
Okay, good afternoon everybody. My name is Alex, I'm a pentester, and today I'd like to talk about the automation of firmware analysis for IoT Linux devices. The reason is that firmware analysis contains a lot of basic, simple steps, mostly a lot of basic, simple steps, and we can try to automate them. Therefore I wrote two simple Python scripts, which I'll show you later, which can automate this process.

But at first, who am I? I'm a junior pentester at a cybersecurity company. I have a degree in industrial engineering, which is very uncommon, because I think most people in infosec have studied something like computer science, but I was always interested in capture-the-flags, for example, or computer science in general, so I decided to get a job in infosec. And yeah, I wrote my thesis about Linux firmware security, which is also a part of my talk here.

So firmware analysis can be very, very complex, right? But you always have some basic, simple steps which you can do, for example: check if the firmware is encrypted, try to get the file system out of our binary, and search for interesting files inside our binary. And I did everything for Linux firmwares, because many IoT devices are running on Linux.

So we can divide the whole process of firmware analysis into two steps: the first one is the static analysis, the second one is the dynamic analysis. In the static analysis we have no execution of the firmware, right? We just look inside our image and try to search for any interesting files, like any encryption algorithms, weak encryption algorithms, stored credentials, something like that. And in the dynamic analysis we are analyzing during operating time, so we're trying to execute our firmware and look at how our firmware is responding.

Okay, so at first I'd like to talk a little bit about the static analysis and what we are trying to do here. At first we'd like to check: is our firmware encrypted or is it not? Because if the firmware is encrypted, it will be very hard to get any information out of it, right? So of course we can check how the encryption algorithms were implemented or something like that, but mostly we can't get any useful information out of it. Okay, if the firmware is not encrypted, we can try to reverse the whole file system out of the binary, and in our case that's our Linux file system. And if we did that, we can search for any interesting files and find vulnerabilities.
So I'd like to start with the check for encryption. What we can say is: when a binary is encrypted, the entropy of the data is high. And in our case we just say entropy equals the randomness of data, which is not 100 percent correct, right, but in our case we just say that. To demonstrate that, I created two different strings. The left one is "AABBBCCC", and this string is ordered in some way, right? So we can say this string has low entropy. And on the right we have a string like "CVAGCIABAC"; this string looks like chaos, okay, so we can say in this example we have high entropy.

I also created some charts to check that. On the left you can see an original JPEG; in the original JPEG the entropy is falling and rising throughout the whole data. And on the right I encrypted the same JPEG, and as you can see, the entropy is continuously at the maximum, which is one. So to check if our binary is encrypted, we can check the entropy with some well-known tools. I picked two tools which can easily be used for an entropy analysis. The first one is ent, which is a command-line tool. I used that for my little script which I'll show you later. It comes with a few options and it's very easy to use. And on the other side, what I can recommend is binvis.io, which is a web service: you can just upload your firmware image, and it creates a really great visualization of your firmware. Here on the right you have an unencrypted image, for example, and on the left, this one is encrypted.

So after we checked our binary for encryption and we found out it's not encrypted, we can try to reverse any files out of our binary. Okay, so just for definition: reverse engineering is the reversal of the development or production process, from the product to the design or the source code. But in our case we just try
to reverse Linux directories and Linux files out of our image. Like you can see here, we have a firmware .bin, a binary, and we try to get our Linux directories such as /etc, /var, /bin, et cetera, and maybe we can find any interesting files in there, for example credential files, PHP web files in general, or config files. And of course you can do this process manually by yourself, you can just look inside the binary and extract everything manually, or you can use tools for that. And one really cool tool is binwalk. Binwalk is a tool which is able to search for known signatures in a binary file.

To demonstrate that, I downloaded some random pictures, for example here a cat picture, a PNG; I also created a zip file with some random content in it. And what I did was, I just wrote everything into a self-made custom file, I just did that with cat. And if you do a hexdump on that, you can see the whole hex state of our self-made file. And what binwalk does is, it goes through the hex code and searches for any well-known signatures: for example a JPEG has its own signature (FF D8 FF ...), a PNG has its own header, its own signature, and so does a zip.

So binwalk is not just able to search for these signatures, it is also able to extract any data out of it. So what I did here, I ran binwalk on that file with the extraction parameter, and as you can see, binwalk was able to find our JPEG signature, our PNG and our zip file, and it could easily extract everything out of our image: we have our cat image, our zip, our PNG, and it was able to extract the content of the zip file as well.

In this example I did a binwalk on a real router firmware, and as you can see, binwalk was able to find our U-Boot bootloader, it was able to find our uImage, which is our Linux kernel, and it found some SquashFS compressed data, which is our Linux file system. Okay, and it was also able to reverse our file system out of the image. And of course, to analyze the U-Boot bootloader and the kernel image is also very important, but in my talk and in my tool I am just focusing on the root file system. So we checked our binary for encryption, we found out it's not encrypted, and we were able to get any data
out of it, our root file system, and now we can search for any interesting files. So one step of this analysis could be to search for stored keys inside the file system. Very often developers are storing, for example, private keys inside the image, and if we can extract these keys, we can authenticate to their services, right, for any cloud services or web servers, whatever. So it is always very important to look for these files. You can, for example, search for any known file names like authorized_keys, private keys, id_rsa and so on, but sometimes you don't have any file names, so you have to do it another way, but I will explain that later.

Similar to the search for stored keys, the search for installed web servers is also very important. A lot of IoT devices have web servers running inside their binary, for example so that a user can log in to some configuration, watch the camera stream, etc. And if we can extract these web servers, we can look at what version it is, right? And if you know the version, we can look online: okay, are there any known vulnerabilities, or maybe even exploits? So it is also always very important to look for these web servers. And what is even more important is what is running on the web server, right? So we should always check for any web files inside our binary, because custom-made web applications are often a famous target for attackers, because developers often have no clue about how to implement a really secure web application. So we should always search for any web files like PHP, ASP, CGI, and have a closer look inside these files; maybe we can find, for example, command injections inside the source code. We can do this process manually, or we can just use any well-known tools, for example SonarQube, RIPS; these are very well-known, very good tools to scan our source code automatically.

Similar to the search for web servers, we should also search for any other binaries. For example, what you see very often is BusyBox, the BusyBox binary, and these binaries are very often outdated or maybe even self-made. If we found some outdated binaries, we can always check, like with the web servers, for any vulnerabilities or exploits, and if the binary is self-made, we can always try to reverse it, right, with radare2, IDA or whatever.

What could also be very important is to look for any configuration files in the binary. Why is that? Because insecure configurations are one of the most seen vulnerabilities, and this could be a misconfiguration that permits directory listings. I think some of you guys have already seen that: you try to access any web page and suddenly you have a complete directory listing. This is a very common misconfiguration. And what is also very often seen is the use of default credentials like admin/admin. So you should always check the configuration files inside your binary; for example you can search for .conf, .cfg.

So I talked about searching for config files, web files, keys, etc., but very often the developers are also using self-made files, right, and we don't know the name of the files. So what we can try to do is, we just look in every file in our binary and search for any strings, for example admin, root, password, private, secret and so on, and maybe sometimes we find hard-coded credentials or, for example, poorly implemented token creation or whatever. And this should always be done.

Okay, I have shown you some basic steps, which kind of files and strings we can search for, and now I'll show a small self-made tool which can automate this simple process.
Can you see anything? Okay, here we are. It's very small, isn't it?

Okay, so the tool is asking me for an image file. I already prepared some images here; here we have an image, a .bin file. I just take that image and type its name here, and now the whole process is starting. It just does the entropy analysis and creates some output, I will show that later. Now it's reversing the whole binary, and it said: whoa, I found an etc and bin directory, a var directory, and this is probably a Linux file system. And here it searches for any interesting files: it looks for Linux credentials, keys, config files, databases and so on, and in this section it looks at every file and searches for any interesting strings. I think it finished. Okay, it wrote the output into my output folder here, named after our image. Here we have some output for the entropy analysis; it creates some output for the entropy analysis, but what is even more interesting is our reversed file system. So it was able to reverse our whole Linux file system out of it, and here it shows what interesting files could be found. It creates an HTML file with some hyperlinks; here, for example, it found some config files, other binaries, you can access them right here, and there, for example, it found a password string in some files, you can just click here on what it found. Okay, it found some standard credentials here.

So this tool is no rocket science, right, but it can save a lot of time. So what I have shown you were some basic steps to search for interesting files in the binary, and this was a part of the static analysis. Now I will talk a little bit about the dynamic analysis, and we can do the
dynamic analysis in two ways: we can run our firmware on a device, but very often we have no device, so we have to emulate the firmware, or rather we have to emulate the architecture the firmware is running on. There are some cool tools out there to emulate the images, and the most known emulator for any architecture out there is probably QEMU. QEMU is very mighty, very powerful, it knows almost every known architecture, it comes with many pre-made configs for different chips, etc. But in my opinion it's very complex, and if you have never done anything with QEMU, it can take a lot of time until an emulation is running.

But the cool thing is, on top of QEMU there's even a nice toolkit, FAT, and what it does is, it looks inside the binary itself and searches for any information about the architecture, CPU, chipset, etc., and loads the fitting QEMU configurations. So it does all the complex parts, so it's very easy to use, but sadly it was not working with every binary, I think 80, 90 percent, which is very sad. But because it's very easy, I decided to use this tool for my little script. And this is how we use FAT to emulate our image: we just execute FAT and type in the path to the firmware image. It will emulate a network interface, and it will give us an IP address, and if we now execute our firmware, we can just access our running firmware via browser or run our well-known pentesting tools on it.

If our firmware is running, we can, as I mentioned before, run our standard pentesting tools. You can run nmap for a port scan, dirbuster for directory brute-forcing, Nikto, the web scanner, which is also very popular for web applications, but these tools, mostly except for Burp, can very easily be automated, and I will show you that.
So I just prepared FAT, because it takes a little bit of time to set up every configuration etc. So I just typed here the path to a firmware image, which is also a router firmware, and it was able to create a network interface with an IP address. Now I'm just executing the firmware, and I think this will take about 20-30 seconds.

Great, so our firmware is running and we can access it. So now I can show you my other tool which I created.

Okay, I called this one "lazy daddy". I executed it, and it asked me for a project name; this is the directory where our output files are written in. Okay, so I just typed, for example, "bsides", and now it's asking me for the module we want to use. I just prepared some modules here, I will show you that. Here is the bsides folder; okay, we have five sub-modules inside here, I think you can see them. So every name has a small number in front of it, and this is our order, okay? So in this folder we have the file names: the number 20, after that 25, 30, 50, 60. So it will run every module in this order, and if we want to change the order, we can just change the number. Okay, so I'm just loading the bsides module, and now it's asking me if everything is right. It just shows the order again: at first it will do a dirbuster, Nikto and nmap scan, and it will then join all files together. And now it's running, so it runs through the whole module. And what is really cool: you can put in any IP address and so on. So imagine you are a pentester, a customer comes and says: hey, I have 10 servers, or 10 IP addresses. You just type in every IP address, then let it run overnight, so you can save a lot of time for the basic steps: port scan, directory listing and so on.

Okay, that's it. Is it possible that I take a selfie with you guys? Because this was my first talk.

Great, so thank you very much. Are there any questions?
Alex: You mean in the program itself? Well, sometimes you get the firmware, but you cannot, for example, download the firmware. If you have a router or an IP camera from the typical manufacturers, you can just download it. Okay, if you want to get the firmware by dumping it, yeah, but that's okay. So mostly, or sometimes, you can just download the firmware; for example, if you are the developer of any device, you can just put your firmware online so everyone can download it. So I did not dump any firmware or something like that; I did all tests on existing firmware images which everyone can download.

Audience: [inaudible] How many firmwares were partially encrypted, like firmware images where some parts are unencrypted and some parts are encrypted?

Alex: I'm getting to that at some point. So, let's say that you downloaded something and a part of that is encrypted and a part of that is not; you'd probably have a really hard time.

Audience: You had that entropy diagram, and it showed high entropy almost everywhere, and you could still extract the file system out of it, wasn't it?

Alex: It is very difficult. Sometimes you have compressed data and sometimes you have encrypted data, so it's very hard to automate the difference, so that the program says: okay, this is encrypted, this is compressed. So if you've got a compressed image, the entropy is also very high, and in this case it was compressed.

Audience: [inaudible] the Firmware Analysis Toolkit?

Alex: Yeah, to get that set up is very easy; you just have to do some pre-configuration, it takes about 10 minutes. You just have to install some tools.

Audience: [inaudible]

Alex: No, but as I mentioned before, it's not very stable, so I would say in my case I was able to run maybe 80% of the firmwares. If you really want to make sure to emulate images, you should probably do that with QEMU, but as I mentioned before, this is very complex and you need some time to do that. But with QEMU you can emulate almost any architecture.
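The following is an added Python example, not the speaker's script and not part of the talk. It sketches the static part of the pipeline the talk describes: a per-window entropy check over an image, plus a cheap container-signature hint at offset 0, because, as the Q&A points out, entropy alone cannot separate compressed from encrypted data; then a walk over an extracted root filesystem looking for the kinds of file names and strings listed in the talk. The 4 KiB window, the 7.5 bits/byte cut-off, the magic-byte table, the name patterns and the keyword list are assumptions; all inputs (the three sample images and the mini root filesystem, including the placeholder key file) are constructed inside the script, and random bytes stand in for real ciphertext.

```python
# Added example, not the speaker's script: a small static pass in the spirit of the
# talk. Step 1 is the entropy check plus a container-magic hint, because (as the
# Q&A says) entropy alone cannot tell compressed from encrypted. Step 2 walks an
# extracted root filesystem for the file names and strings the talk lists.
# Window size, cut-off, magics and keyword lists are assumptions; inputs are constructed.
import gzip, math, os, random, re, string, tempfile
from collections import Counter

WINDOW = 4096       # assumption: bytes per entropy window
HIGH_ENTROPY = 7.5  # assumption: bits/byte counted as "high" (theoretical max 8.0)
MAGICS = {b"\x1f\x8b": "gzip", b"\xfd7zXZ\x00": "xz", b"BZh": "bzip2", b"hsqs": "squashfs"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, window: int = WINDOW) -> list:
    """Entropy per full window; a short trailing remainder is skipped."""
    if len(data) <= window:
        return [shannon_entropy(data)]
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data) - window + 1, window)]

def container_hint(data: bytes):
    """Name of a known compression container if its magic sits at offset 0, else None."""
    return next((name for magic, name in MAGICS.items() if data.startswith(magic)), None)

def classify_image(data: bytes, window: int = WINDOW, threshold: float = HIGH_ENTROPY) -> dict:
    """'plain', 'mixed', 'compressed' (known magic) or 'encrypted-or-compressed'
    (high entropy in >= 90% of windows and no known magic)."""
    profile = entropy_profile(data, window)
    ratio = sum(e >= threshold for e in profile) / len(profile)
    container = container_hint(data)
    if container:
        verdict = "compressed"
    elif ratio >= 0.9:
        verdict = "encrypted-or-compressed"
    else:
        verdict = "mixed" if ratio > 0 else "plain"
    return {"max_entropy": round(max(profile), 3), "high_ratio": round(ratio, 3),
            "container": container, "verdict": verdict}

# Assumed name patterns and keywords, of the kinds the talk mentions.
FILE_PATTERNS = [
    ("key-file", re.compile(r"(id_rsa|id_dsa|id_ecdsa|id_ed25519|authorized_keys|\.pem|\.key)$")),
    ("web-file", re.compile(r"\.(php|asp|aspx|cgi|jsp)$")),
    ("config-file", re.compile(r"\.(conf|cfg)$|^(passwd|shadow)$")),
]
SENSITIVE = re.compile(rb"admin|root|passw(?:or)?d|secret|private", re.IGNORECASE)

def scan_rootfs(root: str) -> dict:
    """Map each interesting file (path relative to root) to its name tags and the
    sensitive keywords seen in its first MiB."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            tags = [tag for tag, pat in FILE_PATTERNS if pat.search(name)]
            try:
                with open(path, "rb") as fh:
                    blob = fh.read(1 << 20)
            except OSError:
                continue
            words = sorted({m.group(0).lower().decode() for m in SENSITIVE.finditer(blob)})
            if tags or words:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = {"tags": tags, "strings": words}
    return report

def sample_images() -> dict:
    """Constructed stand-ins: repetitive text, a gzip stream, random bytes as 'ciphertext'."""
    plain = b"root:x:0:0:root:/root:/bin/sh\n" * 2200
    letters = "".join(random.Random(7).choices(string.ascii_letters, k=200_000)).encode()
    return {"plain": plain, "compressed": gzip.compress(letters, compresslevel=9),
            "random": os.urandom(64 * 1024)}

def build_sample_rootfs() -> str:
    """Constructed mini root filesystem in a temp dir (the key file is a placeholder)."""
    root = tempfile.mkdtemp(prefix="rootfs_")
    files = {
        "etc/lighttpd.conf": b'server.document-root = "/www"\n# constructed: default login admin / admin\n',
        "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----\n",
        "www/index.php": b"<?php echo 'status page'; ?>\n",
        "bin/busybox": b"\x7fELF" + bytes(range(256)) * 16,   # no keywords inside
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for label, img in sample_images().items():
        print(label, classify_image(img))
    for rel, info in scan_rootfs(build_sample_rootfs()).items():
        print(rel, info)
```

On a real image the gzip sample is the instructive case: its windows sit near 8 bits/byte just like the random bytes, and only the container magic separates the two verdicts. A container that starts at a non-zero offset (a U-Boot header followed by a kernel and a SquashFS image, as in the router example from the talk) is not caught by this offset-0 check, which is exactly where binwalk's signature scan takes over; treat "encrypted-or-compressed" as "run binwalk next", not as a final answer.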