the IoT device firmware, the next step is to analyze its content to better understand the device operation, identify possible vulnerabilities and focus the rest of the analysis in the most effective and efficient way possible.
The stages of the methodology that focus on firmware analysis and file system extraction are: OWASP FSTM – Stage 3 (firmware analysis), OWASP FSTM – Stage 4 (file system extraction), and OWASP FSTM – Stage 5 (file system analysis).
The objective of stage 3 of the methodology is to study the firmware in order to identify the most interesting regions (e.g. the file system), whether any encryption is present, strings of interest, entropy… All these processes are explained in detail in the entry corresponding to this stage.
It’s important to note that many manufacturers reuse firmware for many of their products, so gaining experience on one of them speeds up the analysis of the rest of the products in the family. In addition, within the same context (e.g., home camcorders) many manufacturers build their solutions on open-source projects to which they add extra layers, so gaining experience on one of them is the gateway to the rest of the competing solutions.
Step 4 is the natural continuation of the previous step and a central step in IoT security assessment. After identifying the regions of interest in the firmware, the file system is extracted. The file systems typically used in IoT devices are generally standard; however, the analyst’s experience is crucial here because many manufacturers modify the signatures of the binaries, and intuition and prior experience are needed to identify them.
In the article corresponding to this stage, the importance of learning how to search for signatures and magic numbers, the usefulness of entropy in this type of work and different techniques and tools for extracting file systems are presented.
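As an added example (not code from the series or from Tarlogic), the following Python script performs the stage 3 and 4 checks just described on a constructed sample image: it locates common file-system and container magic numbers and computes a block-wise Shannon entropy profile to separate padding, code and compressed or encrypted regions. The signature table and the layout of the sample image are assumptions for illustration.

```python
import math
import random
from collections import Counter

# Magic numbers frequently met when carving IoT firmware (assumed table for this example).
SIGNATURES = {
    b"\x7fELF": "ELF executable",
    b"hsqs": "SquashFS (little-endian)",
    b"\x1f\x8b\x08": "gzip stream",
    b"\xfd7zXZ\x00": "xz stream",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]: ~0 is padding, ~8 suggests compression or encryption."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_signatures(blob: bytes) -> list:
    """Return sorted (offset, description) pairs for every known magic number found."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)

def entropy_profile(blob: bytes, block_size: int = 1024) -> list:
    """Entropy of each consecutive block; used to locate packed or encrypted regions."""
    return [shannon_entropy(blob[i:i + block_size]) for i in range(0, len(blob), block_size)]

def high_entropy_blocks(profile: list, threshold: float = 7.0) -> list:
    """Indices of blocks worth a closer look (compressed file system, encrypted blob)."""
    return [i for i, e in enumerate(profile) if e >= threshold]

def build_sample_image() -> bytes:
    """Constructed image (not real firmware): header, ELF stub, erased flash, SquashFS region."""
    rng = random.Random(1234)  # deterministic stand-in for compressed/encrypted bytes
    header = b"IOTFW-v1.0".ljust(1024, b"\x00")
    elf = b"\x7fELF" + rng.randbytes(1020)
    padding = b"\xff" * 1024
    squashfs = b"hsqs" + rng.randbytes(2044)
    return header + elf + padding + squashfs

if __name__ == "__main__":
    image = build_sample_image()
    print(find_signatures(image), [round(e, 2) for e in entropy_profile(image)])
```

On a real image the high-entropy blocks that start with a known signature are the compressed regions to carve, while high-entropy blocks with no signature are candidates for encryption.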
After extracting the file system, it is necessary to analyze and study its contents (step 5). Usually the search targets files of interest such as certificates, keys, passwords, or executables likely to be exploitable. This task is quite monotonous and repetitive, so it is always worth having tools that automate the process in whole or in part. The article corresponding to this stage of the series presents some of them.
It’s important to note that manufacturers of IoT devices often reuse keys and certificates, so compromising a single device can lead to compromising an entire network. Examples of this include a video surveillance system in which the same camera model is deployed repeatedly, or a sensor network deployed in a rural environment such as a farm.
Runtime analysis of the IoT device (stages 6, 7 and 8). Dynamic analysis
After gaining access to the device file system, dynamic analysis of the device can be performed. OWASP FSTM – Stage 6, OWASP FSTM – Stage 7 and OWASP FSTM – Stage 8 focus on emulation, dynamic analysis and runtime analysis respectively.
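The following is an added example, not code from the series, of the kind of automation stage 5 calls for: it searches an extracted file system for PEM keys and certificates and for plaintext credentials in scripts and configuration files, then fingerprints the private keys to reveal reuse across several firmware images of the same product line (the key-reuse scenario described above). The device names, paths and PEM bodies are constructed placeholders.

```python
import hashlib
import re
from collections import defaultdict

# PEM blocks (keys, certificates) and plaintext credentials in scripts/configs.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<kind>[A-Z ]+?)-----\s*(?P<body>.*?)\s*-----END (?P=kind)-----", re.DOTALL)
CRED_RE = re.compile(rb"(?im)^\s*(?:password|passwd|secret)\s*[=:]\s*(\S+)")

def fingerprint(body: bytes) -> str:
    """Stable identifier of a PEM body, independent of line wrapping."""
    return hashlib.sha256(b"".join(body.split())).hexdigest()[:16]

def scan_fs(files: dict) -> list:
    """files maps path -> content for one extracted file system.
    Returns (category, detail, path, value) tuples."""
    findings = []
    for path, data in files.items():
        for m in PEM_RE.finditer(data):
            findings.append(("pem", m.group("kind").decode(), path, fingerprint(m.group("body"))))
        for m in CRED_RE.finditer(data):
            findings.append(("cred", "plaintext", path, m.group(1).decode(errors="replace")))
    return findings

def private_key_reuse(devices: dict) -> dict:
    """devices maps device name -> extracted fs. Returns fingerprint -> device names
    for every private key that appears in more than one firmware image."""
    seen = defaultdict(set)
    for dev, files in devices.items():
        for cat, kind, _path, fp in scan_fs(files):
            if cat == "pem" and "PRIVATE KEY" in kind:
                seen[fp].add(dev)
    return {fp: sorted(devs) for fp, devs in seen.items() if len(devs) > 1}

def sample_devices() -> dict:
    """Constructed sample trees; PEM bodies are placeholders, not real key material."""
    shared = b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQtU0hBUkVELUtFWQ==\n-----END RSA PRIVATE KEY-----\n"
    unique = b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQtVU5JUVVFLUtFWQ==\n-----END RSA PRIVATE KEY-----\n"
    cert = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0VSVA==\n-----END CERTIFICATE-----\n"
    return {
        "cam-01": {"/etc/ssl/server.key": shared, "/etc/ssl/server.crt": cert,
                   "/etc/init.d/rcS": b"#!/bin/sh\nPASSWORD=admin123\nexec /usr/bin/httpd\n"},
        "cam-02": {"/etc/ssl/server.key": shared, "/etc/ssl/server.crt": cert},
        "cam-03": {"/etc/ssl/server.key": unique},
    }

if __name__ == "__main__":
    print(scan_fs(sample_devices()["cam-01"]))
    print(private_key_reuse(sample_devices()))
```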
The goal of stage 6 is to emulate the firmware to evaluate its security level. Emulation is a very powerful technique in IoT security assessment because it allows parallelizing proofs of concept (attacks) and makes the analysis cheaper since it does not require a physical device to perform it.
However, it must be kept in mind that even if an attack succeeds under emulation, it will not necessarily work on the real device. Still, it is a very useful technique that is worth applying. In the IoT context, since these are generally embedded devices with a simple architecture, the emulation process is relatively easy to perform.
In the article corresponding to this stage of the series, several tools (QEMU, Unicorn, Renode…) are presented with which to carry out this emulation process (depending on the level at which you want to emulate). In addition, this explanation is complemented by a practical example using the QEMU tool.
The dynamic analysis phase (step 7) is defined as the study of the running device in a real or emulated environment. The running device is examined in order to confirm and dig deeper into the possible vulnerabilities found in the previous stages.
In this article of the series, hardware hacking techniques (such as debugging with physical ports or emulation), traditional pentesting, fuzzing or procedures to modify the bootloader or firmware of the device are presented. Other useful techniques applied at this stage are reverse engineering of communication protocols and glitching.
Because static analysis of the firmware and its executables provides only a limited amount of information about how they operate, it is usually necessary to continue the analysis in a dynamic environment, one in which the firmware and its components can be observed (and manipulated) during execution.
Thus, runtime analysis (stage 8) builds on the previous phases to gain access to the system’s executables and internal processes, either in a real environment through administrator access or in a virtualized environment, built specifically for the executables of this firmware and where there is much more control over execution.
This article in the series presents the main existing techniques for performing runtime analysis: instrumentation and debugging, tracing, and logging. Regarding instrumentation and debugging, at Tarlogic we have extensive experience in hardware debugging (within our hardware hacking services) as well as in software debugging and instrumentation.
Exploiting binaries during IoT security assessment
Vulnerability exploitation techniques vary greatly depending on the type of vulnerability and the component it affects, although the most serious and damaging ones usually stem from executables built without the relevant security measures or that make use of vulnerable functions.
If the previous analysis phases have been successful, at this point a vulnerability or evidence of a vulnerability will have been discovered in one of the firmware components of an OT or IoT device. Sometimes this vulnerability is found in an executable, for which a proof-of-concept (PoC) or exploit can be written.
The article corresponding to stage 9 of the OWASP FSTM series presents the main techniques for exploiting executables, together with the protection measures they face and how those are evaded. This is the goal of Tarlogic’s IoT security audit service: to identify vulnerabilities and exploit them so that our customers’ products are as secure as possible.
It is important to highlight that the IoT sector is not only going to become a predominant sector in the coming years, but is also a critical element of security in both domestic and industrial environments. A failure in one of these devices can compromise the security of an entire system if it is not adequately protected (isolated networks, system hardening…).
Therefore, it can be said that IoT will be one of the main entry vectors into organizations in the future and will serve as a foothold for pivoting and lateral movement within them.
To avoid these threats, it is very important to follow the recommendations of this type of methodology and to have the help and advice of experts in the field. At Tarlogic, through our cybersecurity and cyber-intelligence services, we are prepared to perform any IoT security assessment (both software and hardware). If you have any doubts about whether your devices are secure or not, do not hesitate to contact us!