
Using Buildroot for Security Research of IoT and Other Embedded Systems

These days many vendors, IoT vendors among them, run Linux on ARM CPUs in their embedded products. Some of these vendors use a tool called Buildroot (https://buildroot.org) to produce the root filesystem for the device. This becomes obvious when grepping through binaries on the filesystem of certain embedded devices. At the same time, many binaries useful for security research can be missing from the device. In this post I will show you how to use Buildroot to add the tools necessary for doing security research on an embedded device.

Imagine we have shell access to the router and, while looking at the strings in its binaries, we've spotted the string "Buildroot 2012.02":

strings - wget | grep -i buildroot
GCC: (Buildroot 2012.02) 4.5.3

This means we can try to reproduce the build environment used by the developers, using the Buildroot version we discovered.

Download ubuntu-12.04.5-server-i386.iso from http://releases.ubuntu.com/12.04/

Why use the legacy 12.04 release? Buildroot 2012.02 was most likely built on that version, so conflicts with newer versions of dependencies are less likely. Why 32-bit? Again, the target ARM CPU binaries are 32-bit.

Create a VM and bring it up to date with:

sudo apt-get clean
sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update
sudo apt-get upgrade

Then install the necessary components:

sudo apt-get install build-essential libncurses5-dev bison flex gettext texinfo unzip

Download buildroot-2012.02 and unpack it:

curl -O https://buildroot.org/downloads/buildroot-2012.02.tar.gz
tar -zxvf buildroot-2012.02.tar.gz
cd buildroot-2012.02
make menuconfig

Select the desired utilities to build under "Package Selection for the target": lsof, ltrace, and strace. Then, under "System configuration", select "Build gdb server for the Target" and save the config. Finally, complete the compilation with:

make

Give it some time to download the required components and do the work (it may take an hour or so). Once it is done, you can grab the freshly built binaries from the ./output/target/ directory. For example, the gdb server is at:

./output/target/usr/bin/gdbserver

How can we use them? First you need to upload the binaries to the embedded system. In our case the router has USB slots, so it is a matter of copying the binaries to a thumb drive and plugging it into the router. At that point you should have the binaries ready to use for researching the embedded device.

Here are a few examples that I found very useful:

  1. Trace process launches (execve calls) with the strace utility:
/path/to/usb_drive/strace -f -s 4096 -e execve -p <PID>
  2. Remotely debug a process using Hex-Rays IDA:
/path/to/usb_drive/gdbserver --attach 192.168.1.1:9000 <PID>

Now, on the IDA machine, configure the "Debugger - use remote GDB debugger". Under Debugger->Process options, specify the proper path to the binary on the embedded system, along with the IP and port (192.168.1.1 and 9000 in the example above). Finally, use the Debugger->Attach to process menu item to actually connect via the network and debug.

  3. Use lsof to get the mapping of TCP/UDP ports to processes. Otherwise it can be done manually by examining the /proc/net/tcp file and then looking through file descriptors.
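
The manual /proc approach from the last item, written out as a POSIX shell sketch. This is an added example, not code from the original post; the function names and the PROC/TABLE arguments are assumptions of the example, and it goes slightly beyond the text by also accepting the udp and tcp6 tables, which share the same leading columns.

```sh
#!/bin/sh
# Added example: map ports to owning processes from /proc alone (no lsof).
# The PROC and TABLE arguments are hypothetical conveniences of this sketch.

# tcp_state HEX -> name for the states seen most often in the table
tcp_state() {
    case "$1" in
        01) echo ESTABLISHED ;;
        06) echo TIME_WAIT ;;
        07) echo CLOSE ;;        # how unconnected UDP sockets are reported
        0A) echo LISTEN ;;
        *)  echo "0x$1" ;;
    esac
}

# inode_owners PROC INODE -> "pid:exe" for each process holding that socket
inode_owners() {
    owners=
    for fd in "$1"/[0-9]*/fd/*; do
        # Socket descriptors are symlinks of the form socket:[inode]
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$2]" ] || continue
        pdir=${fd%/fd/*}
        entry="${pdir##*/}:$(readlink "$pdir/exe" 2>/dev/null || echo '?')"
        case " $owners " in *" $entry "*) continue ;; esac   # dup()ed fd
        owners="$owners $entry"
    done
    echo "${owners# }"
}

# port_owners [PROC] [TABLE] -> lines of: PORT STATE INODE OWNERS
port_owners() {
    proc=${1:-/proc}
    # Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
    while read -r sl laddr raddr st txrx trtm retr uid tmo inode rest; do
        [ "$sl" != "sl" ] || continue        # header row
        [ "$inode" != "0" ] || continue      # TIME_WAIT entries carry inode 0
        port=$(printf '%d' "0x${laddr##*:}") # port is the hex after the colon
        echo "$port $(tcp_state "$st") $inode $(inode_owners "$proc" "$inode")"
    done < "$proc/net/${2:-tcp}"
}

# Query the live system only when asked: sh portmap.sh run [tcp|udp|tcp6]
if [ "${1:-}" = "run" ]; then port_owners /proc "${2:-tcp}"; fi
```

Reading other processes' fd links requires root; a socket whose owner cannot be read is listed with an empty owner column.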

On a closing note, vendors will sometimes publish source code for parts of a device if they use GPL'ed components. This might be another way to produce the binaries we need: we can get the kernel version, some sources, and so on. Sometimes it is even possible to build the entire root filesystem using instructions from the vendor. Buildroot just saves time by doing a lot of the work for us.
