{"id":7228,"date":"2023-07-27T21:43:20","date_gmt":"2023-07-27T19:43:20","guid":{"rendered":"https:\/\/jeffreyappel.nl\/?p=7228"},"modified":"2023-07-28T22:53:17","modified_gmt":"2023-07-28T20:53:17","slug":"how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses","status":"publish","type":"post","link":"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/","title":{"rendered":"How to use Defender for IoT\u00a0firmware Scanning for checking potential security vulnerabilities and weaknesses"},"content":{"rendered":"\n<p>Recently Microsoft announced a new firmware scanning feature in Defender for IoT. With the new Defender for IoT Firmware analysis, it is possible to upload firmware images for security analysis and checking against vulnerabilities and weaknesses. <\/p>\n\n\n\n<p>Currently, the feature is released in public preview. The Defender for IoT&nbsp;Firmware Analysis&nbsp;feature is automatically available when the Defender for IoT is opened via the Security Admin, Contributor, or Owner role. More information related to the permission model is explained in this blog.  <\/p>\n\n\n\n<p>This new tool comes from the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/06\/02\/microsoft-acquires-refirm-labs-to-enhance-iot-security\/\">Refirm Labs acquisition<\/a> and is now integrated into the Defender for IoT stack. Let&#8217;s explore this new feature more in-depth. <\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong><strong>Blog information:<br><\/strong><br><\/strong>Blog published: July 27, 2023<br>Blog latest updated: July 27, 2023<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Defender for IoT Firmware Analysis<\/h2>\n\n\n\n<p>Defender for IoT Firmware analysis is a new feature included in the Defender for IoT portal. With the new feature, it is possible to get visibility into the vulnerability posture of devices. This feature is really useful since there is no need to deploy anything, there is no Defender for IoT agent required or additional tooling for scanning the firmware. This is especially interesting for appliance-level devices where you can\u2019t install EDR toolings\/ IoT sensors or a vulnerability scanning agent. <\/p>\n\n\n\n<p>Compared with network traffic analysis, the firmware analysis gives more in-depth results. This feature is useful when you build the firmware in-house or receive firmware from the supply chain &#8211;  before it was difficult to review the firmware and check for potentially known vulnerabilities. Based on recent attacks; never trust the vendor or supply chain. And even when developing firmware by internal teams it is good to run additional checks against known weaknesses and vulnerabilities. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Modern solutions and black box for IoT\/ OT devices<\/strong><\/h3>\n\n\n\n<p>With modern endpoint solutions, Defender for IoT capabilities, and EDR solutions, IT and security analysts can get visibility into the software inventories and vulnerabilities. A good example is Defender for Endpoint where the Threat Vulnerability Management gives a broad view of the threat scope for application\/ drivers and hardware components. <\/p>\n\n\n\n<p>For IoT and OT devices without an agent, it is more of a black box, without full in-depth insights into the known vulnerabilities and potential anomalies around the firmware. Good examples are vulnerable open-source packages\/ hardcoded user accounts or manufacturers&#8217; private signing keys. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How works the Firmware Analysis<\/strong><\/h3>\n\n\n\n<p>The new Defender for IoT Firmware Analysis runs the analysis based on the uploaded binary firmware images. For running the analysis there is no additional agent needed.<\/p>\n\n\n\n<p>The firmware image must have the following prerequisites:<\/p>\n\n\n\n<ul>\n<li>Compiled firmware image<\/li>\n\n\n\n<li>Firmware image is unencrypted and Linux-based<\/li>\n\n\n\n<li>Firmware image is less than 1GB in size<\/li>\n<\/ul>\n\n\n\n<p>When the firmware is uploaded it will upload the firmware image to a configured selected region. After the upload, it will perform the analysis. The analysis time will vary based on the size of the firmware image and the number of files discovered in the image. <\/p>\n\n\n\n<p>In general, the following high-level steps are taken:<\/p>\n\n\n\n<ol>\n<li>Firmware image uploaded via Defender for IoT portal<\/li>\n\n\n\n<li>Firmware stored in the configured region<\/li>\n\n\n\n<li>Microsoft extracts the firmware images (status Extracting) <\/li>\n\n\n\n<li>Microsoft performs the analysis (status analysis)<\/li>\n\n\n\n<li>Microsoft will show the firmware analysis when the status is ready (status ready)<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Configure the Firmware Analysis workspace\/ feature<\/h2>\n\n\n\n<p>First, it is important to configure the region for storing the firmware images and prepare the Firmware Analysis feature. <\/p>\n\n\n\n<p>When opening the Defender for IoT portal it requires the following roles: <\/p>\n\n\n\n<ul>\n<li>Security Admin<\/li>\n\n\n\n<li>Contributor<\/li>\n\n\n\n<li>Owner role<\/li>\n<\/ul>\n\n\n\n<p>When the SecurityReader role is assigned it is possible to give permissions to the following role for standalone access to the new FirmwareAnalysisfeature. <\/p>\n\n\n\n<ul>\n<li>FirmwareAnalysisAdmin<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Configure the portal<\/strong><\/h3>\n\n\n\n<p>Open the Azure portal and search for Defender for IoT. Firmware analysis is part of the Defender for IoT portal. <\/p>\n\n\n\n<p>Open <strong>Firmware analysis (preview) <\/strong>in the right menu part of the Defender for IoT page. