Attify’s Firmware Analysis Toolkit and AttifyOS VM

Attify has a Firmware Analysis Toolkit (FAT). Apparently they include a pre-built version of it in their AttifyOS VM, and use it in their IoT training:

Firmware Analysis Toolkit: FAT is a toolkit built in order to help security researchers analyze and identify vulnerabilities in IoT and embedded device firmware. This is built in order to use for the “Offensive IoT Exploitation” training conducted by Attify. As of now, it is simply a script to automate Firmadyne which is a tool used for firmware emulation. In case of any issues with the actual emulation, please post your issues in the firmadyne issues.

Attify OS – Distro for pentesting IoT devices: Instead of spending time installing, configuring and setting up various tools required for IoT pentesting, here is a pre-made distro for you containing the tools that would come handy during any Internet of Things Security Assessment or Penetration testing.

From training site:
Firmware analysis: IoT devices and embedded systems run on firmware, which often hold a lot of secrets and sensitive information. This module will help you analyze and extract firmware, thus helping you identify vulnerabilities in the firmware for IoT devices. We will also look at firmware emulation using FAT, a custom tool built by Attify with which you can emulate firmware and perform all sorts of “non-hardware” based attacks. The tool is fully scriptable and hence can be modified and used according to your preference. You also get access to the API, which will allow you to use the tool for your own further research. (unsure if this official or not)


NXP: designing IoT devices with secure boot

NXP has a webinar for IoT makers, talking about secure booting. ‘Webinar’ scared me, but there’s no registration required. 🙂

Watch this on-demand presentation to learn how to:
* Manage the life cycle of an IoT edge node from development to deployment.
* Leverage hardware and software offerings available with the Kinetis MCU portfolio that can help you protect against attacks.
* Ease the burden of secure IoT edge node development using new processors and architectures from ARM.


Click to access Designing-Secure-IoT-Devices-Starts-with-a-Secure-Boot.pdf

Internet of Things Cybersecurity Improvement Act of 2017

ARM IETF ID on IoT firmware update architecture

IETF Internet draft: draft-moran-fud-architecture-00:

A Firmware Update Architecture for Internet of Things Devices
July 18, 2017
Brendan Moran, Milosch Meriac, Hannes Tschofenig
ARM Limited

Vulnerabilities with IoT devices have raised the need for a solid and secure firmware update mechanism that is also suitable for constrained devices. Incorporating such update mechanism to fix vulnerabilities, to update configuration settings as well as adding new functionality is recommended by security experts. This document specifies requires and an architecture for a firmware update mechanism aimed for Internet of Things (IoT) devices. The architecture is agnostic to the transport of the firmware images and associated meta-data. This version of the document assumes asymmetric cryptography and a public key infrastructure. Future versions may also describe a symmetric key approach for very constrained devices.

There’s a mailing list for FUD:

UEFI-based IoT firmware updates

Simplify Secure, UEFI-Based IoT Firmware Updates
Rich Nass

In the age of the Internet of Things (IoT), where everything is becoming connected, each connection point can be viewed as a “Hack This” sign for the bad guys. To prevent this, developers need to be sure that all firmware and associated patches are kept up to date with verified and secure revision control. Any unpatched or outdated firmware can allow access to critical system functions. Unfortunately, this need to keep firmware updated often goes overlooked by the development team after a product has shipped. In many cases this is due to the resources required and complexities involved. But what if the whole process of updating and securing firmware remotely or over the air (OTA) could be standardized and encapsulated within an easy-to-use, reliable solution that works seamlessly with your underlying hardware? It turns out that such a solution is already in hand.[…]

IoT security, AR, and VR

[…]On the subject of supply and demand leading to security issues, Ben Smith, CEO of Laduma, stated, “As new developments are rushed to market in order to gain a lead on competitors, there is a risk that mistakes are being made.” Because of the massive popularity that Virtual and Augmented Reality has gained in the last few years, companies were forced to either put out products that were not necessarily secure or forego their inclusion in the massive VR market of 2016. However, it is no surprise that the connection of multiple insecure devices on a network creates a perfect entry for hackers to retrieve the massive amounts of data which Virtual Reality platforms both receive from the users themselves as well as collect without necessary consent for marketing purposes. In fact, Tata Communication’s Srinivasan CR once stated on the subject, “Every device connecting into a network is a potential vulnerability which can be used to infiltrate the network itself and other devices connected to it.”[…]

Mozilla Corporation abandons IoT project

As expected, Mozilla has canceled their IoT project:

“This experiment has concluded.”

No press on the Mozilla press site in months, however:

OWASP IoT firmware guidance

I just noticed that the OWASP project, the Open source Web App Security Project, has an IoT project, and that project has a Firmware Analysis Project

“The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface ‘Device Firmware'”.

Nothing specific to UEFI, coreboot, ACPI, SMM, etc. They are using the embedded OS definition of firmware.

