
SRAN IoT First Trust

Why Firmware Inspection is Important: Vulnerabilities Found… in 1 Day, 1 Month, 1 Year

More than 1,000 new vulnerabilities are discovered every month, and over 1 billion new IoT devices are added each year. Half of these devices are at risk of being hacked, so inspecting their firmware is crucial.

CIPAT IoT First Trust

The main objectives are as follows:

1. Add Value to Manufacturers, Retailers, and Consumers: This program helps consumers be confident in the safety of the IoT devices they use.

2. Compliance with Cybersecurity Standards and Regulations: This program references and utilizes widely accepted cybersecurity standards and regulations for testing IoT devices to ensure consumer safety.

3. Provide the “IoT Security Check” Certification: Products that pass the tests are awarded the “IoT Security Check” label in conjunction with internationally recognized certification bodies.

4. Provide Detailed Information via QR Code or Approval Number on the Product Label: Information can be accessed through a QR code or approval number on the product label.

IoT First Trust Services

Firmware security inspection for IoT devices involves critical steps drawn from international standards such as the OWASP Firmware Security Testing Methodology (FSTM), ETSI EN 303 645 cybersecurity testing, and NIST 8259. The technical testing details are as follows:

SOURCE CODE ANALYSIS

Analyzing the embedded code in firmware to detect issues such as coding defects, the use of risky components, or configurations that may pose security risks.

PENETRATION TESTING

Testing firmware by simulating attacks to identify vulnerabilities and weaknesses, which are compared against risk levels defined by CVE (Common Vulnerabilities and Exposures).

FUNCTIONAL AND SYSTEM TESTING

Examining the functionality of firmware through automated testing processes to identify potential vulnerabilities, including testing for defects related to improper memory management, authentication issues, and other security problems.

MEMORY MANAGEMENT CHECKS

Inspecting memory management to find vulnerabilities such as buffer overflows or memory leaks.

Testing Standards

The inspection follows the OWASP Firmware Security Testing Methodology (FSTM), ETSI EN 303 645 cybersecurity testing, and NIST 8259 standards as follows:

Information Gathering

Collecting technical information and documents related to the firmware functions of the device being tested.

Obtaining Firmware

Starting the examination of the firmware content. The system will create a firmware image file for analysis.

Analyzing Firmware

Analyzing the firmware functions and checking the characteristics of the firmware functions submitted for inspection.

Dynamic Analysis

Performing dynamic security testing on the firmware functions and application interfaces.

Extracting the Filesystem

Extracting the filesystem to separate the filesystem contents from the firmware functions.

Analyzing Filesystem Contents

Analyzing the extracted filesystem contents to review configuration files and binaries for vulnerabilities.

Emulating Firmware

Creating a virtual system of the firmware functions for testing files and components of the firmware.

Runtime Analysis

Analyzing compiled binaries at runtime, while the device is in operation.

Binary Exploitation

Exploiting binaries to take advantage of vulnerabilities found in previous steps to access systems or execute code.
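The "Analyzing Filesystem Contents" step above can be illustrated with a short audit script. This is an added example, not code from the inspection platform; the three checks, the paths it looks at, and the sample filesystem are assumptions constructed for the illustration.

```python
import os
import re
import tempfile

# Assumed checks for this example: PEM private-key headers and telnetd in startup files.
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
TELNETD = re.compile(rb"\btelnetd\b")
STARTUP = ("etc/inittab", "etc/init.d/")

def audit_rootfs(root):
    """Return sorted (relative_path, finding) tuples for an extracted root filesystem."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):  # firmware symlinks may point outside the extraction dir
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # the first 1 MiB is enough for these checks
            if rel in ("etc/passwd", "etc/shadow"):
                for line in data.decode("utf-8", "replace").splitlines():
                    fields = line.split(":")
                    if len(fields) > 1 and fields[1] == "":
                        findings.append((rel, f"account '{fields[0]}' has an empty password field"))
            if PEM_KEY.search(data):
                findings.append((rel, "embedded private key material"))
            if rel.startswith(STARTUP) and TELNETD.search(data):
                findings.append((rel, "startup file references telnetd"))
    return sorted(findings)

def build_sample_rootfs(root):
    """Write a constructed sample tree standing in for an extracted firmware filesystem."""
    files = {
        "etc/passwd": "root::0:0:root:/root:/bin/sh\nnobody:x:99:99::/:/bin/false\n",
        "etc/init.d/rcS": "#!/bin/sh\n/usr/sbin/telnetd &\n",
        "etc/ssl/device.key": "-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        for rel, finding in audit_rootfs(tmp):
            print(f"{rel}: {finding}")
```

Pointing `audit_rootfs` at the directory produced by the filesystem extraction step gives a first-pass list of configuration findings to triage before binary analysis.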

Inspection Process

The Cyber Technology Innovation Promotion Association has a verification process through a platform system used to identify vulnerabilities and risks in the firmware of IoT devices.