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"417\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-106-1024x417.png\" alt=\"\" class=\"wp-image-7230\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-106-1024x417.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-106-300x122.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-106-768x313.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-106-1536x626.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-106-2048x835.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-106-585x238.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The first requirement is to select the subscription and configure the region. The region is needed for storing and processing all uploads. <\/p>\n\n\n\n<p>1: Select the subscription<\/p>\n\n\n\n<p>2: Configure the region<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"398\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-107-1024x398.png\" alt=\"\" class=\"wp-image-7231\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-107-1024x398.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-107-300x117.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-107-768x298.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-107-1536x597.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-107-2048x795.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-107-585x227.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Currently, only the regions West Europe and East US are available: <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"407\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-108-1024x407.png\" alt=\"\" class=\"wp-image-7232\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-108-1024x407.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-108-300x119.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-108-768x305.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-108-1536x610.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-108-2048x814.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-108-585x232.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Set-up of workspace<\/strong><\/h3>\n\n\n\n<p>On the backend the firmware analysis workspace will be created &#8211; it can take some time before the workspace is created. When the region is configured the result is a new Resource group in Azure with the name convention: <strong>FirmwareAnalysisRG<\/strong> and a workgroup with the name <strong>default<\/strong>. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-111-1024x538.png\" alt=\"\" class=\"wp-image-7235\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-111-1024x538.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-111-300x158.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-111-768x404.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-111-1536x807.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-111-2048x1076.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-111-585x307.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Upload the firmware images<\/h2>\n\n\n\n<p>When the workspace is created we are ready to upload the first firmware image. Navigate to the Firmware analysis (preview) blade in Defender for IoT and upload the firmware images using the upload button. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"244\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-125-1024x244.png\" alt=\"\" class=\"wp-image-7250\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-125-1024x244.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-125-300x71.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-125-768x183.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-125-1536x366.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-125-2048x488.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-125-585x139.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Firmware requirements <\/strong><\/h3>\n\n\n\n<ul>\n<li>Compiled firmware image<\/li>\n\n\n\n<li>Firmware image is unencrypted and Linux-based (encrypted images will not work)<\/li>\n\n\n\n<li>Firmware image is less than 1GB in size<\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s start with a recent firmware image of the Ubiquiti Dream machine. Upload the firmware image and fill in the Vendor\/ Model\/ Version and optional description for reference and visibility. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"400\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-126-1024x400.png\" alt=\"\" class=\"wp-image-7251\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-126-1024x400.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-126-300x117.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-126-768x300.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-126-1536x600.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-126-2048x800.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-126-585x228.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 1: Extracting the uploaded firmware<\/strong><\/h3>\n\n\n\n<p>During step 1 the firmware file will be extracted on the backend of Microsoft. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"368\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-113-1024x368.png\" alt=\"\" class=\"wp-image-7237\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-113-1024x368.