Embedded Device Security Assessments For The Rest Of Us
The Internet of Things has grown large enough to affect us all in a variety of ways (both positively and negatively!). Whether you are a penetration tester or working in IT security for your organization, you've encountered an embedded device (or 10) that likely contains vulnerabilities. The challenge we all face is how to assess the security of these devices accurately, efficiently, and thoroughly. If you've wondered how much damage attackers can do with devices such as printers, wireless routers, thermostats, TVs, and even Wi-Fi-enabled treadmills, look no further than this course. If you've wondered how to test "The Internet of Things" for security without crashing the device, and how to uncover its hidden secrets, this course will satisfy your curiosity. The goal of this course is to enable you to uncover embedded systems' vulnerabilities as part of your duties as a security professional.
You Will Learn:
- Popular methods of firmware layout, how firmware is built, and customizing firmware for common embedded systems platforms
- How to uncover common firmware vulnerabilities in popular embedded systems quickly and safely and integrate these methods into your testing methodology
- Effectively assess the risk of embedded systems in the course of your penetration testing and/or duties as an IT security professional
- Defend against attacks against embedded systems in your environment and create actionable and reasonable recommendations to clients and/or management on how to appropriately secure embedded systems
- Engage embedded systems vendors in the processes of embedded device security, from development and implementation to end-user awareness
HST.1: Understanding Embedded Systems & Firmware
Wed Feb 25th, 2015
9:00 AM - 5:00 PM
The first day of this course will take a look at the embedded systems landscape, the different types of devices, the various industries which use them, and some common embedded hardware and software platforms. While there are several different types of embedded systems, there are certain commonalities that are important to point out. Firmware layout will be covered in depth, allowing you to understand the popular ways in which firmware is constructed, so that you can apply that knowledge to all different types of devices. We will also run labs to analyze firmware components and run firmware in emulation mode, setting you up to do further analysis.
CPE/CMU Credits: 6
Module 1: What is an embedded system?
- Examples of embedded systems in various categories
- Why we should care about embedded systems security
- Anatomy of Embedded Systems Vulnerabilities & Attacks
- Attack Examples
Module 2: What is firmware?
- Examples of various embedded systems firmware and operating systems
- Firmware layout and operating systems
- Introduction to binwalk
- Lab #1.1: Obtaining & Analyzing Firmware (binwalk)
- Embedded Systems Hardware Overview
- Embedded Processors Overview
- Homework: Download Firmware From The Internet and Analyze The Structure
Module 3: Analyzing Firmware Offline
- Running Firmware in Emulation
- Introduction to Qemu
- Lab #3.1: Running OpenWrt in Qemu
- Introduction to the Firmware Modification Toolkit
- Lab #4.1: Using The Firmware Modification Toolkit
- "Scanning" Embedded Systems
- Lab #5: Nmap Scanning Embedded Systems
- Discovering Authentication Backdoors
- Lab #6: Scan live targets!
- Homework: Scan an Embedded System You Own (or have permission to scan)
HST.2: Attacking & Securing Embedded Systems
Thu Feb 26th, 2015
9:00 AM - 5:00 PM
Day 2 of this course will focus on more in-depth means of vulnerability identification. We will review some of the common file system types and extract them from firmware. Mounting the file system is the first step; once it is mounted, you will learn ways to discover more vulnerabilities and information about the device. Building on the skills learned in this course, we will extract and run binaries from the firmware. Web applications will also be covered, allowing students to learn and develop attacks specific to web applications running on embedded systems. The day will come to a close with a discussion of defensive techniques that organizations and vendors can implement to improve the security of embedded systems.
CPE/CMU Credits: 6
Analyzing Firmware: More In-Depth
- Embedded System Filesystem Types
- Extracting & Mounting File Systems
- Lab #2.1: Locating & Extracting File Systems
- Finding binary files in firmware
- Extracting binaries from firmware
- Building the environments for binaries
- Lab #2.2: Locating, Extracting & Running Binaries
Web Applications & Embedded Systems
- Lab #2.3: Discovering & Exploiting Web Applications
- Authentication Bypass
- Lab #2.4: Finding Authentication Bypass Vulnerabilities
- CSRF & XSS in Embedded Web Application Servers
- Lab #2.5: Exploiting & Weaponizing CSRF in Embedded Web Servers
Defensive Recommendations for Embedded Systems Security
- Updating Firmware
- Embedded Systems Hardening
- Authentication Management
- Common Embedded Systems Protocols (Attack & Defense)
- Review the "Top Ten Embedded Systems Security Elements"
VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion.
The course includes a VMware image file of a guest Linux system that is larger than 2 GB. Therefore, you need a file system with the ability to read and write files that are larger than 2 GB, such as NTFS on a Windows machine.
