In a black-box penetration test – say, for a web application – the attacker has very limited knowledge of how the software works. All that you know is what you can gather from the outside. This makes it difficult to detect vulnerabilities. At the other extreme, copy protection of desktop software has been completely unsuccessful. The attacker controls the hardware and therefore can manipulate the software, bypassing security controls.
For an attacker, an IoT device starts somewhere in the middle. The attacker does not have the firmware and must probe from the outside. If the attacker can obtain or manipulate the firmware, their job becomes much easier. Common ways that an attacker can obtain the firmware are:
Once the attacker has a copy of the firmware, it’s usually easy to figure out what’s inside using standard software security techniques. Binwalk is a firmware analysis tool which can tell you what’s inside a firmware image.
The attacker might be able to find out:
Given a firmware image, the attacker may be able to run it on their own hardware (with greater privileges) or obtain the source code from the Internet. This all gives the attacker more information to work with and more opportunities to find a vulnerability.
An attacker that can modify firmware and have your device run it has some new opportunities:
Some device firmware contains secrets – valuable IP, maintenance passwords, company secrets or content decryption keys.
A common fear of vendors is that their manufacturing partners will manufacture and sell devices without the involvement of the vendor. Pirate SD cards are a real problem, and there have been stories of Kickstarter projects being cloned and sold in China. Low-quality clone devices cost both profits and reputation for the business.
In response, some vendors only have their manufacturing partners write basic bringup firmware to the device – just enough to test that the hardware is working correctly. This probably helps, but there are a multitude of other ways to obtain firmware – assuming that the pirate manufacturer doesn’t just write their own.