IoT manufacturer: your intellectual property is on your devices
Do you properly protect it before you ship it?
Firmware extraction and analysis: an underestimated threat in an IoT world? Organizations invest heavily in their security posture to prevent intellectual property from leaking out of the organization. What is often forgotten, however, is that the connected products they manufacture frequently contain the very intellectual property they are so eager to protect.
Martijn Knuiman & Jeroen Slobbe - 2 March 2017
Recently, Deloitte in collaboration with MAPI published a report on cyber risk in advanced manufacturing. One of the six key cyber risk themes identified is in the area of connected products, otherwise known as Internet of Things (IoT) devices. Over half of the manufacturing executives interviewed by Deloitte said their company produced connected products that are able to store and/or transmit confidential data, making them an interesting target for actors with bad intentions. Additionally, theft of intellectual property is perceived as one of the top ten cyber threats for manufacturers according to the report.
How can intellectual property be lost via a connected product?
Already in 2014 OWASP (a not-for-profit organization focused on improving software security) published a top ten of IoT security risks. Within that top 10, OWASP mentions the risk of insecure firmware, and with good reason. Firmware is the low-level software that controls the hardware of a specific product or system. There are two types of firmware security risk:
· Firstly, when an attacker can install illegitimate firmware on a device, they can steal confidential data passing through it, or cause the device to perform undesired behavior.
· Secondly, the other way around: if an attacker can read out the firmware from the device, they can steal secrets from it. If good practices are not applied, assets such as default passwords, references to internal systems like code repositories, or secret algorithms can be obtained.
For the risk we discuss here, the theft of intellectual property, we will focus on the second.
How to exploit firmware?
The first step in exploiting firmware is to obtain it. An attacker can obtain a copy of the firmware, called an image, in at least three ways. The easiest way is to browse the manufacturer's website and simply download the file; not all manufacturers, however, distribute firmware updates in this way. Secondly, an attacker can sniff the traffic between a device and the cloud while the device is requesting an update, which works whenever the update is fetched over an unencrypted channel or over a TLS connection the attacker can intercept because the device does not properly verify the server. Finally, an attacker can abuse a hardware debugging port (such as JTAG or UART) and extract the firmware via that channel, or use it to gain access to the device's file system.
A firmware image can contain a wide range of files, ranging from filesystem images to bootloaders or just regular update scripts. Additionally, all those types of files can be compressed or encoded in multiple ways. Although manual analysis of the firmware has an educational benefit, during day-to-day testing it is time consuming. Luckily for pentesters, there are tools, such as binwalk, available to speed up the analysis.
Binwalk scans a firmware image for the magic bytes of many different (embedded) file types and file systems and reports the offset of each hit. When asked to extract, it carves each recognized file out of the image and places it in a separate folder for further analysis. Once all files are extracted in their regular form, an attacker can start searching them for familiar patterns.
For example, when the device happens to have a password-protected admin web interface, it is now easy to browse the extracted filesystem for the password file and attack the password hash offline. Additionally, an attacker has potential access to all code (in the case of a scripting language) and hence can get hold of some of the intellectual property of the device. Even worse, if the device still contains information from the developers, such as references, notes, certificates or test code with access to the code repository, the attacker can also obtain access to those systems.
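The carve-then-search workflow described above, written out as an added example that is not code from the original article or from the binwalk project. It builds a constructed firmware image (a fake header, a gzip-compressed tar "filesystem" and erase-state padding), scans it for a handful of magic byte sequences the way binwalk does, carves the gzip member without tripping over the trailing padding, and then greps the extracted files for the kinds of leftovers the article warns about: password hashes, private keys, repository references and developer notes. All file names, paths and the hash and key contents are constructed placeholders, not real credentials.

```python
"""Carve a firmware image and hunt for leaked secrets (added example, constructed input)."""
import gzip
import io
import re
import tarfile
import zlib

# A small subset of the magic byte sequences binwalk recognises; the scanner
# reports every offset at which one occurs.
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip",
    b"hsqs": "squashfs",
    b"\x7fELF": "ELF",
    b"\x27\x05\x19\x56": "uImage",
}

# Patterns worth grepping for in an extracted filesystem.
PATTERNS = {
    "password hash": re.compile(rb"^[^:\n]+:\$[0-9a-z]+\$[^:\n]*:", re.M),
    "private key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "repository reference": re.compile(rb"(?:git@|ssh://|https?://)[\w.\-]+[:/][\w./\-]+\.git"),
    "developer note": re.compile(rb"\b(?:TODO|FIXME|XXX)\b"),
}


def build_sample_image() -> bytes:
    """Constructed firmware image: fake header, gzip'd tar filesystem, flash padding."""
    files = {  # all contents are placeholders, not real secrets
        "etc/passwd": b"root:$1$saltsalt$fakehashfakehashfakeha:0:0:root:/root:/bin/sh\n"
                      b"nobody:*:99:99::/:/bin/false\n",
        "etc/ssl/device.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIfake...\n-----END RSA PRIVATE KEY-----\n",
        "usr/share/build.sh": b"#!/bin/sh\n# TODO remove before release\n"
                              b"git clone git@git.example.internal:firmware/main.git\n",
        "bin/busybox": b"\x7fELF\x01\x01\x01" + b"\0" * 64,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    payload = gzip.compress(buf.getvalue())
    header = b"\x27\x05\x19\x56" + b"\0" * 60   # 64-byte uImage-style header
    return header + payload + b"\xff" * 32      # erased-flash padding after the image


def scan(image: bytes):
    """Return sorted (offset, type) pairs for every signature hit, like 'binwalk image.bin'."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = image.find(magic)
        while start >= 0:
            hits.append((start, name))
            start = image.find(magic, start + 1)
    return sorted(hits)


def carve_gzip(image: bytes, offset: int) -> bytes:
    """Decompress exactly one gzip member starting at offset; trailing bytes are ignored."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # wbits 31 = gzip wrapper
    return d.decompress(image[offset:])


def extract_tar(blob: bytes) -> dict:
    """Map each regular file in an uncompressed tar archive to its contents."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def find_secrets(files: dict):
    """Return (path, label, snippet) for every pattern match in the extracted files."""
    findings = []
    for path, data in sorted(files.items()):
        for label, pat in PATTERNS.items():
            for m in pat.finditer(data):
                findings.append((path, label, m.group(0)[:60].decode("latin-1")))
    return findings


def analyse(image: bytes):
    """Scan, carve every gzip member that holds a tar, and search the result."""
    hits = scan(image)
    files = {}
    for offset, kind in hits:
        if kind == "gzip":
            try:
                files.update(extract_tar(carve_gzip(image, offset)))
            except (zlib.error, tarfile.TarError):
                pass   # false-positive signature or a gzip member that is not a tar
    return hits, find_secrets(files)


if __name__ == "__main__":
    hits, findings = analyse(build_sample_image())
    for off, kind in hits:
        print(f"0x{off:08x}  {kind}")
    for path, label, snippet in findings:
        print(f"{path}: {label}: {snippet}")
```

The same scanner, pointed at a release candidate instead of a captured image, doubles as a pre-distribution check for the cleansing step in the recommendations below: if it reports anything, the image is not ready to ship.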
There is no single silver bullet for preventing attacks on a device's firmware. Depending on the type of product, a manufacturer should consider at least a minimum set of measures. Our top six suggestions for product owners and developers to consider are:
1. Ensure that during the testing stages of development the product is tested against IoT security standards, such as OWASP’s IoT top 10;
2. Ensure that the full attack surface is analyzed, so that you know your risks and can prepare mitigating measures;
3. Ensure that firmware can be updated over the air, so that in case of emergency a patch can be applied; the device must verify the signature of an update before installing it, otherwise the update channel itself becomes the way to install illegitimate firmware;
4. Ensure that the firmware image is cleansed before distribution, e.g. make sure that no default hardcoded passwords are used, that no references to the build environment remain, that debug code and todo.txt files are removed and that all private keys and certificates are removed;
5. Make sure that the (hardware) debug ports (like JTAG, UART, etc.) and debug software components are removed or permanently disabled before a product moves to production;
6. Make sure that tamper-evidence and tamper-detection functionality is enabled on the device, so that a user can notice that the device has been opened or altered before unauthorized firmware can cause a safety hazard.
OWASP has been addressing the risk of leaking confidential information via firmware since 2014. As clearer tutorials and better tools become available and more connected products are introduced to the market, the risk of losing intellectual property via connected products is increasing. With close attention during the development process of a product, however, the risk can be properly controlled. Hence we advise product manufacturing companies to put this on their risk radar.
Do you want to know more about cyber risk in advanced manufacturing?