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-113-300x108.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-113-768x276.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-113-1536x552.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-113-2048x737.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-113-585x210.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 2: Firmware analysis<\/strong><\/h3>\n\n\n\n<p>During Step 2 the firmware will be analyzed. This step can take some time (depends on the size of the firmware and type of files). <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"398\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-130-1024x398.png\" alt=\"\" class=\"wp-image-7260\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-130-1024x398.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-130-300x117.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-130-768x299.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-130-1536x597.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-130-2048x796.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-130-585x227.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 3: Firmware is ready<\/strong><\/h3>\n\n\n\n<p>During step 3 the firmware will be ready. When the status is showing Ready the report is ready and the firmware analysis is completed. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"539\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-112-1024x539.png\" alt=\"\" class=\"wp-image-7236\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-112-1024x539.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-112-300x158.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-112-768x404.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-112-1536x808.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-112-2048x1078.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-112-585x308.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>When clicking on the item the analysis details are visible. As an example, we uploaded the Ubiquiti UI Dream Router firmware (recent version). Defender firmware analysis is showing the following information as a result of the scan. Microsoft scanned the file in 2 minutes and 4 seconds. <\/p>\n\n\n\n<ul>\n<li>Total extracted size: 64.9 MB<\/li>\n\n\n\n<li>Root file system: 0<\/li>\n\n\n\n<li>Firmware file size: 556.3 MB<\/li>\n\n\n\n<li>Files extracted: 2.077<\/li>\n\n\n\n<li>Analysis duration: 2 min 4 sec<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"562\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-114-1024x562.png\" alt=\"\" class=\"wp-image-7238\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-114-1024x562.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-114-300x165.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-114-768x421.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-114-1536x843.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-114-2048x1124.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-114-585x321.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Part of the analysis is the button <strong>View results<\/strong> with the results view the vulnerability analysis will be opened with more in-depth security insights around the discovered vulnerabilities and findings. <\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Vulnerability report<\/h2>\n\n\n\n<p>When the result is ready and the <strong>View Results <\/strong>button is clicked all items are visible. What can be wrong with a recently released firmware for the UniFi OS Dream Router 3.1.14? <\/p>\n\n\n\n<p>Teaser; it is not good and I was surprised with the results from discovered CVEs. <\/p>\n\n\n\n<p>Firmware download link: https:\/\/community.ui.com\/releases\/UniFi-OS-Dream-Router-3-1-14\/a8c131a2-7045-414f-9144-42b252ba8288<\/p>\n\n\n\n<p>It starts with an overview page based on 6 widgets: The 6 widgets are based on the following information: <\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Item<\/strong><\/td><td><strong>Explanation<\/strong><\/td><\/tr><tr><td>SBOM (Software bill of materials) <strong>(1)<\/strong><\/td><td>A detailed listing of open-source packages used during the firmware&#8217;s build process.<\/td><\/tr><tr><td>CVE analysis <strong>(2)<\/strong><\/td><td>Firmware components have publicly known security vulnerabilities and exposures.<\/td><\/tr><tr><td>Binary hardening analysis <strong>(3)<\/strong><\/td><td>Identify binaries that haven&#8217;t enabled specific security flags during compilation like buffer overflow protection, position independent executables, and more common hardening techniques.<\/td><\/tr><tr><td>SSL certificate analysis <strong>(6)<\/strong><\/td><td>Reveal expired and revoked TLS\/SSL certificates.<\/td><\/tr><tr><td>Public and private key analysis <strong>(5)<\/strong><\/td><td>Verify that the public and private cryptographic keys discovered in the firmware are necessary and not accidental.<\/td><\/tr><tr><td>Password hash extraction <strong>(4)<\/strong><\/td><td>Ensure that user account password hashes use secure cryptographic algorithms.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>From the dashboard view the first insights are visible. Based on the dashboard we can directly see that the component glibc is used with 12 CVEs. In the weaknesses breakdown we see that a major count is part of the critical severity. