| name | crypto-weakness |
| description | Cryptographic weakness and insecure crypto implementation hunting in IoT firmware. Use when analyzing encryption implementations, TLS/SSL configurations, key management, random number generation, or any cryptographic operations in embedded device firmware. Triggers on crypto analysis, weak encryption, insecure TLS, or key management tasks. |
Cryptographic Weakness Hunting
Find weak or broken cryptographic implementations in IoT firmware.
Workflow
- Identify crypto library usage
- Check TLS/SSL configuration
- Analyze key management
- Verify random number generation
- Check for known weak algorithms
Crypto Library Detection
readelf -d <binary> | grep -i "ssl\|crypto\|mbedtls\|wolfssl\|openssl"
ldd <binary> 2>/dev/null | grep -i "ssl\|crypto"
strings <binary> | grep -iE "aes|des|rsa|sha|md5|rc4|ssl|tls|encrypt|decrypt|cipher|hmac"
strings <binary> | grep -i "openssl"
find extracted_fs/ -name "libssl*" -o -name "libcrypto*" | xargs strings | grep "OpenSSL"
Weakness Categories
1. Weak Algorithms
| Algorithm | Status | Why |
|---|
| MD5 | Broken | Collision attacks |
| SHA-1 | Deprecated | Theoretical collisions |
| DES/3DES | Deprecated | Small key/block size |
| RC4 | Broken | Biased output stream |
| RSA < 2048-bit | Weak | Factorable |
| ECB mode | Weak | Pattern preservation |
strings <binary> | grep -iE "^(md5|des|rc4|ecb)"
2. Hardcoded Keys/IVs
strings <binary> | grep -E "^[0-9a-fA-F]{32,64}$"
strings <binary> | grep -E "^[A-Za-z0-9+/]{22,44}={0,2}$"
3. Weak Random Number Generation
srand(time(NULL));
rand() % range;
getpid() as random source;
time(NULL) for session token;
4. TLS/SSL Issues
nmap --script ssl-enum-ciphers -p 443 <device_ip>
openssl s_client -connect <device_ip>:443 </dev/null 2>/dev/null | openssl x509 -text
find extracted_fs/ -name "*.pem" -o -name "*.crt" | while read f; do
echo "=== $f ==="
openssl x509 -in "$f" -text -noout 2>/dev/null | grep -E "Issuer|Subject|Not After|Signature Algorithm"
done
5. Firmware Update Verification
strings <update_binary> | grep -iE "verify|signature|rsa|ecdsa|sha256|digest"
CWE References
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-328: Use of Weak Hash
- CWE-330: Use of Insufficiently Random Values
- CWE-326: Inadequate Encryption Strength
- CWE-295: Improper Certificate Validation
- CWE-347: Improper Verification of Cryptographic Signature