1
00:00:02,720 --> 00:00:03,740
Hello, everybody.

2
00:00:03,890 --> 00:00:11,120
Welcome back to this course. In this lesson, I will talk about how to extract and analyze IoT device

3
00:00:11,120 --> 00:00:20,870
firmware. Firmware is generally found in IoT devices in a compressed format and resides in the non-volatile

4
00:00:20,870 --> 00:00:23,180
memory of the IoT device.

5
00:00:24,140 --> 00:00:33,830
It generally includes: a bootloader, the kernel, the file system and additional resources. Regarding

6
00:00:33,830 --> 00:00:36,430
obtaining the firmware of a device,

7
00:00:36,680 --> 00:00:45,920
it must be said that device manufacturers often make firmware available for download on their website.

8
00:00:46,640 --> 00:00:55,700
Sometimes it may also be possible to obtain the firmware in the case of update mechanisms (OTA, Over-The-Air updates)

9
00:00:55,700 --> 00:01:02,840
not implemented in a secure way, which allow obtaining it with a man-in-the-middle attack.

10
00:01:04,980 --> 00:01:13,050
The classic methods of extracting the firmware of a device consist of extracting it directly from the

11
00:01:13,050 --> 00:01:23,910
hardware by means of appropriate interfaces, such as UART, SPI, I2C, or by extracting it directly

12
00:01:23,910 --> 00:01:32,390
from the EEPROM through an EEPROM chip reader. For the extraction of the firmware, a connection

13
00:01:32,400 --> 00:01:38,220
via a JTAG or SWD debug interface could also be used.

14
00:01:40,600 --> 00:01:48,520
The image shows an EEPROM flash BIOS programmer, which can be used for a firmware dump.

15
00:01:50,500 --> 00:01:59,110
The first operation to perform, after obtaining the firmware of the device under test, is to recognize and

16
00:01:59,110 --> 00:02:06,940
extract the file system from the firmware. The recognition and the extraction of the file system can be

17
00:02:06,940 --> 00:02:14,940
done manually or with the help of tools such as, for example, the Linux tool binwalk.

18
00:02:17,380 --> 00:02:25,060
We can see here the usage information of the binwalk tool, of which I will show some examples of use

19
00:02:25,060 --> 00:02:25,660
shortly.

20
00:02:29,810 --> 00:02:37,540
The slide shows an example of analysis with binwalk of a firmware, where the binwalk analysis reports

21
00:02:37,540 --> 00:02:43,780
recognition of a SquashFS filesystem with gzip compression.

22
00:02:46,800 --> 00:02:52,190
To verify the application of encryption to the firmware, it is possible

23
00:02:52,240 --> 00:03:01,470
with binwalk (with the uppercase -E parameter) to perform an analysis of the entropy of the firmware file,

24
00:03:01,950 --> 00:03:11,340
as in the example shown in the slide. A completely flat line would indicate the presence of encryption;

25
00:03:11,340 --> 00:03:20,610
in the case of ripples instead, it would mean that the firmware is only in compressed format, but not encrypted.

26
00:03:22,990 --> 00:03:31,720
And here is an example of extracting the filesystem using binwalk (used with the lowercase -e parameter).

27
00:03:35,470 --> 00:03:42,220
After extracting the file system from the device firmware, you can proceed by checking for the presence

28
00:03:42,220 --> 00:03:50,580
of: sensitive information, hardcoded passwords, encryption keys, backdoor accesses, etc.

29
00:03:52,510 --> 00:04:01,210
The analysis of the extracted file system can be carried out manually or even with the aid of tools such

30
00:04:01,210 --> 00:04:06,790
as the firmwalker tool, as in the example shown in the slide.

31
00:04:09,350 --> 00:04:14,900
The next step is to analyze the binary files in the file system.

32
00:04:15,320 --> 00:04:22,640
We can check whether the binaries have any vulnerabilities. To analyze and reverse engineer

33
00:04:22,640 --> 00:04:25,460
binaries, the commonly used tools

34
00:04:25,460 --> 00:04:35,420
are disassemblers and binary debuggers, such as: IDA Pro, radare2, Hopper, Ghidra, etc.

35
00:04:37,770 --> 00:04:46,290
In addition to a static analysis of binary files, it is useful to be able to carry out a dynamic

36
00:04:46,290 --> 00:04:48,690
analysis by running them.

37
00:04:49,380 --> 00:04:57,330
To do this, you can use tools such as QEMU to emulate the binaries and then run them.

38
00:04:59,220 --> 00:05:05,820
For further information on the methodologies and tools used for the extraction and analysis of firmware,

39
00:05:05,820 --> 00:05:13,080
it is possible to consult the OWASP Firmware Security Testing Methodology project.

40
00:05:14,610 --> 00:05:15,090
OK.

41
00:05:15,240 --> 00:05:18,300
Thank you for your kind attention, bye.