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"657\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-117-1024x657.png\" alt=\"\" class=\"wp-image-7241\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-117-1024x657.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-117-300x192.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-117-768x493.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-117-1536x985.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-117-2048x1314.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-117-585x375.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Each component is explained more in-depth in the specific subpages. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"657\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-118-1024x657.png\" alt=\"\" class=\"wp-image-7242\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-118-1024x657.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-118-300x192.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-118-768x493.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-118-1536x985.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-118-2048x1314.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-118-585x375.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Software components<\/h2>\n\n\n\n<p>List of the software components, version, and executable paths part of the image. With this view there is insight into the used components part of the firmware. The below examples show the component OpenSSL and the executable paths of the firmware. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"556\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-119-1024x556.png\" alt=\"\" class=\"wp-image-7243\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-119-1024x556.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-119-300x163.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-119-768x417.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-119-1536x834.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-119-2048x1112.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-119-585x318.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Weakness<\/strong><\/h3>\n\n\n\n<p>Shows the weakness score for the detected components. The CVE list is derived from the NIST NVD <em>(The&nbsp;NVD&nbsp;is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP) <\/em>database based on the open-source components. For the Ubiquiti UniFi UI Dream Router firmware, there are a couple of critical weaknesses detected related to the OpenSSL\/glibc component. <\/p>\n\n\n\n<p>Detailed page shows the CVSS score\/ CVSS version\/ Component and Component version: <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"603\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-120-1024x603.png\" alt=\"\" class=\"wp-image-7244\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-120-1024x603.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-120-300x177.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-120-768x452.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-120-1536x904.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-120-2048x1206.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-120-585x344.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Detailed view of the specific CVE: <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"573\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-127-1024x573.png\" alt=\"\" class=\"wp-image-7257\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-127-1024x573.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-127-300x168.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-127-768x430.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-127-1536x859.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-127-2048x1146.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-127-585x327.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Binary hardening<\/strong><\/h3>\n\n\n\n<p>Binary hardening shows the common hardening techniques and binaries that haven&#8217;t enabled specific security flags. Currently, Microsoft supports the following recommended security settings: NX, PIE, RELRO, CANARY, STRIPPED<\/p>\n\n\n\n<p>Microsoft <em>&#8220;After identifying vulnerabilities, firmware analysis goes a step further by assessing binary hardening. It looks at how the code that runs the device was built, and whether it conforms to security best practices such as Stack Canaries. Binary hardening analysis shows the difficulty or ease of possible binary exploitation and is also a good proxy for the overall security hygiene taken by the manufacturer&#8221;<\/em> More information is available here: <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-defender-for-iot-blog\/analyze-iot-ot-device-firmware-with-microsoft-defender-for-iot\/ba-p\/3853474\">Analyze IoT\/OT device firmware with Microsoft Defender for IoT<\/a><\/p>\n\n\n\n<p>Mitigations like RELRO, NX, Stack Canaries, and PIE are basic mitigation measures. With the binary hardening analysis there is an overview of the security hygiene and applied hardening in the firmware. <\/p>\n\n\n\n<p><strong>NX<\/strong>:&nbsp;stands for \u201cNon-Execute\u201d. NX markets areas of the program as non-executable. This implies that stored input or data cannot be executed as code. <\/p>\n\n\n\n<p><strong>PIE:<\/strong>&nbsp;stands for \u201cPosition Independent Executable\u201d. This indicates that the executable was built in such a way (PIE) that the &#8220;text&#8221; section of the program can be relocated in memory.