Microsoft Defender for IoT Gets Firmware Analysis against IoT Vulnerabilities

This new feature performs an automated analysis of a binary firmware image running on an IoT device.

Microsoft has introduced a firmware analysis feature for Microsoft Defender for IoT, aimed at identifying potential security vulnerabilities in IoT devices. The feature performs an automated analysis of a binary firmware image running on an IoT device and produces a detailed inventory of the open-source packages found in that image.

Detection of IoT and OT Device Vulnerabilities

The introduction of this feature responds to growing concern over IoT and OT device vulnerabilities. Many organizations have thousands of endpoints running outdated, unpatched SSH servers, and the recent discovery of the Log4Shell vulnerability has made better visibility into network devices more pressing. Microsoft Defender for IoT Firmware Analysis can detect Log4Shell and similar threats.

Log4Shell is a set of remote code execution (RCE) vulnerabilities in Apache Log4j 2 (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832) that has gained widespread attention because of its severity and its potential for mass exploitation. The vulnerabilities sit in an open-source component used across many suppliers' software and services, so not only the applications that bundle the vulnerable library are affected, but also any services built on those applications. The vulnerabilities allow attackers to execute arbitrary code on a target system by abusing the Java Naming and Directory Interface (JNDI) lookups within Log4j: a specially crafted string is sent to a system that uses Log4j for logging, which triggers the vulnerability and lets the attacker run their code.

The majority of attacks observed so far have involved mass scanning, crypto mining, establishing remote shells, and red-team activity. However, it is highly likely that attackers will continue adding exploits for these vulnerabilities to their toolkits. Microsoft has observed both sophisticated adversaries (such as nation-state actors) and commodity attackers taking advantage of these vulnerabilities.

How Firmware Analysis Works

To use the firmware analysis feature, IT admins need to navigate to the Firmware analysis (preview) blade in Microsoft Defender for IoT and upload an unencrypted Linux-based firmware image received from the device vendor. Once the image is unpacked and the embedded file system is identified, a thorough security analysis of the firmware image identifies hidden threat vectors.

Microsoft Defender for IoT Firmware Analysis helps security teams scan the firmware components for publicly known Common Vulnerabilities and Exposures (CVEs). This information can then be passed on to organizations and device manufacturers. The analysis creates an inventory of open-source packages akin to a Software Bill of Materials (SBOM), helping manufacturers track components and detect vulnerabilities.

Beyond vulnerability identification, the firmware analysis feature also assesses binary hardening. It checks how the binaries were built and whether they adhere to security practices such as stack canaries, giving a measure of security hygiene and binary-exploitation risk. It also identifies built-in user accounts and the cryptographic algorithms used to protect their stored password hashes.
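One of the checks described above, built-in accounts and their password-hash algorithms, as an added Python example that is not Microsoft's code: it walks constructed /etc/shadow entries of the kind found in an unpacked firmware root filesystem, classifies each hash by its crypt(3) prefix, and flags accounts with no password or a weak algorithm. The sample entries and the weak/strong judgement are this example's own assumptions.

```python
import re
# Constructed sample /etc/shadow lines, modelled on an unpacked firmware root
# filesystem; not data from any real device.
SAMPLE_SHADOW = """\
root:$6$saltsalt$QvE7lh8Yq0n7nJ9ZQxwW1eF6Gq9V3zG3pD3Q7jU0ZB1n9a3pT8bYh2fK0v1mC5xOq6RkL2wVx4SdM1sEaZ9/:19000:0:99999:7:::
admin:$1$abcdefgh$8Z3Y1Xk9Lm2Nq4Wp7Rt5v.:19000:0:99999:7:::
service:3sIuQmiC7TEt.:19000:0:99999:7:::
guest::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
support:!$5$abcdefgh$0123456789abcdef:19000:0:99999:7:::
"""

# crypt(3) prefix -> (algorithm, considered weak). Prefixes are the standard
# crypt(3) identifiers; the "weak" judgement is this example's own assumption.
CRYPT_IDS = {"1": ("md5crypt", True), "2a": ("bcrypt", False),
             "2b": ("bcrypt", False), "2y": ("bcrypt", False),
             "5": ("sha256crypt", False), "6": ("sha512crypt", False),
             "7": ("scrypt", False), "y": ("yescrypt", False)}

def classify_hash(field):
    """Return (algorithm, weak, locked, empty) for one shadow password field."""
    if field == "":
        return "none", False, False, True   # empty field: login with no password
    locked = field[0] in "!*"               # '!' / '*' disable password login
    core = field.lstrip("!*")               # a hash may still follow the marker
    if core == "":
        return "none", False, locked, False
    m = re.match(r"^\$([^$]+)\$", core)
    algo, weak = "unknown", True            # unrecognised schemes are reported
    if m:
        algo, weak = CRYPT_IDS.get(m.group(1), (algo, weak))
    elif re.fullmatch(r"[./0-9A-Za-z]{13}", core):
        algo, weak = "descrypt", True       # traditional 13-character DES crypt
    return algo, weak, locked, False

def audit_shadow(text):
    """Per-account inventory: algorithm, lock state and the findings to report."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        algo, weak, locked, empty = classify_hash(field)
        findings = []
        if empty:
            findings.append("no password set")
        if weak and not locked:
            findings.append(f"weak hash algorithm ({algo})")
        report[user] = {"algorithm": algo, "locked": locked, "findings": findings}
    return report
```

Locked accounts keep their algorithm in the inventory but raise no weak-hash finding, since the hash cannot be used for password login.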

Cryptographic Material Detection

Microsoft Defender for IoT Firmware Analysis can also detect cryptographic material present on a device, including expired, revoked, or self-signed SSL certificates that could compromise communication between the device and a cloud service. Such weaknesses could leak organizational data and leave the device open to exploitation.

Microsoft Defender for IoT Firmware Analysis is now available in public preview for enterprise customers. For more information about firmware analysis, you can visit the official Microsoft page.