IoTGoat: Deliberately Insecure IoT firmware


IoTGoat: Deliberately Insecure IoT firmware

IoTGoat is an intentionally insecure firmware developed to educate software developers and security experts about the different vulnerabilities commonly found in IoT (Internet of Things) systems.

oTGoat: Deliberately Insecure IoT firmware Logo

IoTGoat: Deliberately Insecure IoT Firmware

This Deliberately Insecure IoT Firmware allows the user to explore numerous vulnerabilities such as weak passwords, insecure network services and insecure web interfaces within the devices. IoTGoat is based on the OpenWrt operating system and maintained by the Open Web Application Security Project foundation (OWASP) to show the users how common faults can be exposed and what implications they can have for organizations and individuals. The vulnerability challenges are based on the ‘OWASP IoT Top 10 2018’, in addition to secret vulnerabilities placed by the firmware developers.

Vulnerabilities Challenges in IoTGoat

– Weak, Guessable, or Hardcoded Passwords
– Insecure Network Services
– Insecure Ecosystem Interfaces
– Lack of Secure Update Mechanism
– Use of Insecure or Outdated Components
– Insufficient Privacy Protection
– Insecure Data Transfer and Storage
– Lack of Device Management
– Insecure Default Settings
– Lack of Physical Hardening

Features:

  • Shows the user different vulnerabilities within IoT devices.
  • 10 common vulnerabilities are included
  • Easy to install on any IoT device

Supported Platforms:

  • IoT Device
  • Linux

Requirements:

  • See below

IoTGoat Install

1. To extract the filesystem, analyze configurations and binaries statically, download the latest precompiled firmware release from here.

2. For dynamic web testing and binary runtime analysis, the quickest way to get started is downloading the latest “IoTGoat-x86.vmdk” (VMware) and create a custom virtual machine using the IoTGoat disk image. (For more details, click on “documentation” button below).

3. IoTGoat can be viewed through open-source tools such as Firmadyne and FAT which run the firmware virtually. This allows the user to get a taste of how IoTGoat behaves when it is run on a real device. Navigate the filesystem to analyze application and network services.

4. In addition to this, the user can opt to run IoTGoat on their own virtual machines or on a Raspberry Pi 2 through image files available here.

Building From Source

Thanks to OpenWRT flexibility, you can flash IoTGoat on supported OpenWrt hardware.

Requirements: Ensure 10-15GB disk space is available with at least 4GB of RAM and a supported Linux distribution such as Ubuntu 18.04.

* Root or sudo aren’t needed when building.

Clone the repo and navigate to OpenWrt directory:

$ git clone https://github.com/OWASP/IoTGoat.git
$ cd IoTGoat/OpenWrt/openwrt-18.06.2/

Then run the following commands:

$ ./scripts/feeds update -a
$ ./scripts/feeds install -a
$ make menuconfig # select your preferred configuration for the toolchain, target system & firmware packages.
$ make # Build your firmware with make. This will download all sources, build the cross-compile toolchain and then cross-compile the Linux kernel & all chosen applications for your target system.

Once built, the compiled firmware will be placed in this directory IoTGoat/OpenWrt/openwrt-18.06.2/bin/targets/ depending on the target selected in menuconfig.

Usage

IoTGoat will automatically run on any device/system which it is installed on.

BusyBox v1.28.4 () built-in shell (ash)

                                                           .--,\\\__         
 ██████╗ ██╗    ██╗ █████╗ ███████╗██████╗                  `-.    a`-.__    
██╔═══██╗██║    ██║██╔══██╗██╔════╝██╔══██╗                   |         ')   
██║   ██║██║ █╗ ██║███████║███████╗██████╔╝                  / \ _.-'-,`;    
██║   ██║██║███╗██║██╔══██║╚════██║██╔═══╝                  /     |   { /    
╚██████╔╝╚███╔███╔╝██║  ██║███████║██║                      /     |   { /    
 ╚═════╝  ╚══╝╚══╝ ╚═╝  ╚═╝╚══════╝╚═╝            ..-"``~"-'      ;    )     
                                           ╦┌─┐╔╦╗╔═╗┌─┐┌─┐┌┬┐   ;'    `     
                                           ║│ │ ║ ║ ╦│ │├─┤ │   ;'    `      
                                           ╩└─┘ ╩ ╚═╝└─┘┴ ┴ ┴  ;'    `       
 ------------------------------------------------------------ ;'             
 GitHub: https://github.com/OWASP/IoTGoat                                                
 ------------------------------------------------------------   
root@IoTGoat:/# 
Documentation Box
Download Box