<\/p>\n\n\n\n<p><strong>RELRO:<\/strong>&nbsp;stands for \u201cRelocation Read-Only\u201d. RELRO is a generic mitigation technique to harden the data sections of an ELF binary\/process. More information: <a href=\"https:\/\/www.redhat.com\/en\/blog\/hardening-elf-binaries-using-relocation-read-only-relro#:~:text=In%20conclusion%2C%20RELRO%20is%20a,before%20entering%20the%20main%20function).\">Hardening ELF binaries using Relocation Read-Only (RELRO)<\/a><\/p>\n\n\n\n<p><strong>Stack Canary:<\/strong>&nbsp;is used to detect a stack buffer overflow. A Stack Canary is a &#8220;secret value&#8221; placed on the stack which forces a change when the program is started. <\/p>\n\n\n\n<p>Blog tip: Check the following medium post: <a href=\"https:\/\/medium.com\/@n80fr1n60\/linux-binary-security-hardening-1434e89a2525\">Linux binary security hardening<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"616\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-121-1024x616.png\" alt=\"\" class=\"wp-image-7245\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-121-1024x616.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-121-300x181.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-121-768x462.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-121-1536x924.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-121-2048x1233.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-121-585x352.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Password Hashes<\/strong><\/h3>\n\n\n\n<p>The Password Hashes data view gives visibility to the embedded accounts and associated password hashes part of the firmware. Select the user account for more information. In the example of the UI firmware the users; root and UI are embedded in the firmware. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"265\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-122-1024x265.png\" alt=\"\" class=\"wp-image-7246\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-122-1024x265.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-122-300x78.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-122-768x199.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-122-1536x397.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-122-2048x530.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-122-585x151.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Detailed view: <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"340\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-128-1024x340.png\" alt=\"\" class=\"wp-image-7258\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-128-1024x340.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-128-300x100.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-128-768x255.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-128-1536x511.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-128-2048x681.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-128-585x194.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Certificates<\/strong><\/h3>\n\n\n\n<p>Certificates give visibility in the TLS\/ SSL certificates part of the firmware. Each certificate item can be opened for more in-depth information. There is a breakdown between Expired; Expiring Soon; Weak signature; Self-signed; short key size certificates. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"459\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-134-1024x459.png\" alt=\"\" class=\"wp-image-7265\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-134-1024x459.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-134-300x135.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-134-768x344.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-134-1536x689.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-134-2048x919.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-134-585x262.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Keys<\/strong><\/h3>\n\n\n\n<p>Keys gives an overview of the public and private crypto keys in the firmware. Each key item can be opened for more in-depth information. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"265\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-123-1024x265.png\" alt=\"\" class=\"wp-image-7247\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-123-1024x265.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-123-300x78.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-123-768x199.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-123-1536x397.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-123-2048x530.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-123-585x151.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Examples<\/h2>\n\n\n\n<p>TP-Link Deco X50 Mesh product with older firmware scanned, this mesh product is popular for consumers\/ home networks &#8211; since most of the consumers are just using the product. For normal consumers; why update when the product is working fine (-; <\/p>\n\n\n\n<p>325 total CVEs and 153 critical!! &#8211; 162 CVEs in the tcpdump component. Since this is a popular product &#8211; for sure this is used in the wild with other products. CVEs from 2016 with CVSS score of 9.8! <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"482\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-131-1024x482.png\" alt=\"\" class=\"wp-image-7261\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-131-1024x482.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-131-300x141.