IOT Firmware Hacking

Hi there,

Has anyone done IoT hacking before?
I am doing some exercises that require us to use the following commands.

sudo file firmware.bin
# output: firmware.bin: data -> nothing useful
sudo hexdump -c firmware.bin | more
# output: 0000000   q   s   h   s ... -> "qshs" is one of the SquashFS magic variants binwalk recognises
man binwalk
sudo binwalk -e firmware.bin

I would appreciate it if some pointers could be exchanged.

How to get the firmware

  • Vendors website
  • Support groups
  • Community forums
  • OTA update sniffing
  • Mobile application
  • Dumping from the device

Analyzing firmware

  • Analyze it via strings and hexdump
  • Is the firmware encrypted?
    • What kind of encryption is being used?
      • hexdump -C firmware.bin
      • strings firmware.bin
      • binwalk -E firmware.bin to figure out the entropy
    • Where can you find the encryption keys?
    • How can you get a copy of the decrypted firmware?
  • Extracting components from the firmware
    • Extract the file system (binwalk -e firmware.bin )
    • Does the file system have hardcoded credentials? (grep is your friend)
      • API keys
      • Private certificates
      • Backdoors
      • Sensitive URLs
      • Config files revealing useful information
  • Emulating the firmware
    • Identify the architecture
    • Emulate the firmware using Qemu and Chroot or FAT (python fat.py - FAT available from here)
    • Perform analysis and exploitation via emulation
  • Reverse engineering firmware binaries
    • Command Injection bugs (IDA analysis and looking at the web files)
    • Identifying Buffer overflows and other software binary specific vulns and exploitation
      • What security protections are in place?
      • Bypassing the security protections.
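A small Python script, added here as an illustration and not part of the original post, for the "is the firmware encrypted?" questions in the Analyzing firmware list: it builds a per-block Shannon entropy profile in the spirit of binwalk -E and searches the blob for SquashFS magic values such as the "qshs" the hexdump above shows. The magic list and the 7.9 bits/byte threshold are my assumptions, not binwalk's.

```python
import math

# SquashFS magics as they appear in the raw bytes. Assumed/abbreviated list:
# "hsqs" (little-endian), "sqsh" (big-endian) and the "qshs" variant seen
# in the hexdump output of the post.
SQUASHFS_MAGICS = [b"hsqs", b"sqsh", b"qshs"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random data, 0.0 for constant data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_profile(blob: bytes, block: int = 4096) -> list:
    """Return [(offset, entropy)] per block, the data behind a binwalk -E plot."""
    return [(off, round(shannon_entropy(blob[off:off + block]), 3))
            for off in range(0, len(blob), block)]


def find_magics(blob: bytes) -> list:
    """Return [(offset, magic)] for every SquashFS magic found in the blob."""
    hits = []
    for magic in SQUASHFS_MAGICS:
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            hits.append((idx, magic.decode()))
            start = idx + 1
    return sorted(hits)


def looks_encrypted(blob: bytes, block: int = 4096, threshold: float = 7.9) -> bool:
    """Heuristic (assumed threshold): high entropy in every block *and* no
    recognisable filesystem magic suggests encryption (or headerless
    compression); high entropy with a magic present is just a compressed image."""
    profile = entropy_profile(blob, block)
    all_high = bool(profile) and all(e >= threshold for _, e in profile)
    return all_high and not find_magics(blob)


if __name__ == "__main__":
    # Constructed sample: a text-like header, then a "qshs" magic, then
    # high-entropy filler standing in for a compressed SquashFS body.
    sample = b"U-Boot header\x00" * 100 + b"qshs" + bytes(range(256)) * 16
    print(entropy_profile(sample))
    print(find_magics(sample), looks_encrypted(sample))
```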