Microsoft Defender also scans IoT devices

With the spread of Internet of Things (IoT) technology, connected devices are becoming more and more “popular” in the industrial, professional and private sectors. These smart devices—such as thermostats, security cameras, smart lights, and connected appliances—combine to deliver a level of automation unthinkable in the past. However, the increase in the number of IoT devices has also led to increased concern about network and data security. What’s new is that an anti-malware tool like Microsoft Defender can now also analyze the firmware of Linux-based embedded devices.

Microsoft Defender analyzes the firmware of devices connected to the local network

The basic concept is that modern cyber attacks can exploit security issues present within unsuspected components, which in turn are connected to the corporate network. Ignoring a potential threat, for example one hidden in an IoT device, can leave the door open to attacks that often have serious repercussions on the entire infrastructure.

As Derick Naef (Microsoft) explains, the firmware analysis carried out by Microsoft Defender examines images in binary format and is aimed at identifying potential vulnerabilities and weak points in the various devices. Defender can flag the presence of hardcoded login credentials, i.e. credentials embedded in the firmware of a device connected via LAN, highlight the use of obsolete and vulnerable open source packages and libraries, and report manufacturer’s private keys negligently left in the code.

The Redmond company’s antimalware can also identify binaries compiled without security flags (and therefore lacking protection against buffer overflow attacks), verifies that password hashes use secure cryptographic algorithms, and checks for expired or revoked certificates within the firmware.
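The password-hash check mentioned above can be reproduced by hand on an extracted firmware root file system. The following is an added example, not Microsoft's implementation: it classifies the password field of each `/etc/shadow` entry by its crypt(3) scheme prefix. The sample file is constructed, and the weak/acceptable split is this example's own assumption.

```python
import re

# crypt(3) scheme id -> (algorithm, flagged as weak?). Assumed policy for this example.
SCHEMES = {
    "1": ("MD5-crypt", True),
    "2a": ("bcrypt", False),
    "2b": ("bcrypt", False),
    "2y": ("bcrypt", False),
    "5": ("SHA-256-crypt", False),
    "6": ("SHA-512-crypt", False),
    "y": ("yescrypt", False),
}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional DES crypt: 13 chars, no prefix

def classify_hash(field):
    """Return (algorithm, flagged) for the password field of a shadow entry."""
    if field == "":
        return ("empty password", True)
    if field[0] in "!*":
        return ("locked/no login", False)
    if field.startswith("$"):
        scheme = field.split("$")[1]
        # Unknown schemes are flagged so that a human reviews them.
        return SCHEMES.get(scheme, ("unknown scheme", True))
    if DES_RE.match(field):
        return ("DES-crypt", True)
    return ("unrecognised", True)

def audit_shadow(text):
    """Return [(user, algorithm)] for every account whose hash is flagged."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":")[:2]
        algo, flagged = classify_hash(field)
        if flagged:
            findings.append((user, algo))
    return findings

# Constructed sample: the hash bodies are dummy strings, not real hashes.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$AAAAAAAAAAAAAAAAAAAAAA:19000:0:99999:7:::
admin:xxDUMMYDUMMY0:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:$6$saltsalt$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, algo in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {algo}")
```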

This is a major new feature for Microsoft. It does not require the installation of any agent on client devices and lets you perform a software inventory, keeping track of the weaknesses and certificates used in each individual case. At the moment there is no way to start a scan directly on devices connected to the corporate infrastructure: instead, the firmware of each one must be uploaded manually.

Firmware scan with Microsoft Defender for IoT

How to use the new Defender for IoT

To take advantage of the new Defender for IoT, users are advised to select the Firmware analysis (preview) item in the application dashboard, then upload the firmware image of each Linux device on the local network.

The system decompresses the image to detect the file system used and performs an analysis looking for potential threats. Only compiled, unencrypted Linux-based firmware images obtained from the device vendor can be scanned using the built-in functionality in Defender for IoT. Also, the image must not be larger than 1 GB.

The advice is to check the firmware version used on each IoT device, download it, then submit it to Defender. In some cases it is possible to manually extract the image using Telnet or SSH.

The steps for requesting a firmware image scan are outlined by Microsoft in the dedicated tutorial.
