Cyber Security - Firmware Encryption

**Disclaimer: I am posting this on my own, with no relation to the manufacturer I work for. I have been interested in this for a while, and finally got around to building a linux VM to play.**

I am starting this discussion for people to be able to discuss about firmware encryption. This may not be the most scientific method, just what I know about so far...

Many hackers and researchers find vulnerabilities by reviewing firmware to see the file system, code, database, user list & password hashes, etc. Once they find what operating system/files are present, they can then look for weak algorithms, client side hashing, or buffer overflows.

Link to video showing a hacker playing with firmware...

Encrypting the firmware makes this a lot harder. The hacker instead needs access to a device that they already have user access to, as opposed to just reviewing the firmware and then attempting to access a device on the Internet.

I have chosen models based on common manufacturers that I could access firmware for. I am not familiar with all of the lines for each manufacturer, so let me know if there is a better, newer model to test. If you can point me to a firmware link, I am happy to take a look.

Below are screenshots of firmware that is not encrypted.

You can then use the software to extract the contents to examine:

I had to manipulate the file to remove a header. Then I was able to extract the firmware archive.

Here is the web filesystem:

Here is a firmware that is encrypted. Note that it states that the file uses OpenSSL encryption.

Some firmware files I was not able to tell, which may mean the firmware has been obfuscated or it may also be encrypted, but I was unable to tell with the tools I have.

Arecont surrountvideo omni g2 av20275dn v65199 unknown/Possibly encrypted

Avigilon H4 ES camera line ACC6.0.0.24 h4HD-FW-t200-3.16.2.52 no encryption

Axis P3225-LVE no encryption

Bosch dinion ip dynamic 7000 hd cpp 6.32.0099 unknown/Possibly encrypted

Canon vbh43 v.1.25 not encrypted

Dahua DH-IPC-HDBW42A1FN-AS v432105 not encrypted

Digital watchdog wdc-md421d 2.1.5.3 not encrypted

Flir quasar gen II fs20160805nsz - broadcom header, appears not enc.

Hanwha Techwin QND-7080R v1.01 Encrypted

Hikvision DS-4x12 v5.4.0 not encrypted

Panasonic SFV78L v2.53es unknown/Possibly encrypted

Pelco Sarix IME+ next gen dome cameras - IME329 v6.2.1.73 no encryption

Sony G6 v2.7.3 No encryption

Vivotek FD8369A-V v0200e not encrypted

Anyone else think that this is important, and that firmware should be encrypted or at least have an MD5 hash listed so you can confirm that the file has not been tampered with?

Login to read this IPVM discussion.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

***** ***, **** ****!

********** *** ******** ***** **** * *** ******.

********** ******** *** **** *************/******** ******, *** ** ** ******** to **** ** **********. * *** **** ** *** ******* with **** *****, ***, ** **** *** *** ******* * large **** ** ******* ******* **** ********** ******/******. *** ****** only **** ** **** ** ** *** **** ** *** process *** **** *** '**********' ** ****.

*******, ***** ******** ********** ** **** **** ***** ******** ** not *** **** ** * ********, *** ***** ** ***** the **** **** ** ***** ******** ********** ***** ** ********** through ***** ***** (******* ******** ******* ****** *** *******/*******/********, ******* guessing, *****-***** *******).

* ** *** *** *** ********* ** **** ** ****** to ****** **** * ***** ******** ***** ** *** ******** with ** ******* ******.

* ********** ***** **** ********** ****** *** ** **** ** hide **** *********** . ** ****** **** ** ******* ***** of ******* *** **** ****** ********* ** ******* *** ****/**** your *****.

********* ******** ***** ****** **** *** ******... "*'* ****** *****", and ********* ** "*******", ****** ******** ** ** ****.

* ***** **'* ****** ** **** ** * *** **** open... *******, *** ********* ***** ***** ** ** ********* ****** it ***** ** ********, *** ***** **** ** *** ****** and ******* **** ****** ***, ** ****'* *** ******** *******...

*******, * ***** **** ** *****, **** ****. **** ** that :)

* ***** *** ******* ****** ** **** ********* ******** ** to ******* ******* **** ******** * ********* ******** ****.

