anvilsecure/azure-sphere-re

Azure Sphere Reverse Engineering

Microsoft recently held a closed security bounty challenge for Azure Sphere, an application platform for internet-connected devices. While we did not participate in the three-month challenge, which closed in August 2020, we were curious about the Azure Sphere devices, which were designed with the “seven properties of highly secured devices” in mind.

Since development boards are cheap, we bought a few and took them apart. We tested the Seeed MT3620 Mini Dev Board running MS Azure Sphere OS 20.05.

We developed several tools to help with the exploration and identified a couple of issues that were also identified by teams participating in the closed bounty challenge.

The issues we and others found have been fixed in the latest release, so our reverse engineering notes may be out of date.

Issues

During our reverse engineering, we identified three potential issues with the MS Azure Sphere operating system:

  • ASXipFS Device Nodes - It was possible to create app images containing device nodes, allowing an app to access devices it otherwise could not access.
  • Peripheral Disable DoS - A malicious app on the device can disable peripherals used by other apps.
  • Image Metadata Parsing DoS - Our image metadata parsing fuzzer can reliably cause the device to become non-bootable and require a recovery action.

Reverse Engineering Notes

We compiled our notes into a GitHub Wiki.

Tools

Our tools include:

  • Anvil Azure Sphere Test App - Spawns a busybox shell for system exploration and includes a few other testing commands.
  • Toolchain/Libc - A compiled musl libc and gcc toolchain for the Azure Sphere devices. Mainly useful for a more complete set of headers.
  • Package Tools - A set of Python scripts to parse image metadata, sign images with a developer certificate, and upload images.
  • ASXipFS Unpacker - A modified cramfs-tools project to extract the files from an ASXipFS file system.
  • Recovery Entry - A simple Python script to put the device into recovery mode.
  • Fuzzers - Some fuzzers to test image metadata parsing and HTTP parsing.

Additional Projects

Other information security companies and teams have also published their findings and notes on the MS Azure Sphere device:
