A Large-Scale Analysis of the Security of Embedded Firmwares

AndreiCos+n,JonasZaddach,AurélienFrancillon,andDavideBalzaro:,Eurecomh;ps://www.usenix.org/conference/usenixsecurity14/technical-sessions/presenta+on/cos+n

SaeidMofrad

INTRODUCTION:Embeddedsystems:-Embeddedsystemarecomputerswithdedicatedfunc+onalitysuchasrou+ngpacket,prin+ngpagesormakingVOIPphonecallsandetc.-Theyarebroadlyused.-Theyarege:ngcomplexandsmarterandprovingadministra+veornon-administra+veinterfaceinexampletheyimplements-ComplexsoTware-Complexprotocols-Processvarioustypeofdata-Theyarege:ngheavilyinterconnectedinprivateorpublicnetworks(IoT)Firmware:ThesoTwareanddatawhichsupportsthefunc+onalityofembeddedsystemiscalledfirmware.

SecurityProblem:Manyexamplesofinsecureembeddedsystemhavebeenseenindailybases:RoutersPrintersVoIPCars...EachoftheabovefindingsisaresultofanindividualanalysisandresearchItincludesmanualandtediouseffortanddoesnotscale.

PaperGoal:

Performingalargescaleanalysistoprovideabe;erunderstandingoftheproblem

ProblemwithLargeScaleAnalysisinembeddedsystems:Heterogeneityof-Hardware,ArchitectureandOpera+ngSystems-Intendedusers,Requirementsofthedevices-SecurityGoalsforeachfirmwareanddeviceManualAnalysisdoesnotscale,itrequires-FindinganddownloadingFirmwarefiles-Unpackingandperformingini+alorsubsequentanalysis-RediscoveringthesameorsimilarbugsinotherFirmwarefiles

PreviousApproaches:

Testofrealdevices[Bojinobv9ccs]-Itisaccurate-Doesnotscaleverywellbecauseitneedsphysicaldevices,logis+candmanagementScanDevicesontheinternetLargescaletesNng[Coi10ACASC]-Canonlytestforknownvulnerability(likedefaultpasswords)-UsingBlackboxapproachSomeresearchistoointrusive[Census2012]-Theyareclosetobeingunethical.-Theyhadtoinjectcodeandcompromisedeviceshencea;ackingdevicesforstudy-

Thispaperapproachtothelargescaleanalysis

-Collectalargenumberoffirmwareimages-PerformBroadbutsimplesta+canalysis-CorrelateacrossfirmwaresthefindingsorresultsAdvantages:-Nointrusiveonlinetes+ng-Nodeviceatallintheexperiment-Scaleable(intermsofhardwareresources,compu+ngpower)-Buttherearemanychallenges

ChallengeobservaNon:MainstreamSystemshavecentralizedupdateandupdatechannelsandformatsarewellunderstoodandverywellstablished.Suchas-MicrosoTupdate-Appleupdate-LinuxupdatemanagerEmbeddedsystemdoesnothavecentralizedupdatesAfirmwareupdateorfirmwarerecoveryordumpinvolveacombina+onofveryrestrictsprocessincludingbuildingschema+csusingdevelopmentboards,customdriversorcustomu+li+es.-Nolargescalefirmwaredataset

ChallengeA:BuildingaRepresentaNveDataset: They collected a subset of firmwares available for download. -This is subset because many firmware and not publicly available -No intended to have an upgrade -Needs product purchase and registration. www.firmware.re project

ChallengeB:FirmwareIdenNficaNonInthecollecteddatasettherearesomefilesingrayarea“Uncertain”Goodexampleisprinterupgrade:Upgradebyprin+ngspeciallycraTedPSdocument.Soitseemsnotfirmwarefilebutitisfirmware!Soitbelongstouncertaintyareaandcannotbediscarded.

Challenge C: Unpacking and Custom Formats How to reliably unpack and learn format?