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-131-768x361.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-131-1536x723.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-131-2048x964.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-131-585x275.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"466\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-132-1024x466.png\" alt=\"\" class=\"wp-image-7262\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-132-1024x466.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-132-300x137.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-132-768x350.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-132-1536x699.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-132-2048x932.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-132-585x266.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Botnet example<\/h2>\n\n\n\n<p>The Mirai botnet was a good example. The malware part of the Mirai botnet was leveraging over 60 default usernames and passwords to take over IoT devices and used them to perform mass Distributed Denial of Service (DDoS) attacks. The Dark.IoT botnet is a new variant based on the Mirai botnet. TP-Link routers were massively under attack from the Dark.IoT botnet. <\/p>\n\n\n\n<p>More information: <a href=\"https:\/\/k4m1ll0.com\/cve-2021-41653.html\">TP-Link TL-WR840N EU v5 Remote Code Execution<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-129-1024x587.png\" alt=\"\" class=\"wp-image-7259\" srcset=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-129-1024x587.png 1024w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-129-300x172.png 300w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-129-768x440.png 768w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-129-1536x880.png 1536w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-129-2048x1173.png 2048w, https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-129-585x335.png 585w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Following <a href=\"https:\/\/www.radware.com\/security\/threat-advisories-and-attack-reports\/dark-iot-botnet\/\">Fortinet<\/a>, Dark.IoT operators are most likely using the default passwords to access devices and use a bug (see above remote code execution) to gain full control of the devices. Most of them were unpatched since the internal components were vulnerable. <\/p>\n\n\n\n<p>It was not only TP-Link since other vendors were attacked (Cisco, Dlink \/MicroFocus routers, and many more). With the recently growing abuse of IoT\/ OT devices, it is important to make sure the firmware is patched and no vulnerabilities are exploited. The new firmware capability in Defender for IoT makes this flow easier for checking against known vulnerabilities\/ misconfiguration. <\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Checked a couple of IoT devices from my home network, and even when running the latest firmware there is a huge amount of detected vulnerable CVEs and misconfigurations. <\/p>\n\n\n\n<p>My favorite part of this new feature is how simple the firmware scanning feature is configured &#8211; there is no sensor\/ agent required and the firmware can be downloaded from the vendor site and manually uploaded to the firmware analysis page for viewing the report and findings. <\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Sources<\/h2>\n\n\n\n<p>Microsoft: <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-defender-for-iot-blog\/analyze-iot-ot-device-firmware-with-microsoft-defender-for-iot\/ba-p\/3853474\">Analyze IoT\/OT device firmware with Microsoft Defender for IoT<\/a><\/p>\n\n\n\n<p>Microsoft: <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/defender-for-iot\/device-builders\/overview-firmware-analysis\">Firmware analysis for device builders<\/a><\/p>\n\n\n\n<p>Microsoft: <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/defender-for-iot\/device-builders\/tutorial-analyze-firmware\">Analyze an IoT\/OT firmware image<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently Microsoft announced a new firmware scanning feature in Defender for IoT. With the new Defender for IoT Firmware analysis, it is possible to upload firmware images for security analysis and checking against vulnerabilities and weaknesses. Currently, the feature is&#8230;<\/p>\n","protected":false},"author":1,"featured_media":7263,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[249,189],"tags":[236],"table_tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to use Defender for IoT\u00a0firmware Scanning for checking potential security vulnerabilities and weaknesses<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to use Defender for IoT\u00a0firmware Scanning for checking potential security vulnerabilities and weaknesses\" \/>\n<meta property=\"og:description\" content=\"Recently Microsoft announced a new firmware scanning feature in Defender for IoT. With the new Defender for IoT Firmware analysis, it is possible to upload firmware images for security analysis and checking against vulnerabilities and weaknesses. Currently, the feature is...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/\" \/>\n<meta property=\"og:site_name\" content=\"Jeffrey Appel - Microsoft Security blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-07-27T19:43:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-28T20:53:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-133.