* ****** **** ** ********* ** ********* ******** ********* ***'* take *** **** ***'* ********* ** ****** ** *** ***** party.

** ******** *** ******* ****** * ******* ** ****** *** firmware ***** ** ****** ************, ***.... **** ***** ****. ** someone ** **** ** **** **** ** ** ** ** the ***** ******** *** *** ****** ******* *** **** * nice *** *** ****....

*** ** * *** ***** *** ********** ** ****** * malicious ****, * *** ************* **** **-******* **.

****** ** ********** *********.

***, ***'* *** ***** *** ****** *** **-**** ****?

* ********** **** *****, *** ** ***** ** * **** that *******, *** ***** ******* ** ** **** *** *** to ******* (** ****** *** ** **** **** *** *****). From ***** *** **** ** ** ** ****, ** ********** the ****** ******** ******. **** *** ******* ****** *** ***** some ***** ***, **** ******** ** ******** *** ******** *** checksum.

*******, * ***** **** *** **** **** ** ********* ******, and ****** *** ** ******** **** *********.

* ***** ***** ** * ********* **** ******* ********** *** digital *******. ********** ** **** **** ***** **** ** '****' the ******** ** *** ********. ** **** ***** *** ******** would **** ** ** ********* ** *** ****** *** ** to ** **** ** *** - **** ********** *** **** be '*********' - ********* *** **** ****** ** **** ** get ** *** ******** **** * ****** ******. ** ***** if *** **** **** ***** ** *** ****** / ******** and ** *** *** *** *** *** ** ******** *** want.

****** ******* ** *** ***** **** ** * ****** ******* at *** ******** ***** **** ******* (******) ******** ***** ** allowed ** ***. ** **'* *** ****** **** ** ****** doesn't ***.

**** ** *** * **** ** * ******* ** ***** approach ** ** ***** ********. ***** *** **** ***** ****** of ******* **** **** **** ** ** **********. ********** ** anything *******, ************, ****** *********** *******, *** ** *****.

******** ********* ** ** ** ****** ** ******** ** * multi-faceted ******* **** ******** * ****** ** ******** ******** **** the ****** **. ** ** *** ********* **** *** *** slap * '******** *******' ** *** ** ***** *** ****.

******

**'* ******** ** ***** **** ** *** *** ****** ** such * *** **** ** ** **** ********* ** ******* the *** **** ** ******* ********. **'** ******* **** ** weeks ** ****, ********* ****** ** ***** ****** **********.

****'* ** **** ** **, ******* ******** ******** *** ********* recommendations *** *******.

******** ******* ** * *********. **'* ***** **** **** ******* firmware *** ** ****** **** **** ****** ******* ******* ****** (e.g. *** ******* ********** ****** ***** ******** ** ****). ******* this ** *****, *** ****** ****** **** *** ******** *** are ******* ** ******* *** *** *********.

******** ********** ** *** * *********, *** ** **** ***** casual *** **** ********** ******* **** ********** *** ********. **** of *** *************** ***** ******** ***** ** ********* ********** ** find *** * *****-*** ********. ** ** ****** **** ***** vulnerabilities *** ***** ****** *********** *** ******** ******* ** **** the ************* ********* ** ******* ***** ****** *******, ****** **** potentially ****** * ***** ****** ******** ********** **** * *-*** on ***.

****** *** ***** **** *****-***** *********** ******* *************** *** ************* improving ******** *** *****. *** ****** ** ****** **** *** found *** **** ******** ** * **** ***-**** **** *****-*** access ** ******.

****** *** ***** **** *****-***** *********** ******* *************** *** ************* improving ******** *** *****. *** ****** ** ****** **** *** found *** **** ******** ** * **** ***-**** **** *****-*** access ** ******.

** * ******* *****, ***. ** *** **** ** *** recent ******** ***** ** ******** ********, ***** *** *** **** to ** ** ****** *** *****-*** ****** ** *** ******. So, *** ******** ***** ** ******** *********** **** ************* ******** awareness, *** **** ****** ******* ********, ** *** ******* **** generally ********* ** ********/******** ********.