Analyzing the Firmware of the device for reverse engineering of IoT and Toys
Objectives: The goal of this part of the project is to learn how to analyze a device's firmware once it has been extracted: what are the basic methods for reverse engineering IoT devices and toys?
Analyzing the Firmware
Unpacking memory images: Once a memory image has been obtained, it must be unpacked before the data it holds can be examined. The community-maintained binwalk utility can identify and extract most common embedded file systems and even some proprietary ones. Compression streams that lack a container header are missed by the default signature scan; binwalk's raw-compression options (in binwalk 2.x, ‘-Z’ scans for raw LZMA streams and ‘-X’ for raw deflate streams) detect these so they can be extracted as well. Firmware-mod-kit, a collection of utilities, supports several file formats and variations that binwalk does not.
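The difference between a container magic and a raw compression stream is easiest to see on a small image. The following is an added example, not code from the paper or from binwalk: it builds a made-up firmware image in memory (vendor header, uImage magic, gzip-compressed "kernel", unaligned padding, then a root file system compressed as a raw LZMA stream with no container), scans it for signatures, and carves each hit. The uImage, gzip and SquashFS magics are the documented constants; the three-byte LZMA prefix is a heuristic, just as in a raw-compression scan, and the decoder's `unused_data` is used to find where each embedded stream actually ends.

```python
"""Signature scan and carve over a firmware image, in the spirit of
`binwalk -e` (container magics) and `binwalk -Z` (raw LZMA streams).

Added example, not code from the paper or from binwalk. The sample image is
constructed in memory (below) so the script runs offline."""
import gzip
import lzma
import struct
import zlib

# uImage and SquashFS use real, documented magic numbers. A raw LZMA ("alone")
# stream has no magic: it starts with a properties byte (0x5D for the default
# lc=3, lp=0, pb=2) and a little-endian dictionary size, so the 3-byte prefix
# below is a heuristic, which is why a raw-compression scan is a separate pass
# from the default signature scan.
SIGNATURES = [
    ("uimage-header", b"\x27\x05\x19\x56"),
    ("gzip", b"\x1f\x8b\x08"),
    ("squashfs-le", b"hsqs"),
    ("lzma-raw", b"\x5d\x00\x00"),
]

# Constructed payloads standing in for a kernel and a root file system.
KERNEL = b"Linux version 4.4.0 (toy-camera build)\n" + b"\x90" * 64
ROOTFS = b"root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/:/bin/sh\n" * 8


def build_sample_image() -> bytes:
    """Made-up image: 32-byte vendor header, uImage magic + 60-byte dummy
    header, gzip-compressed kernel, unaligned padding, raw LZMA rootfs, trailer."""
    blob = b"BOOT" + b"\xff" * 28
    blob += b"\x27\x05\x19\x56" + b"\x00" * 60
    blob += gzip.compress(KERNEL, mtime=0)
    blob += b"\xff" * 37
    blob += lzma.compress(ROOTFS, format=lzma.FORMAT_ALONE)
    blob += b"\x00" * 16
    return blob


def scan(blob: bytes):
    """Return (offset, name) for every signature hit, sorted by offset."""
    hits = []
    for name, magic in SIGNATURES:
        start = 0
        while (off := blob.find(magic, start)) != -1:
            hits.append((off, name))
            start = off + 1
    return sorted(hits)


def carve(blob: bytes, off: int, name: str):
    """Try to decode the stream at off; return (payload, end_offset) or None.
    The decoder's unused_data tells us where the embedded stream really ends."""
    try:
        if name == "gzip":
            d = zlib.decompressobj(wbits=31)      # 31 = gzip header, 32K window
        elif name == "lzma-raw":
            _props, dict_size = struct.unpack_from("<BI", blob, off)
            if dict_size > 64 << 20:              # implausible header: skip it
                return None
            d = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
        else:
            return None                           # nothing to inflate (uImage etc.)
        payload = d.decompress(blob[off:])
    except (zlib.error, lzma.LZMAError, struct.error):
        return None                               # false positive, not a stream
    if not d.eof:
        return None                               # truncated stream
    return payload, len(blob) - len(d.unused_data)


def extract(blob: bytes):
    """binwalk -e style pass: list every hit and what could be carved from it."""
    report = []
    for off, name in scan(blob):
        carved = carve(blob, off, name)
        payload, end = carved if carved else (b"", None)
        report.append({"offset": off, "type": name, "end": end, "payload": payload})
    return report


if __name__ == "__main__":
    for r in extract(build_sample_image()):
        size = f"{len(r['payload'])} bytes" if r["end"] else "not carved"
        print(f"0x{r['offset']:06x}  {r['type']:14}  {size}")
```

Running it lists the uImage header at 0x20, the gzip kernel right after it, and the LZMA root file system at an unaligned offset that no container magic would have revealed; a real scan additionally checks that the LZMA dictionary size is a sane power of two, which is what keeps raw-compression scans from drowning in false positives.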
Brute-forcing passwords: One of the more rewarding parts of reverse engineering is password extraction. Native Linux account passwords protect SSH (Secure Shell) and Telnet logins by default, and in some cases other services such as HTTP and FTP as well. The Mirai IoT malware spread by connecting to devices over Telnet and SSH with a short list of default credentials. Many devices today ship with credentials that are not as trivial as ‘root’, ‘admin’ or ‘123456’ but are still not complex enough to withstand an exhaustive search.
Linux user passwords are stored hashed in ‘/etc/passwd’ or, on systems with shadow passwords, in its companion ‘/etc/shadow’. On a running device ‘/etc/passwd’ is world-readable while ‘/etc/shadow’ is readable only by root; in a firmware image neither restriction matters, because both files can simply be read out of the extracted file system.
Password-cracking utilities support many hashing algorithms, but two are observed most commonly in IoT devices:
- descrypt: a DES (Data Encryption Standard) based password hash with a two-character salt, giving 4096 (2^12) possible salts. Although passwords may exceed 8 bytes, only the first 8 bytes are hashed and tested. A modern high-end GPU (graphics processing unit) can compute over 9*10^8 descrypt hashes per second.
- md5crypt: an MD5 (Message Digest 5) based password hash (the ‘$1$’ format) with a salt of 12 to 48 bits, giving up to 2^48 possible salts. md5crypt imposes no length limit on passwords, and its 1000 internal MD5 rounds make it much slower to compute: a modern high-end GPU manages over 10^6 md5crypt hashes per second.
Simple passwords can be recovered with a general-purpose tool such as John the Ripper; harder ones call for hashcat, a password cracker designed for GPUs that supports mangling rules and mask patterns. Hashcat takes more expertise to use than John the Ripper, and it is widely used to recover difficult passwords.
Efficient cracking requires a word list or a password-generation pattern (mask) file. Many patterns and word lists are available online, but none proved effective enough against hard-to-guess IoT device passwords. A few observations by the authors about known and newly discovered passwords allowed the creation and ordering of a pattern list that proved more effective against the tested IoT device passwords. The pattern-generation rules used are: at most two symbol characters; at most two or three uppercase characters; any number of digits and lowercase characters; and at most eight characters in total.
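The workflow above (read the hash file out of the unpacked file system, recognise the hash type, generate candidates that follow the observed pattern, test them) as an added example; this is not the authors' tooling and it does not replace hashcat. md5crypt is implemented in pure Python (the FreeBSD ‘$1$’ algorithm) so that the script runs offline; descrypt entries are only classified, since cracking them would need a DES implementation and is hashcat's job anyway. The ‘/etc/shadow’ excerpt is constructed: the root entry is hashcat's published example hash for mode 500 (password "hashcat"), the admin entry is generated at import time from a made-up salt, the support entry is hashcat's example hash for mode 1500, and the base word list is deliberately seeded so the run finishes in seconds. The uppercase limit in the paper's rule set is ambiguous in the text, so it is a parameter here (defaulting to two).

```python
"""Triage password hashes from an unpacked firmware's /etc/shadow and crack
the md5crypt entries with a small rule-based candidate generator.

Added example, not code from the paper. For real work the same hash lines go
to hashcat (-m 500 for md5crypt, -m 1500 for descrypt) or John the Ripper."""
import hashlib
import itertools
import re
import string

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> bytes:
    """crypt(3)-style base64: n six-bit groups, least significant first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt; returns the full '$1$<salt>$<22 chars>' string."""
    salt, magic = salt[:8], b"$1$"            # salt is at most 8 characters
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                           # mix in len(password) bytes of alt
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(password)
    while i:                                  # one byte per bit of the length
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for rnd in range(1000):                   # fixed 1000-round stretching
        h = hashlib.md5(password if rnd & 1 else final)
        if rnd % 3:
            h.update(salt)
        if rnd % 7:
            h.update(password)
        h.update(final if rnd & 1 else password)
        final = h.digest()
    f = final
    enc = b"".join(
        _to64((f[a] << 16) | (f[b] << 8) | f[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(f[11], 2)
    return (magic + salt + b"$" + enc).decode()


def classify_hash(field: str) -> str:
    """Map a shadow password field to the cracking mode it needs."""
    if field == "" or field.startswith(("!", "*")):
        return "locked"                       # no usable password hash
    if field.startswith("$1$"):
        return "md5crypt"                     # hashcat -m 500
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                     # 2-char salt + 11 chars; hashcat -m 1500
    return "other"


def parse_shadow(text: str):
    """Yield (user, password_field) for each entry of an /etc/shadow file."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, field = line.split(":", 2)[:2]
            yield user, field


def fits_pattern(cand: str, max_symbols=2, max_upper=2, max_len=8) -> bool:
    """The paper's observed pattern: few symbols, few uppercase letters, any
    number of digits and lowercase letters, at most 8 characters in total."""
    symbols = sum(c in string.punctuation for c in cand)
    upper = sum(c.isupper() for c in cand)
    allowed = all(c.isalnum() or c in string.punctuation for c in cand)
    return allowed and len(cand) <= max_len and symbols <= max_symbols and upper <= max_upper


DIGIT_SUFFIXES = [""] + [str(n) for n in range(21)] + ["123", "1234", "2017"]
SYMBOL_SUFFIXES = ["", "!", "@", "#", "$", "."]


def candidates(base_words):
    """Mangle each base word (case, digit suffix, symbol suffix) and keep only
    candidates that obey the pattern: a tiny stand-in for a hashcat rule file."""
    seen = set()
    for word in base_words:
        for cased in (word.lower(), word.capitalize(), word.upper()):
            for digits, sym in itertools.product(DIGIT_SUFFIXES, SYMBOL_SUFFIXES):
                cand = cased + digits + sym
                if cand not in seen and fits_pattern(cand):
                    seen.add(cand)
                    yield cand


def crack_md5crypt(hash_str: str, base_words):
    """Return the plaintext for a '$1$salt$hash' string, or None if not found."""
    _, _, salt, _ = hash_str.split("$")
    for cand in candidates(base_words):
        if md5crypt(cand.encode(), salt.encode()) == hash_str:
            return cand
    return None


# Constructed /etc/shadow excerpt (see the lead-in for where each hash comes from).
SHADOW = "\n".join([
    "root:$1$28772684$iEwNOgGugqO9.bIz5sk8k/:17000:0:99999:7:::",
    "admin:" + md5crypt(b"Admin12!", b"Gp4x9Qe2") + ":17000:0:99999:7:::",
    "support:48c/R8JAv757A:17000:0:99999:7:::",
    "nobody:*:17000:0:99999:7:::",
])
BASE_WORDS = ["admin", "hashcat", "root", "support"]   # seeded stand-in wordlist


def audit(shadow_text: str, base_words):
    """Classify every entry and crack the md5crypt ones; user -> (kind, plaintext)."""
    report = {}
    for user, field in parse_shadow(shadow_text):
        kind = classify_hash(field)
        found = crack_md5crypt(field, base_words) if kind == "md5crypt" else None
        report[user] = (kind, found)
    return report


if __name__ == "__main__":
    for user, (kind, found) in audit(SHADOW, BASE_WORDS).items():
        print(f"{user:8} {kind:9} {found or '-'}")
```

Note how the pattern filter discards "ADMIN" variants and anything longer than eight characters before a single hash is computed; with hashcat the same constraints would be expressed as a mask or a rule file, and the per-hash cost of md5crypt's 1000 rounds is what the quoted 10^6 versus 9*10^8 hashes per second reflects.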
Detecting vulnerabilities within the firmware: Because a firmware image contains the operating system and the code that controls the device's behavior, further analysis of it may expose underlying vulnerabilities.
Beneficial Uses of the Reverse Engineering Process
Many uses of reverse engineering are neither malicious nor illegal and can benefit the owner. Low-end products often come with insufficient information about their hardware or software. A concerned consumer can use the process presented here to learn about the device and its properties. If the device has been rebranded, the consumer can search the Internet for similar devices sold by other vendors. The consumer gains the ability to learn about the device's internals, and perhaps even to upgrade the firmware and secure the device. This process can be performed on many types of IoT devices and toys and may also help secure products no longer supported by their vendors. Becoming more knowledgeable about the device's software and hardware not only helps the customer get to know the product; it also allows the owner to customize the device to his or her needs. After gathering the desired information, the owner can modify the firmware or configuration, develop the device further, and even add missing functionality.