Firmware Analysis of Embedded Systems

Dimitrios-Georgios Akestoridis

Carnegie Mellon University

14-829 / 18-638: Mobile and IoT Security (Fall 2018)

Reminders

• University Policies: https://www.cmu.edu/policies/index.html

• Course Policies: http://mews.sv.cmu.edu/teaching/14829/f18/policy.html

• Be aware of potential ethical and legal implications of your actions

• Use isolated networks for your assignments and research

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 2
What is an embedded system?

• An embedded system consists of special-purpose computer hardware and

software, often as part of a larger system and with limited resources

• Embedded systems can be found in a plethora of devices, including:

• Thermostats
• Washing machines
• Pacemakers

• Most IoT devices are just embedded systems with networking capabilities,
such as:
• IP cameras
• Fitness trackers
• Smart locks

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 3
How do embedded systems work?

• The special-purpose computer software that controls an embedded system

is often referred to as firmware and it is stored in non-volatile memory

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 4
How do embedded systems work?

• The special-purpose computer software that controls an embedded system

is often referred to as firmware and it is stored in non-volatile memory

• Many vendors use flash memory in their devices to store their firmware,
which enables them to later:
• Improve the system’s functionality
• Fix security vulnerabilities

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 4
How do embedded systems work?

• The special-purpose computer software that controls an embedded system

is often referred to as firmware and it is stored in non-volatile memory

• Many vendors use flash memory in their devices to store their firmware,
which enables them to later:
• Improve the system’s functionality
• Fix security vulnerabilities

• A firmware image may be provided in order to update the firmware of a

device, which can be done either manually or automatically

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 4
What does a firmware image look like?
• Possible methods for obtaining the firmware image of a device:
• Downloading it from the vendor’s website
• Capturing it during the device’s firmware update process
• Extracting it from the hardware

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 5
What does a firmware image look like?
• Possible methods for obtaining the firmware image of a device:
• Downloading it from the vendor’s website
• Capturing it during the device’s firmware update process
• Extracting it from the hardware

• For illustration purposes, we will use a firmware image from the OpenWrt
project:
• https://downloads.openwrt.org/releases/18.06.0/targets/ar71xx/generic/
• https://git.openwrt.org/openwrt/openwrt.git/

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 5
$ file

• The firmware image could be in a standard archive format that the file
command can identify

• If the file format of the provided firmware image is unknown, then file will
simply report that it contains binary data

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 6
$ strings
• We can inspect sequences of printable characters in the firmware image with
the strings command

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 7
$ hexdump
• We can examine the bytes of the firmware image with the hexdump
command

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 8
$ hexdump
• 0x4e4c3136 (NL16) and 0x55324e44 (U2ND) correspond to the magic
number and ID number of the BIN header:
• https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob_plain;f=tools/
firmware-utils/src/addpattern.c;hb=HEAD

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 8
$ hexdump
• 0x48445230 (HDR0) corresponds to the magic number of the TRX header:
• https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob_plain;f=package/
system/mtd/src/trx.c;hb=HEAD

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 8
$ hexdump
• 0x27051956 corresponds to the magic number of the uImage header:
• https://git.denx.de/?p=u-boot.git;a=blob_plain;f=include/image.h;hb=HEAD

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 8
$ hexdump
• 0x1f8b08 corresponds to the magic number of the gzip file format with the
“deflate” compression method:
• https://tools.ietf.org/html/rfc1952

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 8
$ hexdump

• If the -v option is not

provided, hexdump
replaces repeating lines
with a single asterisk (*)

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 9
$ hexdump

• 0x68737173 (hsqs)
corresponds to the magic
number of the little-endian
SquashFS filesystem:
• https://sourceforge.net/
p/squashfs/code/ci/
master/tree/
squashfs-tools/
squashfs_fs.h

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 9
$ hexdump

• 0xdeadc0de indicates the

start of the reformatted
JFFS2 partition:
• https://openwrt.org/
docs/techref/filesystems

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 9
$ binwalk

• We can use binwalk to

scan for known signatures

• Custom signatures can

easily be incorporated

• Wide variety of analysis

options available

• https://github.com/
ReFirmLabs/binwalk

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 10
$ binwalk

• Regions that contain compressed or

encrypted data tend to have high
values of entropy

• Useful for the inspection of regions that

contain data in an unknown format

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 11
$ binwalk

• Regions that contain compressed or

encrypted data tend to have high
values of entropy

• Useful for the inspection of regions that

contain data in an unknown format

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 11
$ binvis
• We can use binvis to generate a
visualization of the firmware image with
space-filling curves in order to identify
regions with non-random data

• Coloring scheme:
• 0x00: [0,0,0]
• 0xff: [255,255,255]
• Printable character: [55,126,184]
• Everything else: [228,26,28]

• https://github.com/cortesi/scurve

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 12
$ binvis
• We can use binvis to generate a
visualization of the firmware image with
space-filling curves in order to identify
regions with non-random data

• Coloring scheme:
• 0x00: [0,0,0]
• 0xff: [255,255,255]
• Printable character: [55,126,184]
• Everything else: [228,26,28]

• https://github.com/cortesi/scurve

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 12
$ binvis
• We can use binvis to generate a
visualization of the firmware image with
space-filling curves in order to identify
regions with non-random data

• Coloring scheme:
• 0x00: [0,0,0]
• 0xff: [255,255,255]
• Printable character: [55,126,184]
• Everything else: [228,26,28]

• https://github.com/cortesi/scurve

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 12
$ dd
• We can duplicate regions of the firmware image with the dd command:
• if option: Input file
• bs option: Number of bytes in a block (in decimal notation)
• skip option: Number of blocks to skip (in decimal notation)
• count option: Number of blocks to copy (in decimal notation)
• of option: Output file

