Microsoft Previews Defender for IoT Firmware Analysis Service

Cyber Security Threat Summary:
“Microsoft announced a new Defender for IoT feature that will allow analyzing the firmware of embedded Linux devices like routers for security vulnerabilities and common weaknesses. Dubbed Firmware Analysis and now available in Public Preview, the new capability can detect a wide range of weaknesses, from hardcoded user accounts and outdated or vulnerable open-source packages to the use of a manufacturer's private cryptographic signing key” (Bleeping Computer, 2023). "Firmware analysis takes a binary firmware image that runs on an IoT device and conducts an automated analysis to identify potential security vulnerabilities and weaknesses," Microsoft's Derick Naef says. "This analysis provides insights into the software inventory, weaknesses, and certificates of IoT devices without requiring an endpoint agent to be deployed."

The following features are currently available to analyze IoT devices' firmware security:

  • Software Bill of Materials (SBOM): Provides an inventory of open-source packages used to build the firmware, indicating the package version and the corresponding licensing agreements.
  • CVE Analysis: Offers insights into firmware components with publicly known security vulnerabilities and exposures.
  • Binary Hardening Analysis: Identifies binaries compiled without security flags, such as buffer overflow protection, position-independent executables, and other common hardening techniques.
  • SSL Certificate Analysis: Uncovers expired and revoked TLS/SSL certificates within the firmware.
  • Public and Private Key Analysis: Verifies the necessity and authenticity of public and private cryptographic keys found in the firmware.
  • Password Hash Extraction: Ensures that user account password hashes use secure cryptographic algorithms.
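
To make the "Binary Hardening Analysis" bullet concrete, the following is an added example (not Microsoft's code and not part of the Defender for IoT service) of the kind of check such an analysis performs on each ELF binary found in an unpacked firmware file system: whether it was built as a position-independent executable (PIE), whether its stack is marked non-executable (NX), whether a RELRO segment is present, and, as a heuristic, whether it references the stack-protector failure routine. The `build_elf` helper constructs tiny ELF images purely as test input; they are not real firmware binaries. The checker handles 32- and 64-bit, little- and big-endian images (MIPS routers are commonly big-endian 32-bit), and `scan_directory` is an assumed convenience wrapper that walks an extracted root file system.

```python
"""Minimal ELF hardening checker (added example, not Microsoft's code)."""
import os
import struct

PT_GNU_STACK = 0x6474E551   # program header describing the stack's permissions
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3      # ET_DYN is what a PIE (or shared object) uses


def _parse(image):
    """Return (e_type, [(p_type, p_flags), ...]) for an ELF32/ELF64, LE/BE image."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf_class, endian = ("<" if image[5] == 1 else ">"), None
    endian = "<" if image[5] == 1 else ">"
    if image[4] == 2:   # ELFCLASS64: 64-byte header, 56-byte program headers
        hdr = struct.unpack(endian + "16sHHIQQQIHHHHHH", image[:64])
        ph_fmt, type_idx, flags_idx = endian + "IIQQQQQQ", 0, 1
    elif image[4] == 1: # ELFCLASS32: 52-byte header, 32-byte program headers
        hdr = struct.unpack(endian + "16sHHIIIIIHHHHHH", image[:52])
        ph_fmt, type_idx, flags_idx = endian + "IIIIIIII", 0, 6
    else:
        raise ValueError("unknown ELF class %d" % image[4])
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        fields = struct.unpack(ph_fmt, image[off:off + e_phentsize])
        phdrs.append((fields[type_idx], fields[flags_idx]))
    return e_type, phdrs


def check_hardening(image):
    """Report PIE / NX / RELRO / canary for one ELF image (bytes)."""
    e_type, phdrs = _parse(image)
    stack = [flags for ptype, flags in phdrs if ptype == PT_GNU_STACK]
    return {
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all means the loader falls back to an executable stack.
        "nx": bool(stack) and not (stack[0] & PF_X),
        # Presence of the segment means at least partial RELRO; full RELRO also
        # needs DT_BIND_NOW in the dynamic section, which this example does not parse.
        "relro": any(ptype == PT_GNU_RELRO for ptype, _ in phdrs),
        # Heuristic: a canary-protected binary imports __stack_chk_fail from libc.
        "canary": b"__stack_chk_fail" in image,
    }


def findings(report):
    """Turn a report into the list of missing hardening properties."""
    labels = [("pie", "no PIE"), ("nx", "executable stack"),
              ("relro", "no RELRO"), ("canary", "no stack canary")]
    return [text for key, text in labels if not report[key]]


def scan_directory(root):
    """Walk an unpacked firmware root and check every ELF file found (assumed helper)."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if data[:4] == b"\x7fELF":
                results[path] = findings(check_hardening(data))
    return results


def build_elf(pie, nx_stack, relro, canary, elf_class=2, big_endian=False):
    """Construct a tiny ELF image as test input (constructed, not a real binary).
    nx_stack=None omits PT_GNU_STACK entirely, as some old toolchains did."""
    endian = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([elf_class, 2 if big_endian else 1, 1, 0]) + b"\0" * 8
    segs = [(1, PF_R | PF_X)]                               # one PT_LOAD text segment
    if nx_stack is not None:
        segs.append((PT_GNU_STACK, PF_R | PF_W | (0 if nx_stack else PF_X)))
    if relro:
        segs.append((PT_GNU_RELRO, PF_R))
    e_type = ET_DYN if pie else ET_EXEC
    if elf_class == 2:
        ph = b"".join(struct.pack(endian + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in segs)
        hdr = struct.pack(endian + "16sHHIQQQIHHHHHH", ident, e_type, 0xB7, 1, 0, 64, 0, 0,
                          64, 56, len(segs), 0, 0, 0)
    else:
        ph = b"".join(struct.pack(endian + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 0x1000) for t, f in segs)
        hdr = struct.pack(endian + "16sHHIIIIIHHHHHH", ident, e_type, 0x08, 1, 0, 52, 0, 0,
                          52, 32, len(segs), 0, 0, 0)
    tail = b"\0__stack_chk_fail\0" if canary else b"\0puts\0"   # stands in for .dynstr
    return hdr + ph + tail


if __name__ == "__main__":
    weak = build_elf(pie=False, nx_stack=False, relro=False, canary=False, elf_class=1, big_endian=True)
    print("weak (MIPS-style BE32):", findings(check_hardening(weak)))
    print("hardened (AArch64):", findings(check_hardening(build_elf(True, True, True, True))))
```

The report shape mirrors what checksec-style tools print for each file; in a firmware context the interesting output is the aggregate, for example every binary under `/usr/sbin` that still ships with an executable stack. The RELRO and canary checks are deliberately approximate here: distinguishing partial from full RELRO needs the dynamic section, and the canary heuristic only sees whether the symbol name appears in the file.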

Security Officer Comments:
To use it, users have to go to the "Firmware analysis" blade in Defender for IoT and upload the Linux-based firmware image from their device. The system will then unpack the image to detect the embedded file system and analyze the loaded firmware for hidden threat vectors. It's important to note that only compiled and unencrypted Linux-based firmware images obtained from your device's vendor can be analyzed using the Defender for IoT Firmware Analysis feature. Also, the image must not exceed 1 GB in size.

Suggested Correction(s):
"The Defender for IoT Firmware Analysis feature is automatically available if you currently access Defender for IoT using the Security Admin, Contributor, or Owner role," Microsoft says. "If you only have the SecurityReader role or want to use Firmware Analysis as a standalone feature, then your Admin must give the FirmwareAnalysisAdmin role."

Link(s):
https://www.bleepingcomputer.com/