IoT Device Firmware Security Monitoring Report

1. Overview

In recent years, the Internet of Things (IoT) has been deeply integrated with technologies such as 5G, artificial intelligence, blockchain, big data, and IPv6, leading to a continuous emergence of new technologies, products, and models. With the acceleration of digital transformation and intelligent upgrading of the economy and society, IoT has been widely applied in various fields including smart cities, digital villages, intelligent transportation, smart agriculture, intelligent manufacturing, smart construction, and smart homes, becoming an important component of new infrastructure. According to IDC’s prediction, the number of global IoT devices is expected to reach 41.6 billion by 2025.
Firmware is a key component of IoT devices, typically stored in non-volatile memory devices such as ROM, EEPROM, and flash in embedded devices, containing essential content required for device operation. Firmware interacts with underlying hardware and supports various device applications.
Because IoT device manufacturers may reuse open-source components and third-party code containing security vulnerabilities during firmware development, and often give insufficient consideration to security audits and network security protection for the firmware they ship, vulnerabilities in IoT device firmware keep surfacing, and firmware vulnerabilities and supply chain security issues of IoT devices have become increasingly prominent. In 2020, JSOF disclosed the Ripple20 vulnerabilities in the Treck TCP/IP stack, impacting billions of IoT devices produced by more than 500 manufacturers worldwide. In 2021, Nozomi Labs disclosed serious vulnerabilities in the P2P video surveillance device development kit (SDK) from ThroughTek, affecting tens of thousands of IoT smart devices such as cameras; attackers could exploit the vulnerabilities to eavesdrop on real-time audio and video, or even take control of devices built on this kit.
In response to the security risks of IoT firmware, security researchers have proposed various methods for comprehensive testing and evaluation of IoT firmware security from perspectives such as static analysis, symbolic execution, vulnerability correlation, and fuzz testing, enabling the identification and analysis of vulnerabilities in individual firmware or batches of firmware. The CNCERT IoT Security Research Team has long focused on the security issues of IoT device chips and firmware, conducting research based on two directions: monitoring the security situation of IoT device firmware and large-scale analysis of IoT device firmware vulnerabilities.
Based on monitoring data and firmware security analysis systems, this report attempts to analyze and assess the overall security situation of firmware from three aspects: the dissemination and download trends of typical format firmware files in the past month, the dissemination and download situation of key types of firmware, and the analysis of vulnerabilities in key types of firmware.
Specific content includes:
1) Analyzing the dissemination and download trends of typical format firmware files, monitoring and identifying behaviors such as frequent dissemination and bulk downloads.
2) Monitoring the dissemination and download trends of firmware from 22 typical router manufacturers, identifying frequent access and bulk download behaviors on different router manufacturers’ official websites.
3) Conducting in-depth analysis of nearly 1,000 router firmware from 22 typical router manufacturers, discovering common issues such as sensitive information leakage, hard-coded passwords, and vulnerable configurations, and analyzing supply chain security issues such as firmware code reuse, component reuse, and same-origin vulnerabilities.

2. Dissemination and Download Trends of IoT Firmware Files

2.1 Dissemination and Download Trends of Typical Format Firmware Files
(1) Monitoring of Firmware File Format Dissemination and Download
The formats of IoT firmware files are complex and diverse, with no unified standards, typically provided in the form of single binary files or compressed files. Typical firmware binary file formats include bin, img, hex, etc., and typical firmware file compression formats include zip, rar, gz, etc.
In the past month, we monitored the dissemination and download of firmware files in 43 typical formats, detecting a total of 4,730,119 dissemination and download events, involving 958,996 dissemination and download links and 33,843 source sites.
Among all dissemination and download events, analysis revealed that many common compressed formats such as zip and rar did not contain IoT firmware files. After filtering out non-firmware files, there were 219,209 dissemination and download events involving IoT firmware, with 20,614 dissemination and download files and 3,720 source site IPs. Through verification analysis of the availability of dissemination and download links, the ranking of firmware file formats and quantities obtained is shown in Figure 1. It can be seen that most firmware files are disseminated and downloaded in compressed formats, with zip, rar, gz, bz2, and 7z being the most common.
Figure 1 Distribution of Successfully Verified Firmware Format Quantities
In the files with higher dissemination and download frequency, based on the naming conventions of firmware, complete firmware files are named as Device.bin, etc.; firmware update packages and patch files are named wlan_update_v2.zip, DCUpdate2_0000.zip, patch_update_11.1.6.31.002.zip, etc.; and some firmware filenames lack readability, such as 75801.bin.
(2) Monitoring of Firmware Dissemination and Download Sites
Table 1 lists the number of events and access IPs for dissemination and download sites of typical format firmware, showing differences in access frequency and IP quantities among different sites: some sites have high access frequency but few unique IPs, such as 185.*.*.150; while some sites have both considerable access frequency and a large number of unique IPs, such as 104.*.*.102.
Table 1 Event Count and Access IP Situation of Typical Dissemination and Download Sites
Further analysis of the hostnames and site content of the download sites shows that the addresses 34.*.*.141 and 10.*.*.198-205, whose domains are igpsort.com and service.mercurycom.com.cn respectively, are official firmware download addresses of IoT device manufacturers; that the address 185.*.*.150, with the domain technet24.ir, is a general resource download site offering firmware, software, e-books, teaching videos, and other resources; and that the sites 104.*.*.102 and 104.*.*.102 are nodes of a web security vendor, distributed through Cloudflare’s CDN.
(3) Monitoring of Firmware Acquisition Behavior
Analysis of the IP behavior acquiring firmware files revealed a total of 20,733 unique downloading IPs. Analyzing the most frequently downloading domestic IPs, their ranking is shown in Table 2. It is evident that the firmware downloading behavior of different IP addresses shows significant differences: some IPs are bulk downloading hundreds of different firmware files, while others frequently attempt to download a single firmware file.
Based on threat intelligence, historical malicious behavior associated with the IP addresses was correlated, and IP address 112.*.*.27 was suspected to be a bot, with analysis revealing that this IP frequently accessed gowincg.com (which is inactive), attempting to download 22 site files, involving 2,369 download events, with a maximum download frequency of 127 per minute, making its behavior quite suspicious.
Table 2 Top 10 Domestic User IPs by Download Frequency
In summary, monitoring the dissemination and download trends of typical format files reveals that the disseminated firmware files are primarily in compressed formats; the sources of firmware dissemination and download include manufacturer official websites, CDN cloud service providers, and general resource download sites; and malicious IP addresses exhibit bulk acquisition behavior for firmware files.
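The two download behaviours described above (one IP bulk-acquiring hundreds of different files, another hammering a single file at up to 127 requests per minute) can be recovered from ordinary web-server access logs. The following is an added example, not part of the report or of the CNCERT monitoring system: it profiles each client IP from Common Log Format lines and flags the three patterns. The log lines, IP addresses and file names are constructed, and the thresholds are deliberately low so the sample triggers them; in production they would be tuned to the figures the report cites.

```python
# Added example (not from the CNCERT report): flag bulk and high-rate firmware
# downloaders in a web-server access log. Thresholds are kept small so the
# constructed sample triggers them; tune them for real traffic volumes.
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample log lines in Common Log Format; IPs and paths are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2023:10:00:01 +0000] "GET /fw/R7000_V1.0.11.zip HTTP/1.1" 200 5120000
203.0.113.5 - - [01/Mar/2023:10:00:02 +0000] "GET /fw/R6700_V1.0.4.chk HTTP/1.1" 200 4120000
203.0.113.5 - - [01/Mar/2023:10:00:03 +0000] "GET /fw/DIR-842_1.02.bin HTTP/1.1" 200 3120000
203.0.113.5 - - [01/Mar/2023:10:00:04 +0000] "GET /fw/DIR-878_1.30.bin HTTP/1.1" 200 3120000
198.51.100.9 - - [01/Mar/2023:10:05:00 +0000] "GET /fw/Device.bin HTTP/1.1" 200 1024000
198.51.100.9 - - [01/Mar/2023:10:05:10 +0000] "GET /fw/Device.bin HTTP/1.1" 200 1024000
198.51.100.9 - - [01/Mar/2023:10:05:20 +0000] "GET /fw/Device.bin HTTP/1.1" 200 1024000
198.51.100.9 - - [01/Mar/2023:10:05:30 +0000] "GET /fw/Device.bin HTTP/1.1" 200 1024000
198.51.100.9 - - [01/Mar/2023:10:05:40 +0000] "GET /fw/Device.bin HTTP/1.1" 200 1024000
192.0.2.77 - - [01/Mar/2023:11:00:00 +0000] "GET /fw/wlan_update_v2.zip HTTP/1.1" 200 204800
"""

# Extensions the report lists as typical firmware binary and archive formats.
FIRMWARE_EXT = (".bin", ".img", ".chk", ".hex", ".zip", ".rar", ".gz", ".bz2", ".7z")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')


def parse_log(text):
    """Yield (ip, timestamp, path) for every successful request for a firmware-like file."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, path, status = m.groups()
        if status != "200" or not path.lower().endswith(FIRMWARE_EXT):
            continue
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path


def profile_downloaders(text, bulk_threshold=3, rate_threshold=4):
    """Per-IP profile: distinct files, total events, peak requests per minute, and flags."""
    files = defaultdict(set)
    events = defaultdict(int)
    per_minute = defaultdict(lambda: defaultdict(int))
    for ip, ts, path in parse_log(text):
        files[ip].add(path)
        events[ip] += 1
        per_minute[ip][ts.replace(second=0)] += 1

    profile = {}
    for ip in files:
        peak = max(per_minute[ip].values())
        flags = []
        if len(files[ip]) >= bulk_threshold:
            flags.append("bulk-download")          # many distinct firmware files
        if peak >= rate_threshold:
            flags.append("high-rate")              # burst of requests inside one minute
        if events[ip] >= rate_threshold and len(files[ip]) == 1:
            flags.append("single-file-hammering")  # repeated attempts on one file
        profile[ip] = {"files": len(files[ip]), "events": events[ip],
                       "peak_per_minute": peak, "flags": flags}
    return profile


if __name__ == "__main__":
    for ip, info in profile_downloaders(SAMPLE_LOG).items():
        print(ip, info)
```

Flagged IPs are candidates for correlation with threat intelligence, as the report does for 112.*.*.27; the profile alone does not establish malice, since mirrors and package caches also download in bulk.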

2.2 Monitoring and Analysis of Router Device Firmware Dissemination

In recent years, router devices, especially home wireless routers, have been widely used and are in vast numbers. As a critical relay node in networks, routers have also become important attack targets for hackers, used for information theft, resource consumption, and control exploitation. There have always been numerous routers exposed on the public internet globally. Resource mapping has revealed the online status of mainstream router brands as shown in Figure 2.
Figure 2 Online Status of Mainstream Router Brands
It can be seen that mainstream router brands such as Huawei, TP-Link, and Cisco have a significant number of devices online. However, the network security status of router devices is not optimistic. As early as 2018, research by the American Consumer Association pointed out that among 186 tested sample routers, 155 (83%) had firmware vulnerabilities of varying severity, meaning that on average five out of six wireless routers have security vulnerabilities. We therefore focused on monitoring and analyzing the dissemination and download of router device firmware.
(1) Monitoring of Official Channel Firmware Dissemination and Download
Within a month, we identified 56,686 firmware dissemination and download events from the official websites of 22 router manufacturers, including NETGEAR, ASUS, UTT, WAYOS, TP-Link, and D-Link, involving 2,052 download addresses and 322 source site IPs. Table 3 lists the top 15 source site IP download event rankings. It is evident that mainstream brands such as NETGEAR, WAYOS, Xiaomi, and D-Link have firmware dissemination and download events, with brands like D-Link and NETGEAR having the highest number of firmware downloads.
Table 3 Monitoring Situation of Source Site Dissemination and Download Events
Based on the analysis of the firmware file names for dissemination and download, we discovered over 5,000 firmware files, with Figure 3 listing the product models corresponding to the most frequently downloaded firmware files, among which Xiaomi and NETGEAR’s product firmware had the highest download frequency.
Figure 3 Typical Products with High Firmware Download Frequency
Analyzing the IP addresses acquiring firmware, we monitored a total of 13,324 unique IPs obtaining downloaded firmware. Ranking the top 15 IPs by download quantity, the situation is shown in Table 4. It is evident that multiple foreign IP addresses have been bulk acquiring firmware files over the past month.
Table 4 Top 15 User IPs by Download Quantity
By correlating threat intelligence information, we identified 9 IP addresses with malicious tags, including bot, scanning, and exploitation labels. For instance, IP address 216.*.*.202 is suspected to be a bot, with 306 download events involving 261 files, including 258 NETGEAR files and 3 files from DrayTek.
In summary, monitoring and analyzing the dissemination and download trends of typical router device firmware effectively detects firmware dissemination and download activities from mainstream router brands such as NETGEAR and WAYOS, and reveals that malicious IPs frequently access and bulk download from different router manufacturers’ official websites.
(2) Analysis of Router Firmware Available Through Official Channels
We verified the router firmware dissemination and download addresses over the past month and successfully acquired 663 firmware files, with manufacturers including NETGEAR, ASUS, UTT, WAYOS, Xiaomi, and D-Link, among which NETGEAR had the highest number of firmware files. The distribution of firmware quantities by brand is shown in Figure 4.
Figure 4 Distribution of Verified Firmware Brands and Quantities
The verified 663 firmware files primarily include 8 types of formats such as img, chk, bin, and zip, with the corresponding format and quantity distribution shown in Figure 5.
Figure 5 Distribution of Firmware File Formats Obtained from Official Websites
In the past month, the 663 firmware files were involved in a total of 8,115 dissemination and download events, with an average of 198 daily dissemination and download events, and 1,194 unique download IPs distributed across 52 countries and regions including the USA, China, and France, as shown in Figure 6.
Figure 6 Distribution of Download IP Quantities by Country
The dissemination and download event situation of the manufacturers of these firmware is shown in Figure 7.
Figure 7 Dissemination and Download Event Situation of Firmware Manufacturers
Analyzing the firmware downloading behavior of single IPs revealed that 68 IPs downloaded more than 10 firmware files, with the IP with the highest download count acquiring 71 files. The distribution of these IPs by country is shown in Figure 8.
Figure 8 Distribution of Countries of High Frequency Download IPs
Table 5 lists the IP addresses with the highest number of firmware downloads, clearly showing that multiple IP addresses located in the USA frequently acquired firmware files from the sites of 7 manufacturers including NETGEAR, D-Link, and WAYOS.
Table 5 Situation of IP Addresses with the Most Firmware Downloads
In summary, by verifying and acquiring router firmware dissemination addresses, we obtained 663 router firmware files, primarily in img, chk, bin, and zip formats; based on monitoring firmware dissemination and download events, malicious IPs were identified frequently accessing and acquiring firmware files from multiple router manufacturers.

3. Batch Security Analysis of Router Firmware

Through long-term accumulation, our firmware library has collected over 140,000 firmware files. We randomly selected 957 firmware from 22 router manufacturers for batch analysis based on the firmware security analysis cluster, with the analysis results as follows.
3.1 Batch Analysis of Basic Firmware Information
(1) Unpacking Analysis
Out of 957 firmware files, 724 were successfully unpacked, yielding an unpacking success rate of 84.5%. The main reasons for unsuccessful unpacking include firmware file encryption and the presence of garbage data in the firmware file header.
(2) Firmware File System Analysis
Due to the limited storage space of router devices, firmware file systems are usually stored in compressed form within the firmware format. Common router firmware file systems include Squashfs, Cramfs, JFFS2, Ubifs, and others. The Squashfs file system is a compressed read-only file system used by the Linux kernel, known for its high compression ratio and is one of the most widely used compressed formats; Cramfs is a compressed read-only file system mainly applied in embedded systems with less content and no user write access; JFFS2 is a Flash-specific file system with power failure protection, a typical log-structured file system; Ubifs is one of the successor file systems to JFFS2, primarily used on solid-state storage devices.
Analysis found that most router firmware files consist of a single file system, meaning they only include one compression format. The distribution of identified file system types is shown in Figure 9, where the squashfs file system has the highest proportion, with 140 firmware files not recognized for their file system, either due to the firmware lacking a file system or the file system being unrecognizable.
Figure 9 Distribution of Single File System Types
Additionally, we found that some firmware files contained multiple file systems, meaning the firmware included several compression formats, as shown in Figure 10. All multi-file-system firmware used a main compression format plus cpio as the auxiliary format (cpio is an archiving tool that packs and unpacks files through redirection and can extract archives ending in .cpio or .tar), with squashfs paired with cpio being the most common combination.
Figure 10 Distribution of Multi-File System Types
(3) Firmware Instruction Set Analysis
Common CPU architectures for routers include MIPS, ARM, X86, PowerPC, etc. Figure 11 presents the distribution of CPU architectures for firmware, where MIPS architecture accounts for 52.5%, ARM architecture accounts for 14.2%, X86 architecture accounts for 8.5%, and PPC architecture accounts for 3.9%. It is evident that MIPS and ARM architectures are the most commonly used system architectures in current router firmware.
Figure 11 Firmware Instruction Set Architecture Situation
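The file-system identification in (2) and the instruction-set identification in (3) both come down to recognising on-disk signatures. The following is an added example, not the report's firmware analysis system, of a minimal triage pass: it scans a raw image for the magic values of the file systems the report names (squashfs, cramfs, JFFS2, UBI/UBIFS, plus cpio) at any offset, so leading garbage header bytes such as those that defeated unpacking in (1) do not hide them, and it validates each hit against the following header fields to avoid false positives on the short two-byte JFFS2 magic. It then reads the ELF machine type of an executable to infer the CPU architecture. The sample image and ELF headers are constructed in the code; the validation checks are assumptions based on the public superblock layouts of each file system.

```python
# Added example (not the report's analysis system): locate embedded file
# systems in a firmware image by signature and infer CPU architecture from
# ELF headers. Sample data is constructed inside the block.
import struct


def _squashfs_ok(buf, pos, endian):
    # Squashfs 3.x/4.x keep the major version as a u16 at superblock offset 28.
    if pos + 30 > len(buf):
        return False
    major = struct.unpack_from(endian + "H", buf, pos + 28)[0]
    return 1 <= major <= 4


def _cramfs_ok(buf, pos, endian):
    # Cramfs carries the ASCII signature "Compressed ROMFS" at offset 16.
    return buf[pos + 16:pos + 32] == b"Compressed ROMFS"


def _jffs2_ok(buf, pos, endian):
    # A JFFS2 node header is magic(2) nodetype(2); accept only known node types
    # (dirent, inode, cleanmarker, padding) to filter chance 0x1985 matches.
    if pos + 4 > len(buf):
        return False
    nodetype = struct.unpack_from(endian + "H", buf, pos + 2)[0]
    return nodetype in (0xE001, 0xE002, 0x2003, 0x2004)


_always = lambda buf, pos, endian: True

# (magic bytes, endianness of the header that follows, name, validator)
SIGNATURES = [
    (b"hsqs", "<", "squashfs", _squashfs_ok),
    (b"sqsh", ">", "squashfs", _squashfs_ok),
    (b"\x45\x3d\xcd\x28", "<", "cramfs", _cramfs_ok),
    (b"\x28\xcd\x3d\x45", ">", "cramfs", _cramfs_ok),
    (b"\x85\x19", "<", "jffs2", _jffs2_ok),
    (b"\x19\x85", ">", "jffs2", _jffs2_ok),
    (b"UBI#", ">", "ubi erase-counter header", _always),
    (b"UBI!", ">", "ubi volume-id header", _always),
    (b"\x31\x18\x10\x06", "<", "ubifs node", _always),
    (b"070701", "<", "cpio-newc", _always),
]


def scan_filesystems(image):
    """Return sorted [(offset, name)] for every validated file-system signature."""
    hits = []
    for magic, endian, name, check in SIGNATURES:
        pos = image.find(magic)
        while pos != -1:
            if check(image, pos, endian):
                hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


# e_machine values for the architectures the report discusses.
ELF_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
                0x3E: "x86-64", 0xB7: "AArch64"}


def elf_arch(blob):
    """Architecture name from an ELF header, or None if the blob is not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    endian = "<" if blob[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    e_machine = struct.unpack_from(endian + "H", blob, 18)[0]
    return ELF_MACHINES.get(e_machine, "unknown(0x%x)" % e_machine)


def build_sample_image():
    """Constructed image: junk header, squashfs, cramfs, a bogus and a real jffs2 node, cpio."""
    junk = b"\xff" * 32
    squash = b"hsqs" + b"\x00" * 24 + struct.pack("<HH", 4, 0) + b"\x00" * 32
    cram = b"\x45\x3d\xcd\x28" + b"\x00" * 12 + b"Compressed ROMFS" + b"\x00" * 16
    bogus = b"\x85\x19\x00\x00"                        # magic with invalid node type
    jffs = b"\x85\x19" + struct.pack("<H", 0x2003) + b"\x00" * 8
    cpio = b"070701" + b"0" * 104
    return junk + squash + cram + bogus + jffs + cpio


def sample_elf_header(endian, machine):
    """Constructed 20-byte ELF header prefix with the given endianness and e_machine."""
    ei_data = 1 if endian == "<" else 2
    return (b"\x7fELF" + bytes([1, ei_data, 1, 0]) + b"\x00" * 8
            + struct.pack(endian + "HH", 2, machine))


if __name__ == "__main__":
    for offset, name in scan_filesystems(build_sample_image()):
        print("0x%06x %s" % (offset, name))
    print(elf_arch(sample_elf_header("<", 0x08)))
```

On a real image the hits would be handed to the matching extractor (unsquashfs, cramfsck, jefferson or ubireader) at the reported offset; the validators reduce but do not eliminate false positives, so an extraction failure at a reported offset is still expected occasionally.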
(4) Firmware Operating System Version Analysis
Analyzing the operating systems used in router firmware reveals that 46.08% of the firmware uses operating systems based on the Linux kernel, with involved Linux version numbers including 2.4.X, 2.6.X, 3.2.X, 3.3.X, 3.4.X, 3.10.X, 3.14.X, 4.4.X, and others.
3.2 Batch Analysis of Firmware Vulnerabilities
(1) Configuration Risks, Sensitive Information Leakage, and Code Security Risks
Analyzing vulnerabilities at the configuration level within firmware, the main risk points are shown in Table 6: significant security risks exist in configuration risks, sensitive information leakage, and code security within router firmware. Configuration risks mainly refer to insecure configuration items in the firmware, sensitive information leakage typically results from non-standard development practices leading to telnet service and database leaks, while code security primarily refers to detecting whether the firmware contains source code.
Table 6 Typical Risks such as Configuration Risks and Sensitive Information Leakage
(2) Firmware Key and Password Security
Files such as *.pem, *.key, *.crt, shadow, passwd, and host_key in router firmware store keys and passwords, which are core critical information for the operating system. We conducted focused detection on such information and found the distribution of related files as shown in Figure 12 and Table 7, with the number of identified passwd files reaching as high as 795, and brute-forcing this file could yield system passwords.
Figure 12 Distribution of Identified Key File Types
Table 7 Top 10 Firmware Containing Key Files
Through attempts to crack passwords for the detected key files, we found that commonly hard-coded usernames include admin, root, user, etc., with admin accounting for 64.33%, root and user accounting for 12.74% and 10.19%, respectively.
Figure 13 Distribution of Weak Passwords
The firmware information with the highest number of files containing weak passwords is shown in Table 8.
Table 8 Top 10 Firmware Containing Weak Password Files
We found that different firmware from the same brand often contains the same weak passwords. For example, the firmware INSYS_SDSL_1.0_Router_Firmware_2.12.12.zip and INSYS_RSM_Router_Firmware_2.12.1.zip both contain the same shadow and libmoros.so files, which include the username user and password user.
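The credential findings in this subsection, hard-coded accounts in passwd and shadow files and identical credentials recurring across different firmware of one brand, can be detected directly from the extracted files without attempting to crack anything. The following is an added example, not the report's tooling: it audits passwd/shadow contents for root-equivalent extra accounts, empty passwords, password hashes left in the world-readable passwd file, and hard-coded hashes in shadow, then looks for account/hash pairs shared verbatim between firmware files. The firmware names, file contents and hash strings are constructed placeholders of the right shape, not real hashes.

```python
# Added example (not the report's analysis system): audit passwd/shadow files
# extracted from firmware and find credentials shared across images.
from collections import defaultdict
import re

# Constructed corpus: firmware name -> {path: file contents}. Hashes are
# placeholder strings shaped like real crypt(3) output, not genuine hashes.
FIRMWARE_FILES = {
    "vendorA_model1_v1.zip": {
        "/etc/passwd": ("root:x:0:0:root:/root:/bin/sh\n"
                        "admin:x:0:0::/:/bin/sh\n"
                        "user:x:1000:1000::/home/user:/bin/sh\n"
                        "nobody:*:65534:65534::/:/bin/false\n"),
        "/etc/shadow": ("root:$1$PLACEHOLDERSALT$PLACEHOLDERHASHAAAAAAAAAA:0:0:99999:7:::\n"
                        "admin::0:0:99999:7:::\n"
                        "user:$1$SHAREDSALT$SHAREDPLACEHOLDERHASHBBBBB:0:0:99999:7:::\n"
                        "nobody:*:0:0:99999:7:::\n"),
    },
    "vendorA_model2_v3.zip": {
        "/etc/shadow": ("root:$6$OTHERSALT$OTHERPLACEHOLDERHASHCCCCCCCCCCC:0:0:99999:7:::\n"
                        "user:$1$SHAREDSALT$SHAREDPLACEHOLDERHASHBBBBB:0:0:99999:7:::\n"),
    },
    "vendorB_model9_v2.bin": {
        # Legacy layout: the hash sits in the world-readable passwd file itself.
        "/etc/passwd": "root:aBcDeFgHiJkLm:0:0:root:/:/bin/sh\n",
    },
}

HASH_PREFIXES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
LOCKED = ("*", "!", "!!")


def classify_hash(field):
    """Name the crypt(3) scheme of a password field by its prefix or shape."""
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "traditional DES crypt"
    return "unknown"


def audit_firmware(name, files):
    """Return [(account, issue)] for one firmware's passwd and shadow contents."""
    findings = []
    for line in files.get("/etc/passwd", "").splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        user, pw, uid = f[0], f[1], f[2]
        if uid == "0" and user != "root":
            findings.append((user, "additional uid-0 (root-equivalent) account"))
        if pw == "":
            findings.append((user, "empty password in passwd"))
        elif pw != "x" and pw not in LOCKED:
            findings.append((user, classify_hash(pw) + " hash stored in world-readable passwd"))
    for line in files.get("/etc/shadow", "").splitlines():
        f = line.split(":")
        if len(f) < 2:
            continue
        user, pw = f[0], f[1]
        if pw == "":
            findings.append((user, "empty password in shadow"))
        elif pw not in LOCKED:
            findings.append((user, "hard-coded " + classify_hash(pw) + " hash"))
    return findings


def shared_credentials(corpus):
    """Map (account, hash) pairs to the sorted list of firmware files carrying them verbatim."""
    seen = defaultdict(set)
    for name, files in corpus.items():
        for line in files.get("/etc/shadow", "").splitlines():
            f = line.split(":")
            if len(f) >= 2 and f[1] != "" and f[1] not in LOCKED:
                seen[(f[0], f[1])].add(name)
    return {pair: sorted(names) for pair, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for fw, files in FIRMWARE_FILES.items():
        for account, issue in audit_firmware(fw, files):
            print(fw, account, issue)
    print(shared_credentials(FIRMWARE_FILES))
```

An identical salted hash in two images means the same password was baked into both builds, which is what made the INSYS case above a brand-wide rather than a per-model finding; the same comparison across vendors surfaces credentials inherited from a shared SDK.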
(3) Firmware Component Identification and Nday Vulnerability Correlation
In detecting and identifying the components contained in router firmware, we found a total of 816 common components spanning 124 distinct component types, an average of more than 4 components per firmware. The firmware with the highest numbers of identified components is ranked in Table 9.
Table 9 Top 10 Identified Firmware Component Counts
These components have historically been exposed to related vulnerabilities, and the number of associated vulnerabilities for the components is shown in Figure 14.
For example, the firmware NETGEAR_WNDR3400v3_Router_Firmware_1.0.1.28_Hotfix.zip contains components such as OpenSSL and Samba, associated with 249 vulnerabilities, as shown in the following screenshots.
Figure 15 Vulnerability Situation of Associated Firmware Components
Analyzing the vulnerability levels of router firmware components, the statistics of the involved vulnerability levels are shown in Figure 16.
To accurately describe the characteristics of the associated vulnerabilities, we used the CWE (Common Weakness Enumeration) to analyze the firmware vulnerabilities, with the analysis results shown in Table 10.
Table 10 CWE Association Situation of Firmware Vulnerabilities
(4) Firmware Vulnerability Knowledge Graph Association
Using a vulnerability knowledge graph method, we attempted to visualize the associations between firmware and vulnerabilities to support efficient vulnerability detection. Taking NETGEAR_WNDR3400v3_Router_Firmware_1.0.1.28_Hotfix.zip, which is associated with 249 vulnerabilities, as an example, Figure 17 presents the multi-level association relationships between this firmware and vulnerabilities.
Figure 17 Knowledge Graph of Vulnerabilities Associated with Firmware
From the graph, it can be seen that this firmware includes components such as Busybox 1.7.2, Samba 3.0.13, OpenSSL 0.9, Dnsmasq 2.3, and Dnsmasq 2.7, which are associated with multiple CVE vulnerabilities. The different colors in the graph represent the different severity levels of the associated vulnerabilities. In addition to components, the graph also includes associations with CWE entries, operating systems, and key certificates, which can be used for further in-depth exploration.
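The component identification and Nday correlation of (3) and the knowledge-graph association of (4) fit together as one pipeline: recover component names and versions from strings in the firmware, match each version against an advisory table, and connect firmware, component, advisory, severity and CWE as graph nodes. The following is an added example, not the report's system, of that pipeline in its simplest form. The strings blob mimics the component banners of the NETGEAR_WNDR3400v3 firmware discussed above but is constructed; the advisory table uses placeholder identifiers and made-up version ranges rather than real CVE data, and the banner regexes are assumptions about each project's version-string format.

```python
# Added example (not the CNCERT analysis system): fingerprint components from
# version strings, match them against a version-ranged advisory table, and
# build the firmware -> component -> advisory -> CWE/severity graph.
from collections import defaultdict
import re

# Banner patterns (assumed formats) for the components named in the report.
COMPONENT_PATTERNS = {
    "busybox": re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "samba":   re.compile(rb"Samba (\d+\.\d+\.\d+)"),
    "dnsmasq": re.compile(rb"dnsmasq-(\d+\.\d+)"),
}

# Constructed advisory table with placeholder IDs and invented ranges:
# (advisory id, component, first affected, first fixed, severity, CWE).
ADVISORIES = [
    ("ADV-PLACEHOLDER-1", "busybox", "1.0.0", "1.8.0",  "high",     "CWE-78"),
    ("ADV-PLACEHOLDER-2", "samba",   "3.0.0", "3.0.25", "critical", "CWE-120"),
    ("ADV-PLACEHOLDER-3", "openssl", "0.9.8", "0.9.8h", "medium",   "CWE-327"),
    ("ADV-PLACEHOLDER-4", "dnsmasq", "2.0",   "2.5",    "high",     "CWE-125"),
    ("ADV-PLACEHOLDER-5", "dnsmasq", "2.6",   "2.78",   "high",     "CWE-787"),
]

# Constructed strings blob resembling banners from the firmware's binaries.
SAMPLE_STRINGS = (b"\x00BusyBox v1.7.2 (2008-05-01 12:00:00 UTC) multi-call binary\x00"
                  b"Samba 3.0.13\x00OpenSSL 0.9.8g 19 Oct 2007\x00"
                  b"dnsmasq-2.3\x00dnsmasq-2.7\x00")


def version_key(v):
    """Comparable key: each dotted part becomes (number, letter-suffix)."""
    key = []
    for part in v.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", part)
        key.append((int(m.group(1)), m.group(2)) if m else (0, part))
    return key


def in_range(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    v = version_key(version)
    return version_key(first_affected) <= v < version_key(first_fixed)


def fingerprint(blob):
    """Sorted list of (component, version) pairs found in a strings blob."""
    found = set()
    for name, pattern in COMPONENT_PATTERNS.items():
        for m in pattern.finditer(blob):
            found.add((name, m.group(1).decode()))
    return sorted(found)


def build_graph(firmware_name, blob):
    """Adjacency dict: firmware -> component nodes -> advisory nodes -> CWE/severity nodes."""
    graph = defaultdict(set)
    for comp, ver in fingerprint(blob):
        cnode = comp + " " + ver
        graph[firmware_name].add(cnode)
        for adv_id, acomp, lo, hi, severity, cwe in ADVISORIES:
            if acomp == comp and in_range(ver, lo, hi):
                graph[cnode].add(adv_id)
                graph[adv_id].update({cwe, "severity:" + severity})
    return {node: sorted(edges) for node, edges in graph.items()}


def vulnerability_summary(graph, firmware_name):
    """Walk firmware -> component -> advisory and count advisories per severity."""
    counts = defaultdict(int)
    for cnode in graph.get(firmware_name, []):
        for adv in graph.get(cnode, []):
            for tag in graph.get(adv, []):
                if tag.startswith("severity:"):
                    counts[tag.split(":", 1)[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    g = build_graph("NETGEAR_WNDR3400v3_Router_Firmware_1.0.1.28_Hotfix.zip", SAMPLE_STRINGS)
    for node, edges in g.items():
        print(node, "->", edges)
    print(vulnerability_summary(g, "NETGEAR_WNDR3400v3_Router_Firmware_1.0.1.28_Hotfix.zip"))
```

Because the graph is keyed by component node, the same component version found in a second firmware reuses the same advisory edges, which is how the report's observation that vulnerable components recur across many firmware falls out of the structure rather than requiring a separate analysis.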
In summary, through batch security detection and analysis of nearly 1,000 router firmware using the firmware analysis system, we found that MIPS and ARM architectures are the two most commonly used system architectures in router firmware; most router firmware consists of a single file system, with squashfs being the most commonly used; nearly half of the router firmware uses Linux kernel-based operating systems. Through analyses of configuration security, sensitive information security, code security, key security, CVE vulnerability correlation, component identification, and CWE identification, we found numerous issues exposed in router firmware, including 5,585 configuration risks, 1,169 sensitive information leaks, and 1,730 code security issues; multiple routers have hard-coded weak password issues involving combinations like admin, root, and user; the most frequently used components in router firmware are busybox and openssl, and our analysis found that vulnerable components often exist in multiple firmware.

5. Conclusion

This report draws on data from monitoring and analyzing IoT device firmware across the entire network. It is the first to address two dimensions, monitoring the security situation of IoT device firmware and large-scale analysis of IoT device firmware vulnerabilities, and it carries out monitoring and analysis from three aspects, covering a limited set of firmware formats and key device types.
First, by monitoring the sources of dissemination and download events, and user behavior of typical format firmware files across the entire network in the past month, we identified malicious IPs frequently accessing specific sites to download firmware files.
Second, focusing on router firmware, we monitored the firmware download situation from the official websites of 22 router manufacturers, detecting malicious IPs bulk downloading firmware from different router manufacturers’ official websites.
Third, we selected nearly 1,000 router firmware from 22 manufacturers for in-depth analysis through the firmware analysis system, discovering common issues such as sensitive information leaks, hard-coded passwords, and vulnerable configurations, and identifying and analyzing supply chain security issues such as firmware code reuse, component reuse, and same-origin vulnerabilities.
Due to the complex heterogeneity of the underlying hardware platforms of IoT devices, many traditional security analysis methods applicable to PCs and x86 general platforms cannot be directly applied to IoT firmware analysis, making security analysis of IoT firmware a long-term challenge. In the future, the CNCERT IoT Research Team will continue to focus on the security of IoT chips and firmware, conduct ongoing monitoring of the security situation of firmware across the entire network, and continuously assess the security of the IoT firmware supply chain to safeguard the new infrastructure action plan for IoT.
Original source: Critical Infrastructure Security Emergency Response Center
Contact for submissions: Sun Zhonghao 010-82992251 [email protected]
