Microsoft has introduced a firmware analysis feature for Microsoft Defender for IoT, aimed at identifying potential security vulnerabilities in IoT devices. This new feature performs an automated analysis of a binary firmware image running on an IoT device, providing a detailed inventory of open-source packages found in the firmware image.
Detection of IoT and OT Device Vulnerabilities
The introduction of this feature is a response to the growing concern over IoT and OT device vulnerabilities. Many organizations have thousands of endpoints running outdated, unpatched SSH servers, and with the recent discovery of the log4shell vulnerability, the need for improved visibility into network devices has become more pressing. Microsoft Defender for IoT Firmware Analysis can detect log4shell and similar threats.
The majority of attacks observed so far have involved mass-scanning, crypto mining, establishing remote shells, and red-team activity. However, it is highly likely that attackers will continue adding exploits for log4shell and similar vulnerabilities to their toolkits. Microsoft has observed both sophisticated adversaries (such as nation-state actors) and commodity attackers taking advantage of these vulnerabilities.
How Firmware Analysis Works
To use the firmware analysis feature, IT admins need to navigate to the Firmware analysis (preview) blade in Microsoft Defender for IoT and upload an unencrypted Linux-based firmware image received from the device vendor. Once the image is unpacked and the embedded file system is identified, a thorough security analysis of the firmware image identifies hidden threat vectors.
Microsoft Defender for IoT Firmware Analysis helps security teams scan the firmware components for publicly known Common Vulnerabilities and Exposures (CVEs). This information can then be passed on to organizations and device manufacturers. The analysis creates an inventory of open-source packages akin to a Software Bill of Materials (SBOM), helping manufacturers track components and detect vulnerabilities.
Beyond identifying vulnerabilities, the firmware analysis feature also assesses binary hardening. It checks how the binaries were built and whether they use protections such as stack canaries, giving a measure of security hygiene and of the risk of binary exploitation. It also identifies built-in user accounts and the cryptographic algorithms used to hash their stored passwords.
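To make the account, password-hash and binary-hardening checks above concrete, here is an added example (not Microsoft's code or the product's logic) that runs equivalent checks over an unpacked firmware root; the shadow file contents and ELF fragment are constructed sample data, and the canary check is a checksec-style heuristic.

```python
"""Audit an unpacked Linux firmware root for built-in accounts, password-hash
algorithms and stack-canary use. Added example, not Microsoft's code; the
sample shadow file and ELF fragment are constructed for illustration."""

# crypt(3) "$id$" prefixes and the algorithm each denotes.
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "5": "sha256crypt",
            "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
WEAK = {"descrypt", "md5crypt"}  # fast legacy schemes, cheap to brute-force offline


def classify_hash(field: str) -> str:
    """Name the hash algorithm (or account state) of one shadow hash field."""
    if field == "":
        return "EMPTY"                 # password-less login
    if field[0] in "*!":
        return "locked"                # password login disabled
    if field.startswith("$"):
        ident = field.split("$")[1]
        return HASH_IDS.get(ident, f"unknown(${ident}$)")
    return "descrypt" if len(field) == 13 else "unknown"  # 13 chars = DES crypt


def audit_shadow(text: str) -> list[dict]:
    """Parse /etc/shadow content and flag accounts whose hash is empty or weak."""
    findings = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            user, field = line.split(":")[:2]
            algo = classify_hash(field)
            findings.append({"user": user, "algorithm": algo,
                             "risky": algo == "EMPTY" or algo in WEAK})
    return findings


def has_stack_canary(elf: bytes) -> bool:
    """checksec-style heuristic: -fstack-protector binaries import __stack_chk_fail."""
    return elf.startswith(b"\x7fELF") and b"__stack_chk_fail\0" in elf


# Constructed sample shadow: DES-hashed root, password-less svc, locked daemon, yescrypt user.
SAMPLE_SHADOW = """root:ab01FAX.bQRSU:19000:0:99999:7:::
svc:::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
user:$y$j9T$salt$hashhashhashhashhashhashhashhashhashhashhash:19000:0:99999:7:::
"""
# Constructed ELF fragment: the magic plus a slice of a dynamic string table.
SAMPLE_ELF = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + b"libc.so.6\0__stack_chk_fail\0"
if __name__ == "__main__":
    print(*audit_shadow(SAMPLE_SHADOW), sep="\n")
    print("stack canary:", has_stack_canary(SAMPLE_ELF))
```

On a real image, feed `audit_shadow` the extracted `etc/shadow` and run `has_stack_canary` over each ELF under the unpacked root.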
Cryptographic Material Detection
Microsoft Defender for IoT Firmware Analysis can also detect cryptographic material embedded in device firmware, including expired, revoked, or self-signed SSL certificates that could compromise communication between the device and a cloud service. A compromised channel could leak organizational data and leave the device open to exploitation.
Microsoft Defender for IoT Firmware Analysis is now available in public preview for enterprise customers. For more information about firmware analysis, you can visit the official Microsoft page.