What is Penetration Testing?
Penetration Testing has been evolving throughout the year with a robust increase in highly sophisticated attacks. Every organization is now aware of the damage caused by cyber-attacks. Private and Government organizations are now conducting scheduled penetration tests for every three months or less than that. The attacks are increasing day by day and now almost every device is vulnerable to an unpatched zero-day vulnerability. Attacks like Meltdown and Spectre have gone too deep that it exploits a vulnerability at the processor level. Likeways, the firmware is also one of the important attack vectors. This paper discusses multiple methods for reverse engineering a router firmware and the process of backdooring it.
What is Firmware?
Firmware is used to control a piece of hardware through software. Firmware comes pre-installed in devices like Routers, Smartphones, Computers, and other IoT devices. Firmwares are hardware-specific. Not only do they differ from other manufacturer’s devices, but they also do differ from devices with the same manufacturer. Firmwares typically act as an operating environment in highly complex devices. On the other hand, in less complex devices, they act as an Operating system and are responsible for complete hardware control. Firmwares are held in ROM; non-volatile memory. In routers mostly, the firmware file system is based on the Linux operating system. Firmwares can be replaced but cannot be deleted by the user
What is Reverse Engineering?
Reverse Engineering is the process of decompiling a product to expose its internal architecture and learn how it was built. Router firmware is mostly in binary format since they are hardware-specific and cannot be read.
Therefore, they are reverse engineered to decompress the file system present in it. After decompressing the file system, the files inside the file system are visible. The file is then analyzed by a security researcher for discovering security flaws in the code. Or the files in the file system can be manipulated and a backdoor can be added into the file system that allows the attacker to control the router as well as the network and other devices connected to the network. Reverse engineering allows the researchers to understand the file system, the flow of code and functionalities of the firmware.
There are multiple methods available for reverse engineering a router firmware. Recently, the National Security Agency (NSA) had released its reverse engineering tool – Ghidra. Linux has several inbuilt utilities allowing users to decompress the firmware file system without the use of any third-party tools.
Reverse Engineering Tools:
- Binwalk – is an inbuilt Linux utility that allows us to carve and analyze binary files.
- Unsquashfs – is a tool to decompress or extract the squashfs file system.
- Hexdump – allows the users to view the hexadecimal view of the specific input data with ability to extract file contents into multiple formats like decimal, octal, and ASCII.
- Objdump – displays information about the object files and used to disassemble executable files.
- Strings – extracts the strings embedded inside the binary files and other executable files
- GDB – the GNU Debugger helps in decompiling executables and binary files that are written in embedded C, C++, etc.
- Radare2 – is a framework built for reverse engineering and analyzing binaries.
- Ghidra – consists of a set of reverse engineering tools and licensed open source by NSA.
- IDA – is commercial software that allows debugging and decompiling the source code from executables.
- Firmware mod kit – allows decompression of various firmware in embedded devices. It supports various file systems and versions such as SquashFS 2.0, 3.0 and 4.0.