Tutorial: Analyze an IoT/OT firmware image

This tutorial describes how to use Defender for IoT's Firmware analysis page to upload a firmware image for security analysis and view analysis results.


The Defender for IoT Firmware analysis page is in PREVIEW. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.



The Defender for IoT Firmware Analysis feature is automatically available if you currently access Defender for IoT using the Security Admin, Contributor, or Owner role. If you only have the SecurityReader role or want to use Firmware Analysis as a standalone feature, then your Admin must give the FirmwareAnalysisAdmin role. For additional information, please see Azure User Roles and Permissions.

To use the Firmware analysis page to analyze your firmware security, your firmware image must have the following prerequisites:

  • You must have access to the compiled firmware image.

  • Your image must be an unencrypted, Linux-based firmware image.

  • Your image must be less than 1 GB in size.

Select the region for storing firmware images

If this is your first interaction with Firmware analysis, then you'll need to select a region in which to upload and store your firmware images.

  1. Sign into the Azure portal and go to Defender for IoT.

    Screenshot that shows the Defender for IoT portal.

  2. Select Firmware analysis.

  3. Select a region to use for storage.

    Screenshot that shows selecting an Azure Region.

Upload a firmware image for analysis

  1. Sign into the Azure portal and go to Defender for IoT.

  2. Select Firmware analysis > Upload.

  3. In the Upload a firmware image pane, select Choose file. Browse to and select the firmware image file you want to upload.

    Screenshot that shows clicking the Upload option within Firmware Analysis.

  4. Enter the following details:

    • The firmware's vendor
    • The firmware's model
    • The firmware's version
    • An optional description of your firmware
  5. Select Upload to upload your firmware for analysis.

    Your firmware appears in the grid on the Firmware analysis page.

View firmware analysis results

The analysis time will vary based on the size of the firmware image and the number of files discovered in the image. While the analysis is taking place, the status will say Extracting and then Analysis. When the status is Ready, you can see the firmware analysis results.

  1. Sign into the Azure portal and go to Microsoft Defender for IoT > Firmware analysis.

  2. Select the row of the firmware you want to view. The Firmware overview pane shows basic data about the firmware on the right.

    Screenshot that shows clicking the row with the firmware image to see the side panel details.

  3. Select View results to drill down for more details.

    Screenshot that shows clicking view results button for a detailed analysis of the firmware image.

  4. The firmware details page shows security analysis results on the following tabs:

    Name Description
    Overview View an overview of all of the analysis results.
    Software Components View a software bill of materials with the following details:

    - A list of open source components used to create firmware image
    - Component version information
    - Component license
    - Executable path of the binary
    Weaknesses View a listing of common vulnerabilities and exposures (CVEs).

    Select a specific CVE to view more details.
    Binary Hardening View if executables compiled using recommended security settings:

    - NX
    - PIE
    - RELRO
    - CANARY

    Select a specific binary to view more details.
    Password Hashes View embedded accounts and their associated password hashes.

    Select a specific user account to view more details.
    Certificates View a list of TLS/SSL certificates found in the firmware.

    Select a specific certificate to view more details.
    Keys View a list of public and private crypto keys in the firmware.

    Select a specific key to view more details.

    Screenshot that shows the weaknesses (CVE) analysis of the firmware image.

Delete a firmware image

Delete a firmware image from Defender for IoT when you no longer need it analyzed.

After you delete an image, there's no way to retrieve the image or the associated analysis results. If you need the results, you'll need to upload the firmware image again for analysis.

To delete a firmware image:

  1. Select the checkbox for the firmware image you want to delete and then select Delete.

Next steps

For more information, see Firmware analysis for device builders.