Senrio: JTAG explained

Senrio has a nice blog post on JTAG usage on consumer IoT devices:

JTAG Explained (finally!): Why “IoT”, Software Security Engineers, and Manufacturers Should Care: Imagine you are handed this device and asked to get root on it as quickly as possible. No further information is given. Where would you begin?  (If you just want to see the router get rooted, jump down to “Mounting an Attack: Rooting a Home Router” 😉 Our target: A VERY common/popular consumer Access Point. Since you have the device in your hands, you might try directly attacking the hardware. However, if you’ve never done any kind of hardware hacking, getting started can be intimidating. In this post, we are going to talk about the fundamental information you need to know to use JTAG for hacking hardware. We’ll also go over a quick example to illustrate the power of direct hardware access. […]

Sequitur Labs’ IoT security checklist

Philip Attfield of Sequitur Labs Inc. wrote an article for IoT Agenda on IoT Security; excerpting a checklist from the article:

* Devices must implement a “root of trust” as a trustworthy measure of integrity and authenticity. A root of trust, once established, is unchangeable and is therefore always reliable and trustworthy.
* Secure interaction between devices on a network is necessary. Implement mechanisms enabling mutual device authentication.
* Isolation and separation are well-accepted principles of security. Isolating sensitive information such as encryption keys, proprietary algorithms or other information raises the difficulty level for an attacker and minimizes the impact of a breach.
* Separate application functions critical to security. Execute such functions in isolated and secured memory regions to prevent compromise.
* Choose hardware platforms that include tamper resistance features. Such features protect against physical device tampering by destroying critical information such as encryption keys before hackers are able to access them.

Senrio’s IoT firmware security checklist

Senrio has a blog post with a list of firmware security tips for IoT devices:

5 Tips for Better IoT and Firmware Security

In this new wold of “the Internet of Things” and billions of networked embedded devices,  it is crucial for device manufacturers to bake security into their new designs before they leave the factory. Here are five tips from a team of security researchers who make a living reverse engineering (hacking) into IoT devices on behalf of industry clients.  […]

Intel Joule

“Today during the Intel Developer Forum (IDF) opening keynote, Intel CEO Brian Krzanich introduced the Intel® Joule™ compute module, a high-performance developer platform with support for Intel® RealSense™ depth-sensing cameras, targeted at Internet of Things (IoT) developers, entrepreneurs and established enterprises. […] The Intel Joule platform enables people to rapidly prototype a concept and then take it into production in a fraction of the time and development cost. Intel Joule is a high performance system-on-module (SOM) in a tiny, low-power package thus making it ideal for computer vision, robotics, drones, industrial IoT, VR, AR, micro-servers and other applications that require high-end edge computing. The Intel Joule module is available in two models – 570x and 550x. The Intel Joule 570x developer kit is available for sale at the 2016 Intel Developer Conference in San Francisco, and will begin shipping in September through Intel reseller partners.”

I’m still reading the docs, not sure what firmware it has, and if developers have ability to revise it. If you know, please leave a Comment. Suggested price is US$379.

Click to access intel-joule-fact-sheet.pdf

Senrio+Xipiter 0day for MANY D-Link devices

[…] In our last post we talked about a vulnerability discovered in the D-Link DCS-930L Cloud Camera. Since then the Senrio Research Team has been working closely with the D-Link Security Incident Report Team. Below we disclose technical details of our efforts.  […] What does that mean in terms of exposure to consumers? In a collaboration with Shodan we discovered 400,000 devices publicly accessible that could be affected by this 0day.  […]

NIST SP 800-183: Network of Things

NIST has a new IoT-related document, focusing on the “Network of Things”. Abstract:

System primitives allow formalisms, reasoning, simulations, and reliability and security risk-tradeoffs to be formulated and argued. In this work, five core primitives belonging to most distributed systems are presented. These primitives apply well to systems with large amounts of data, scalability concerns, heterogeneity concerns, temporal concerns, and elements of unknown pedigree with possible nefarious intent. These primitives are the basic building blocks for a Network of ‘Things’ (NoT), including the Internet of Things (IoT). This document offers an underlying and foundational understanding of IoT based on the realization that IoT involves sensing, computing, communication, and actuation. The material presented here is generic to all distributed systems that employ IoT technologies (i.e., ‘things’ and networks). The expected audience is computer scientists, IT managers, networking specialists, and networking and cloud computing software engineers. To our knowledge, the ideas and the manner in which IoT is presented here is unique.

Click to access NIST.SP.800-183.pdf

ARM IoT security using TLS

Wilfred Nilsen of ARM wrote a new post on the ARM IoT blog, click on blog URL below for video:

IoT Security: Creating X.509 Chain of Trust
Learn the entire process of setting up the chain of trust for your IoT solution. The video, which is available on YouTube, provides a practical example that you can follow and setup on your own computer for learning purposes. The comprehensive video tutorial guides you through the process of setting up secure and trusted communication. After completing the hands-on tutorials, you will be an expert in using SSL for secure communication and how to create and manage SSL certificates. The video shows how to create an Elliptic Curve Cryptography (ECC) certificate for the server, how to install the certificate in the server, and how to make the clients connecting to the server trust this certificate. The server in this video is installed on a private/personal computer on a private network for test purposes.