Microsoft Defender for IoT Gets Firmware Analysis Preview
The firmware analysis preview will show open source software use, plus common vulnerabilities and exposures, for Internet of Things devices.
Microsoft Defender for IoT now has a firmware analysis capability that's at the preview stage, per a Microsoft announcement this week.
The Internet of Things (IoT) firmware analysis capability aims to address the lack of transparency in IoT devices. It works by generating information from uploaded Linux-based firmware images. No agents are deployed and information on security vulnerabilities gets automatically generated.
Users of the firmware analysis capability have to upload an unencrypted image that's less than 1GB in size, per Microsoft's tutorial. "The image needs to be acquired from the device vendor," the announcement clarified.
The firmware in IoT devices is somewhat equivalent to operating systems in personal computers, Microsoft explained in this document on firmware analysis:
Just like computers have operating systems, IoT devices have firmware, and it's the firmware that runs and controls IoT devices.
However, IoT firmware has "traditionally lacked basic security measures," the document added. Worse, IoT firmware has been found to contain "hardcoded user accounts, outdated and vulnerable open-source packages, or a manufacturer's private cryptographic signing key."
Organizations using Microsoft Defender for IoT's firmware analysis preview will get a software bill of materials, which will show a list of open source software used, as well as its licensing. The firmware analysis also will show common vulnerabilities and exposures information about the firmware components. Firmware analysis will display a list of "expired and revoked TLS/SSL certificates." It'll also determine if the public and private keys used are "necessary and not accidental."
The firmware analysis preview also checks that secure cryptographic algorithms get used for "user account password hashes." It'll provide binary hardening analysis, identifying any lack of security flags during compilation for things like "buffer overflow protection, position independent executables, and more common hardening techniques."
In essence, Internet of Things (IoT) devices are like "black boxes" for organizations in terms of security. Firmware analysis can help avoid the audit scrambles that happened with the Log4Shell attacks in late 2021, Microsoft argued. Back then, organizations were suddenly tasked with tracking Apache Log4j open source code use in various software and devices.
IoT devices also have a bad security reputation from the purported hack of an unnamed casino using an Internet-connected fish tank, widely reported back in 2017, such as this CNN report.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.