IMPORTANT NOTE: You will also be required to disable your anti-virus (or any other host-based protection) tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.
Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.
You will use VMware to run a Linux operating system simultaneously when performing exercises in class. You must have either the free VMware Player 3 or later or the commercial VMware Workstation 6 or later installed on your system prior to coming to class.
Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation. VMware will send you a time-limited license number for VMware Workstation if you register for the trial at their Web site. No license number is required for VMware Player.
We will give you a USB drive full of attack tools to experiment with during the class and take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.
You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.
Mandatory Laptop Hardware Requirements
- x86- or x64-compatible CPU, 1.5 GHz minimum (faster recommended)
- DVD Drive (not a CD drive)
- A usable USB port (This is important, USB drives will be used to distribute the VM required for class!)
- 2 GB RAM minimum with 4 GB or higher recommended
- Ethernet adapter (A wired connection is required in class. If your laptop supports only wireless, please make sure to bring an Ethernet adapter with you.)
- 5 GB available hard drive space
During the workshop, you will be required to connect to a network with your classmates (which could be one of the most hostile networks on planet Earth!). Your laptop might be attacked, despite our strict warnings that students refrain from this activity. Do not have any sensitive data stored on the system. SANS and/or SANS instructors are not responsible for your system if someone in the class attacks it in the workshop.
By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
Who Should Attend
- Individuals responsible for securing systems in an organization
- Consultants performing penetration testing for clients
- Systems administrators who are responsible for maintaining embedded systems
- Knowledge of and experience with Linux-based operating systems. No really, we are serious about this one. If you are not familiar with using the Linux command line (Bash) and editing files in Linux (vi is the editor), you may want to consider taking other courses from SANS that teach these skills before taking this course. Familiarity with embedded systems hardware, firmware constructs, and scripting languages is helpful, but it is not a requirement. However, in order to learn about embedded systems, you must have familiarity with Linux, as the embedded systems covered in this course will primarily run Linux, and given the small environment we have to work with, the most basic set of Linux tools is all that is available to us.
- Basic knowledge of TCP/IP and various common protocols (such as HTTP, Telnet, etc.)
What You Will Receive
- A Virtual Machine (Linux-Based Ubuntu Distribution) configured with all of the tools required for class
- Several different firmware distributions to analyze and run
You Will Be Able To
- More accurately assess the security vulnerabilities and perform risk assessments against embedded devices entering your environments
- Perform more in-depth vulnerability assessments of embedded systems encountered on penetration tests
- Analyze firmware for vulnerabilities, including file system and binary file extraction
- Configure and run firmware in emulation (using Qemu) to test for vulnerabilities
- Develop custom scripts and extensions for popular tools to allow for more comprehensive security testing of embedded systems
- Make better defensive recommendations for securing embedded systems both inside your own organization and to the vendors providing solutions on embedded platforms
- Understand how web applications are implemented on embedded systems and use customized techniques for discovering vulnerabilities
- Apply a repeatable process of vulnerability discovery applicable to most embedded systems in use by various organizations large or small
- Identify and exploit web application vulnerabilities on embedded systems and show the risk of such vulnerabilities specific to their environment
- Detect how attackers are using, and will use, embedded systems in malicious ways then adjust your defenses accordingly
- Students will perform hands-on exercises analyzing firmware from popular devices, identifying the layout, extracting files and file systems, and running extracted software from the firmware images
- Several embedded systems will be made available to students on a live network, allowing for discovery and analysis of network-based vulnerabilities
- Students will "Weaponize" vulnerabilities on embedded systems, to gain an understanding of risk and convey those risks to management
What To Take Next?
Courses that Lead-in
- SEC401: Security Essentials Boot camp Style
- SEC504: Hacker Tools, Techniques, Exploits and Incident Handling
- SEC560: Network Penetration Testing and Ethical Hacking
Courses that are Pre-reqs
- SEC506: Securing Linux/Unix (Not an official Pre-Requisite; however, SEC506 will develop the skills required for this course)
Courses that are good follow-ups
I have been researching embedded systems vulnerabilities for several years. In 2007 we published a book on hacking Linksys WRT54G routers. That experience provided me with a foundation for understanding embedded systems vulnerabilities and exploits, and I have been "hooked" ever since. The market has exploded with all sorts of embedded systems, everything from remote management devices inside your servers to home smoke detectors. Devices of today, also dubbed "The Internet of Things" (IoT), are commonplace. However, the security landscape has remained unchanged for the past 10 years or more. I was intrigued by printer vulnerabilities 10 years ago, and many of the vulnerabilities being reported today existed in devices back then. It is clear that things need to change, and my goal for this course is two-fold: 1) to teach people how embedded systems work and how to discover common vulnerabilities, and 2) to raise awareness in the community such that we are poised to effect change in the industry and be able to purchase more secure embedded systems in the future.