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2374\" \/>\n\t<meta property=\"og:image:height\" content=\"1216\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jeffrey\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeffrey\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/\",\"url\":\"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/\",\"name\":\"How to use Defender for IoT\u00a0firmware Scanning for checking potential security vulnerabilities and weaknesses\",\"isPartOf\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-133.png\",\"datePublished\":\"2023-07-27T19:43:20+00:00\",\"dateModified\":\"2023-07-28T20:53:17+00:00\",\"author\":{\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\"},\"breadcrumb\":{\"@id\":\"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/#primaryimage\",\"url\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-133.png\",\"contentUrl\":\"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-133.png\",\"width\":2374,\"height\":1216},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jeffreyappel.nl\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to use Defender for IoT\u00a0firmware Scanning for checking potential security vulnerabilities and weaknesses\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jeffreyappel.nl\/#website\",\"url\":\"https:\/\/jeffreyappel.nl\/\",\"name\":\"Jeffrey Appel - Microsoft Security blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jeffreyappel.nl\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42\",\"name\":\"Jeffrey\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g\",\"caption\":\"Jeffrey\"},\"url\":\"https:\/\/jeffreyappel.nl\/author\/contact\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to use Defender for IoT\u00a0firmware Scanning for checking potential security vulnerabilities and weaknesses","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/","og_locale":"en_US","og_type":"article","og_title":"How to use Defender for IoT\u00a0firmware Scanning for checking potential security vulnerabilities and weaknesses","og_description":"Recently Microsoft announced a new firmware scanning feature in Defender for IoT. With the new Defender for IoT Firmware analysis, it is possible to upload firmware images for security analysis and checking against vulnerabilities and weaknesses. Currently, the feature is...","og_url":"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/","og_site_name":"Jeffrey Appel - Microsoft Security blog","article_published_time":"2023-07-27T19:43:20+00:00","article_modified_time":"2023-07-28T20:53:17+00:00","og_image":[{"width":2374,"height":1216,"url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-133.png","type":"image\/png"}],"author":"Jeffrey","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jeffrey","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/","url":"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/","name":"How to use Defender for IoT\u00a0firmware Scanning for checking potential security vulnerabilities and weaknesses","isPartOf":{"@id":"https:\/\/jeffreyappel.nl\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/#primaryimage"},"image":{"@id":"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/#primaryimage"},"thumbnailUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-133.png","datePublished":"2023-07-27T19:43:20+00:00","dateModified":"2023-07-28T20:53:17+00:00","author":{"@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42"},"breadcrumb":{"@id":"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/#primaryimage","url":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-133.png","contentUrl":"https:\/\/jeffreyappel.nl\/wp-content\/uploads\/2023\/07\/image-133.png","width":2374,"height":1216},{"@type":"BreadcrumbList","@id":"https:\/\/jeffreyappel.nl\/how-to-use-defender-for-iot-firmware-scanning-for-checking-potential-security-vulnerabilities-and-weaknesses\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jeffreyappel.nl\/"},{"@type":"ListItem","position":2,"name":"How to use Defender for IoT\u00a0firmware Scanning for checking potential security vulnerabilities and weaknesses"}]},{"@type":"WebSite","@id":"https:\/\/jeffreyappel.nl\/#website","url":"https:\/\/jeffreyappel.nl\/","name":"Jeffrey Appel - Microsoft Security blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jeffreyappel.nl\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/ebdd80b67674ad29968ad249abc89c42","name":"Jeffrey","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jeffreyappel.nl\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/37bbb7acc360ea70a60f26ca4548d940?s=96&d=mm&r=g","caption":"Jeffrey"},"url":"https:\/\/jeffreyappel.nl\/author\/contact\/"}]}},"amp_enabled":false,"_links":{"self":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/7228"}],"collection":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/comments?post=7228"}],"version-history":[{"count":12,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/7228\/revisions"}],"predecessor-version":[{"id":7339,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/posts\/7228\/revisions\/7339"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media\/7263"}],"wp:attachment":[{"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/media?parent=7228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/categories?post=7228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/tags?post=7228"},{"taxonomy":"table_tags","embeddable":true,"href":"https:\/\/jeffreyappel.nl\/wp-json\/wp\/v2\/table_tags?post=7228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}