IoTGoat: Deliberately Insecure IoT firmware
IoTGoat is an intentionally insecure firmware developed to educate software developers and security experts about the different vulnerabilities commonly found in IoT (Internet of Things) systems.
IoTGoat: Deliberately Insecure IoT Firmware
This Deliberately Insecure IoT Firmware allows the user to explore numerous vulnerabilities such as weak passwords, insecure network services and insecure web interfaces within the devices. IoTGoat is based on the OpenWrt operating system and maintained by the Open Web Application Security Project foundation (OWASP) to show the users how common faults can be exposed and what implications they can have for organizations and individuals. The vulnerability challenges are based on the ‘OWASP IoT Top 10 2018’, in addition to secret vulnerabilities placed by the firmware developers.
Vulnerabilities Challenges in IoTGoat
– Insecure Network Services
– Insecure Ecosystem Interfaces
– Lack of Secure Update Mechanism
– Use of Insecure or Outdated Components
– Insufficient Privacy Protection
– Insecure Data Transfer and Storage
– Lack of Device Management
– Insecure Default Settings
– Lack of Physical Hardening
Features:
- Shows the user different vulnerabilities within IoT devices.
- 10 common vulnerabilities are included
- Easy to install on any IoT device
Supported Platforms:
- IoT Device
- Linux
Requirements:
- See below
IoTGoat Install
2. For dynamic web testing and binary runtime analysis, the quickest way to get started is downloading the latest “IoTGoat-x86.vmdk” (VMware) and create a custom virtual machine using the IoTGoat disk image. (For more details, click on “documentation” button below).
3. IoTGoat can be viewed through open-source tools such as Firmadyne and FAT which run the firmware virtually. This allows the user to get a taste of how IoTGoat behaves when it is run on a real device. Navigate the filesystem to analyze application and network services.
4. In addition to this, the user can opt to run IoTGoat on their own virtual machines or on a Raspberry Pi 2 through image files available here.
Building From Source
Thanks to OpenWRT flexibility, you can flash IoTGoat on supported OpenWrt hardware.
*
Root or sudo aren’t needed when building.Clone the repo and navigate to OpenWrt directory:
$ git clone https://github.com/OWASP/IoTGoat.git $ cd IoTGoat/OpenWrt/openwrt-18.06.2/
Then run the following commands:
$ ./scripts/feeds update -a $ ./scripts/feeds install -a $ make menuconfig # select your preferred configuration for the toolchain, target system & firmware packages. $ make # Build your firmware with make. This will download all sources, build the cross-compile toolchain and then cross-compile the Linux kernel & all chosen applications for your target system.
Once built, the compiled firmware will be placed in this directory IoTGoat/OpenWrt/openwrt-18.06.2/bin/targets/ depending on the target selected in menuconfig.
Usage
IoTGoat will automatically run on any device/system which it is installed on.
BusyBox v1.28.4 () built-in shell (ash)
.--,\\\__
██████╗ ██╗ ██╗ █████╗ ███████╗██████╗ `-. a`-.__
██╔═══██╗██║ ██║██╔══██╗██╔════╝██╔══██╗ | ')
██║ ██║██║ █╗ ██║███████║███████╗██████╔╝ / \ _.-'-,`;
██║ ██║██║███╗██║██╔══██║╚════██║██╔═══╝ / | { /
╚██████╔╝╚███╔███╔╝██║ ██║███████║██║ / | { /
╚═════╝ ╚══╝╚══╝ ╚═╝ ╚═╝╚══════╝╚═╝ ..-"``~"-' ; )
╦┌─┐╔╦╗╔═╗┌─┐┌─┐┌┬┐ ;' `
║│ │ ║ ║ ╦│ │├─┤ │ ;' `
╩└─┘ ╩ ╚═╝└─┘┴ ┴ ┴ ;' `
------------------------------------------------------------ ;'
GitHub: https://github.com/OWASP/IoTGoat
------------------------------------------------------------
root@IoTGoat:/#