OTenafirmwareimageisjustdatabinarybloborasciblob(noheaders)

Paperapproachforunpacking&customformatchallengeTheycomparedseveralexisNngunpackingtools(binwalk,FRAK,BAT)TheyusedBAT(BinaryanalysisToolkit)ExtendeditwithmulNplecustomunpackers.BecauseOTenafirmwareimageisjustdatabinarybloborasciblob(noheaders)FileCarvingisrequired(togivemorechanceofextrac+ngsomething)CarvingusesBruteforceateveryoffsetwithallknownunpackersHeuris+cfordetec+ngwheretostopcarvingsinceitresultstohighfalseandnoisydata

ChallengeD:ScalabilityandComputaNonalLimits:-UnpackingandfilecarvingisveryCPUintensive-Unpackingresultsinmillionsoffilessomanualanalysisifinfeasible-One-to-OnefuzzyhashcomparisononbigdatasetisCPUintensive

ChallengeE:ResultsConfirmaNon•  Annissuewhichisfoundsta+cally-Maynotapplytoarealdevice-CannotguaranteeexploitabilityInexamplevulnerabledaemonpresentbutneverstarted•  Issueconfirma+onisdifficultproblem-Requiredadvancedanalysis(sta+c&dynamic)-OTenrequiredrealembeddeddevicesforfinalconfirma+on-Doesnotscalewellinheterogeneousenvironment(involvingmanydevicesand)

Architecture:

Crawler:759kcollectedfiles.1.8TBofdiskspaceUsesFTP-indexEnginesandGCSE(Googlecustomsearchengine)APIUnpacking:

StaNcanalysis:• 

CorrelaNon/clustering:basedonfuzzyhashes,PrivateSSLkeys,Creden+als

•  WebServerConfigs,hardcodedcreden+al,CodeRepositories•  DataEnrichment:VersionBannersSpecificKeywords(e.gTelnet,Shell,UART,backdoor)

ExampleofCorrelaNon:correlaNonviafussyhashessimilariNes(ssdeep,sdhash)StrongCorrela+onbetweentwofirmwarebyhavingSharedCreden+alsandSelf-SignedCer+ficatesE.GvulnerabilitypropagaNon.

CaseStudies:1-BackdoorsinPlainSightthebackdoorwasfoundtobeac+vatedbythestring“xmlsetroodkcableoj28840yb+de”(i.e.,editby04882joelbackdoorinreverse).theyperformedastringsearchinthedatasetwithvariousbackdoorrelatedkeywordsandfound1198matches,in326firmwarecandidates.2-PrivateSSL(RSAkey)•  manyfirmwareimagescontainingpublicandprivateRSA

keypairs•  -plarormautoma+callyextractsthefingerprintofthepublic

keys,privatekeysandSSLcer+ficates.•  -keysarethensearchedinZMap’sHTTPSsurveyDatabase•  VendorC’sSSLcer+ficatewasfoundtobeusedbyaround

30KonlineIPaddresses.•  -thenfetchedthewebpagesavailableatthoseaddresses(withouttryingtoauthen+cate).Surprisingly,ReturnedCCTVcamerasbrandedbyanothervendor–VendorB

ResultSummary:•  38newvulnerabili+es(CVE)•  Correlatedthemto140konlinedevices.•  Affected693firmwarefilesbyatleastoneofthese

vulnerabili+es.

Conclusion:Abroaderviewoffirmwares•  Notonlybeneficialbutnecessaryfordiscoveryandanalysis•  Correla+onrevealsfirmwarerela+onshipShowhowvulnerabilityreappearindifferentproductorvendor•  Couldallowhowfirmwareareevolveorgetfixed•  Therearemanyhiddenvulnerability•  Securityisatradeoffwithcostand+metomarketandSecurityisnotpriorityofsomevendors

REFERENCE:

•  h;ps://www.usenix.org/node/184450