IoT devices are often "set and forget": manufacturers rarely update them. Step 1 of hacking an IoT device is getting the firmware. You can download it from the vendor's support page or dump it physically from the SPI flash chip.

Binwalk: The Magic Wand

Firmware is just a binary blob (0s and 1s). How do you find files inside?
binwalk -e firmware.bin
Binwalk scans for "magic bytes" (file-format headers). When it sees 0x1F8B it says "Aha! That's a GZIP file" and extracts it. Inside, it may find a SquashFS filesystem, which it extracts in turn.
Suddenly, you have the device's full /etc/shadow file and /var/www/ directory.
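To show what that signature scan actually does, here is an added example in Python (not binwalk's own code and not from the original page): it carves a constructed firmware-like blob and verifies each gzip hit by decompressing it, so a chance occurrence of 0x1F8B is reported as a false positive rather than extracted.

```python
import gzip
import struct
import zlib

# Magic bytes a binwalk-style carver looks for (a constructed subset; real
# binwalk ships a signature database with hundreds of entries).
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x7fELF": "ELF executable",
}

def scan(blob):
    """Return (offset, description) for every magic-byte match, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        off = blob.find(magic)
        while off != -1:
            hits.append((off, name))
            off = blob.find(magic, off + 1)
    return sorted(hits)

def carve_gzip(blob, offset):
    """Inflate the gzip stream at offset. A magic match alone proves nothing
    (0x1F8B can occur by chance), so verify by decompressing. Returns
    (payload, bytes_consumed) or None when no valid, complete stream is there."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+: gzip header expected
    try:
        payload = d.decompress(blob[offset:])
    except zlib.error:
        return None
    if not d.eof:
        return None  # header was fine but the stream is truncated
    return payload, len(blob) - offset - len(d.unused_data)

def report(blob):
    """Classify every hit: gzip hits are verified by carving, others only noted."""
    out = []
    for off, name in scan(blob):
        if name == "gzip":
            out.append((off, name, "verified" if carve_gzip(blob, off) else "false positive"))
        else:
            out.append((off, name, "not carved"))
    return out

def build_sample_firmware():
    """Constructed image: padding, a bogus gzip header (false positive), a real
    gzip stream holding one /etc/passwd line, then a SquashFS superblock start."""
    fake = b"\x1f\x8b\x08" + b"\xff" * 13           # reserved FLG bits set: invalid
    real = gzip.compress(b"root:x:0:0:root:/root:/bin/sh\n", mtime=0)
    squash = b"hsqs" + struct.pack("<I", 3)        # magic + inode count field
    layout = {"fake_gzip": 64, "real_gzip": 112, "squashfs": 112 + len(real) + 16}
    return b"\xff" * 64 + fake + b"\x00" * 32 + real + b"\x00" * 16 + squash, layout

if __name__ == "__main__":
    fw, _ = build_sample_firmware()
    for off, name, status in report(fw):
        print(f"0x{off:06X}  {name:26s} {status}")
```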

1. The Analysis Loop

  1. Extract Filesystem: Use Binwalk.
  2. Find Secrets: `grep -r "password" .` or look in `/etc/shadow`. If hashes are MD5/DES, crack them with John the Ripper.
  3. Analyze Binaries: Decompile the MIPS/ARM binaries with Ghidra. Look for unsafe calls such as `strcpy()` (buffer overflows) in the web server binary (often `httpd` or `goahead`).
  4. Backdoor: Add your own SSH key to `/root/.ssh/authorized_keys`, repack the firmware, and flash it back to the device.

2. Emulation (QEMU)

You don't need the physical device: you can run the router's web interface on your laptop using QEMU's user-mode emulator. Run it from inside the extracted root filesystem so that `-L .` makes QEMU load the firmware's own loader and libc instead of your host's:
qemu-mips -L . ./usr/sbin/httpd
This lets you fuzz the interface for vulnerabilities without bricking the real hardware.

3. Common Flaws

1. Hardcoded Telnet Credentials: "root" / "admin".
2. Command Injection: The web interface's ping tool builds a shell command from user input, e.g. `system("ping " + input)` (pseudocode). Input `; rm -rf /` makes the shell run a second command.
3. Open UART Ports: Physical pins on the board that give you a root shell if you connect a USB-to-TTL adapter.

Security Tips

As a user: Change default passwords. Put IoT devices on a separate Guest VLAN. Update firmware immediately.
As a dev: Sign your firmware. Encrypt the filesystem. Disable UART/JTAG in production (eFuses).