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 13
Data extraction tools

• We can extract gzip compressed

data with gunzip and SquashFS
filesystems with unsquashfs
• Vendors often use non-standard
SquashFS filesystems that
unsquashfs is unable to extract:
• https://github.com/devttys0/
sasquatch

• With the --extract option,

binwalk uses common tools to
extract the files that it identified

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 14
Inspecting the kernel image

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 15
Inspecting the kernel image

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 16
Decompressing the kernel
• We can extract LZMA compressed data
with the unlzma command

• For recursive scanning and extraction of

known files, we can use binwalk with
the --extract and --matryoshka
options, or simply -eM

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 17
Decompressing the kernel
• We can extract LZMA compressed data
with the unlzma command

• For recursive scanning and extraction of

known files, we can use binwalk with
the --extract and --matryoshka
options, or simply -eM

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 17
Inspecting the kernel

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 18
Inspecting the filesystem

• What to look for in the filesystem?

• Password files
• Encryption keys
• Public key certificates
• Executable files
• Configuration files
• Interesting keywords

• We can use firmwalker to search

for some common files and
keywords in the filesystem:
• https://github.com/craigz28/
firmwalker

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 19
Password files

• Usually, the system’s accounts can be found in the /etc/passwd file and
their hashed passwords are stored in the /etc/shadow file

• For more information regarding the format of those files:

• $ man 5 passwd
• $ man 5 shadow
• $ man 3 crypt

• Traditional DES-based password hashes can be easily cracked with john:

• http://www.openwall.com/john/

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 20
Encryption keys
• Many devices contain hard-coded private keys in their firmware in order to
support HTTPS:
• http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 21
Encryption keys
• Many devices contain hard-coded private keys in their firmware in order to
support HTTPS:
• http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/

• Multiple devices may be using the same encryption keys, sometimes even
devices of different vendors:
• https://www.usenix.org/conference/usenixsecurity14/technical-sessions/
presentation/costin
• https://www.sec-consult.com/en/blog/2016/09/
house-of-keys-9-months-later-40-worse/index.html

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 21
Encryption keys
• Many devices contain hard-coded private keys in their firmware in order to
support HTTPS:
• http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/

• Multiple devices may be using the same encryption keys, sometimes even
devices of different vendors:
• https://www.usenix.org/conference/usenixsecurity14/technical-sessions/
presentation/costin
• https://www.sec-consult.com/en/blog/2016/09/
house-of-keys-9-months-later-40-worse/index.html

• Datasets of private keys that were found in embedded systems:

• https://github.com/devttys0/littleblackbox
• https://github.com/sec-consult/houseofkeys

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 21
Public key certificates

• We can process private keys, public keys, and X.509 certificates with the
openssl program

• For example, we can view the contents of an X.509 certificate in PEM format
with the following command:
• $ openssl x509 -in certificate.pem -text -noout

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 22
Public key certificates

• We can process private keys, public keys, and X.509 certificates with the
openssl program

• For example, we can view the contents of an X.509 certificate in PEM format
with the following command:
• $ openssl x509 -in certificate.pem -text -noout

• We can estimate the number of Internet-connected devices that use the

same public key certificate by searching for its fingerprint on computer
search engines:
• https://www.shodan.io/
• https://censys.io/

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 22
Executable files

• We can examine executable

files in ELF format with the
readelf command

• For example, with the -h

option, readelf displays the
information that is contained
in the header of the ELF file

• We can disassemble ELF files

with tools like radare2:
• https://github.com/radare/
radare2

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 23
QEMU user mode emulation
• We can use QEMU in user mode to execute binary files that were compiled
for a different computer architecture than that of our host system:
• https://www.qemu.org/

• We use the chroot command to execute the ELF file with the extracted
SquashFS filesystem as root directory

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 24
QEMU full system emulation
• QEMU also supports full system emulation using prebuilt images:
• https://people.debian.org/~aurel32/qemu/

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 25
QEMU full system emulation
• QEMU also supports full system emulation using prebuilt images:
• https://people.debian.org/~aurel32/qemu/

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 25
QEMU full system emulation
• We can copy the extracted filesystem in the hard disk image and then initiate
a command interpreter (shell) with chroot

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 26
General security concerns

• Is there any information leakage from the device?

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 27
General security concerns

• Is there any information leakage from the device?

• Does the device accept unauthenticated commands?

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 27
General security concerns

• Is there any information leakage from the device?

• Does the device accept unauthenticated commands?

• Is the device susceptible to replay attacks?

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 27
General security concerns

• Is there any information leakage from the device?

• Does the device accept unauthenticated commands?

• Is the device susceptible to replay attacks?

• Is the firmware image digitally signed?

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 27
General security concerns

• Is there any information leakage from the device?

• Does the device accept unauthenticated commands?

• Is the device susceptible to replay attacks?

• Is the firmware image digitally signed?

• Is the device running any unnecessary services?

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 27
General security concerns

• Is there any information leakage from the device?

• Does the device accept unauthenticated commands?

• Is the device susceptible to replay attacks?

• Is the firmware image digitally signed?

• Is the device running any unnecessary services?

• Are there any backdoors in the firmware?

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 27
General security concerns

• Is there any information leakage from the device?

• Does the device accept unauthenticated commands?

• Is the device susceptible to replay attacks?

• Is the firmware image digitally signed?

• Is the device running any unnecessary services?

• Are there any backdoors in the firmware?

• Is the device using outdated software with known vulnerabilities?

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 27