Embedded security researcher, fresh Dr. :) · powerofcommunity.net/poc2015/andrei.pdf · 2018-01-08
# whoami
• Embedded security researcher, fresh Dr. :)
Intro
Embedded Devices: Are Everywhere
by Wilgengebroed on Flickr [CC-BY-2.0]
Embedded Devices: Smarter and More Complex
Embedded Devices: More Interconnected
Embedded Software: Firmware is Everywhere
• Embedded devices are diverse – but all of them run software, commonly referred to as firmware
Observations: Magnitude of Embedded/Firmware
• By 2014, there were hundreds of thousands of firmware packages (Costin et al., USENIX Security 2014)
• By 2014, there were 14 billion Internet-connected objects (Cisco, Internet of Things Connections Counter, 2014)
• By 2020, there will be between 20 and 50 billion interconnected IoT/embedded devices (Cisco, The Internet of Everything in Motion, 2013)
Importance of Embedded Systems' Security
• Embedded devices are ubiquitous
  – Even invisible, they are essential to our lives
• Can operate for many years
  – Legacy systems, no (security) updates
• Have a large attack surface
  – Web interfaces
  – Networking services
  – Debug interfaces (forgotten, backdoor)
  – ...
Many Examples of Insecure Embedded Systems
● Routers
● Printers: "Networked printers at risk" (30/12/2011, McAfee Labs)
● VoIP: "Cisco VoIP Phones Affected By On Hook Security Vulnerability" (12/06/2012, Forbes)
● Cars: "Hackers Reveal Nasty New Car Attacks – With Me Behind The Wheel" (12/08/2013, Forbes)
● Drones
● Fireworks (Remote Control, Firing Module)
● Etc.
Each of the above is a result of individual analysis
Manual and tedious efforts → Does not scale
Review: Manual Analysis Process
● firmware
● decrypt, unpack (IHEX format, plain text firmware)
● detect CPU, static analysis (Motorola m68k-based CPU)
● dynamic analysis
● debug interfaces? UART consoles? known/obvious vulns? (802.15.4 functions, UART “boot>” prompts)
● buy device
● setup device
● disassemble/analyze device
Open Problem: Hard to automate
Goal: Automate these steps
Goals and Challenges
Idea → Goal
Perform large scale automated analysis to better understand, classify and analyze firmware images, without using devices
Challenges → Solutions
• Large number of devices → Analysis without devices
• Large number of firmware files → Scalable architectures
• Highly heterogeneous systems → Generic techniques
• Increasingly “smart”, “connected” → Focus on web interfaces & APIs
• Highly unstructured firmware data → Large dataset classification
• Vulnerable devices exposed → Technology-independent device fingerprinting
Large Scale Challenge 1: Firmware and Device Classification
Firmware Classification: Why and How?
● Why?
  – There are hundreds of thousands of firmware packages (Costin et al., USENIX Security 2014)
  – Any volunteer for manual triage? :)
● How?
  – Machine Learning (ML)
  – E.g., Python's scikit-learn
Firmware Classification: ML Details
● Random Forests, Decision Trees
● File size
● Entropy value
● Extended entropy information
● Category strings
● Category unique strings
Firmware Classification: ML Examples
Firmware Classification: ML Summary
● The local optimum for our setup
  – Features [size, entropy, entropy extended, category strings, category unique strings]
  – Random Forests classifier
  – Training sets based on 40% of each category
  – Achieves more than 90% accuracy
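The feature list above, worked into a per-file feature extractor. This is an added example, not code from the talk; the block size, the high-entropy threshold, the per-block statistics used for "extended entropy" and the keyword lists are all assumptions. Each returned dict is one row that a Random Forest (for instance scikit-learn's RandomForestClassifier) would be trained on.

```python
import math
import re
from collections import Counter

BLOCK = 1024          # assumed block size for the per-block ("extended") entropy
HIGH_ENTROPY = 7.0    # assumed threshold: blocks above it look compressed/encrypted
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # printable ASCII runs, like strings(1)

# Constructed keyword lists per firmware category (not from the talk).
CATEGORY_STRINGS = {
    "router": {"pppoe", "dhcpd", "httpd"},
    "camera": {"rtsp", "onvif", "httpd"},
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes) -> set:
    """Lower-cased printable strings of length >= 4 found in the blob."""
    return {m.group().decode("ascii").lower() for m in PRINTABLE.finditer(data)}


def features(data: bytes) -> dict:
    """Size, whole-file entropy, per-block entropy stats and keyword counts."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
    ents = [shannon_entropy(b) for b in blocks]
    text = "\n".join(extract_strings(data))
    row = {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "ent_min": min(ents),
        "ent_max": max(ents),
        "ent_mean": sum(ents) / len(ents),
        "ent_high_frac": sum(e > HIGH_ENTROPY for e in ents) / len(ents),
    }
    for cat, keywords in CATEGORY_STRINGS.items():
        # Keywords that also appear in another category are not "unique".
        others = set().union(
            *(v for k, v in CATEGORY_STRINGS.items() if k != cat))
        row[f"{cat}_strings"] = sum(kw in text for kw in keywords)
        row[f"{cat}_unique_strings"] = sum(kw in text for kw in keywords - others)
    return row


# Constructed sample: one low-entropy block with a few strings, followed by
# one block with a perfectly uniform byte distribution.
SAMPLE = (b"httpd\x00pppoe_start\x00dhcpd.conf\x00".ljust(BLOCK, b"\x00")
          + bytes(range(256)) * (BLOCK // 256))

if __name__ == "__main__":
    for name, value in features(SAMPLE).items():
        print(f"{name:24} {value}")
```

The per-block statistics separate a firmware image that is compressed end to end from one that carries a plain header in front of a compressed payload, which the whole-file entropy value alone does not show.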
Large Scale Challenge 2: Automated Static Analysis
Static Firmware Analysis: Automated and Large Scale
[Architecture diagram components: Internet (Crawl), Public Web Interface (Submit), Firmware Datastore, Firmware Analysis Cloud (Master, Distribute, Workers: Unpacking, Static Analysis, Fuzzy Hashing), Password Hash Cracker, Firmware Analysis & Reports DB, Data Enrichment, Correlation Engine]
Static Firmware Analysis: Types of Tests
● Misconfiguration
  – Web-server configs, Code repositories
● Credentials
  – Weak/Default/Hard-coded
● Data enrichment
  – Versions → Software packages
  – Keywords → Known problems (telnet, shell, UART, backdoor)
● Correlation and clustering
  – Based on: Fuzzy hashes, Private SSL keys, Credentials
Example: Firmware content correlation
[Diagram: Firmware 1, Firmware 2, Firmware 3, Firmware 4 and Firmware 5, with labels 95%, 99% and 0%]
Example: Firmware HTTPS keys correlation
[Diagram: firmware images from Vendor A and Vendor B linked by "Same key"]
For one certificate, we found at least:
- 1 vulnerability
- 2 vendors
- 35K online devices
In total:
- 109 private RSA keys for HTTPS certificates
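One way to run the private-key correlation described above over unpacked firmware contents, as an added example that is not the authors' code. The corpus layout, vendor names, file paths and key material are constructed placeholders (the "keys" are not real RSA keys); fingerprinting the decoded key body rather than the PEM text makes the same key match across different line wrapping and line endings.

```python
import base64
import binascii
import hashlib
import re
from collections import defaultdict

# PEM private key block; the END label must match the BEGIN label.
PEM_KEY = re.compile(
    rb"-----BEGIN ((?:RSA |EC )?PRIVATE KEY)-----(.+?)-----END \1-----",
    re.DOTALL)


def key_fingerprints(blob: bytes):
    """Yield a SHA-256 fingerprint for every PEM private key found in blob."""
    for m in PEM_KEY.finditer(blob):
        try:
            # Strip all whitespace so LF/CRLF and wrap width do not matter.
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except binascii.Error:
            continue  # corrupted block, or encrypted PEM with header lines
        if der:
            yield hashlib.sha256(der).hexdigest()


def correlate(corpus):
    """Map fingerprint -> set of (vendor, image, path) where the key occurs."""
    seen = defaultdict(set)
    for (vendor, image), files in corpus.items():
        for path, blob in files.items():
            for fp in key_fingerprints(blob):
                seen[fp].add((vendor, image, path))
    return seen


def shared_keys(corpus):
    """Keys present in more than one image: fingerprint -> sorted vendor list."""
    shared = {}
    for fp, hits in correlate(corpus).items():
        images = {(vendor, image) for vendor, image, _ in hits}
        if len(images) > 1:
            shared[fp] = sorted({vendor for vendor, _ in images})
    return shared


def make_pem(material, newline=b"\n", width=64, label=b"RSA PRIVATE KEY"):
    """Build a PEM-shaped block around constructed (non-key) bytes."""
    b64 = base64.b64encode(material)
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return (b"-----BEGIN " + label + b"-----" + newline
            + newline.join(lines) + newline
            + b"-----END " + label + b"-----" + newline)


# Constructed sample corpus: three images share KEY_A, one of them from a
# second vendor and stored with CRLF line endings and 76-column wrapping.
KEY_A = b"constructed-key-material-A" * 8
KEY_B = b"constructed-key-material-B" * 8
CORPUS = {
    ("VendorA", "fw-1.0.bin"): {"/etc/ssl/server.pem": b"# web\n" + make_pem(KEY_A)},
    ("VendorA", "fw-1.1.bin"): {"/etc/ssl/server.pem": make_pem(KEY_A)},
    ("VendorB", "cam-2.3.bin"): {"/usr/local/httpd/key.pem": make_pem(KEY_A, b"\r\n", 76)},
    ("VendorB", "cam-2.4.bin"): {"/usr/local/httpd/key.pem": make_pem(KEY_B)},
}

if __name__ == "__main__":
    for fp, vendors in shared_keys(CORPUS).items():
        flag = "CROSS-VENDOR" if len(vendors) > 1 else "same vendor"
        print(f"{fp[:16]}...  {flag}: {', '.join(vendors)}")
```

A key stored once as PKCS#1 ("RSA PRIVATE KEY") and once as PKCS#8 ("PRIVATE KEY") hashes differently here; matching those requires parsing the key and comparing the public modulus.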
Static Firmware Analysis: Some Results
● 38 new vulnerabilities
● 693 firmware images with at least one vulnerability
● 140K online devices correlated to some vulnerabilities
Large Scale Challenge 3: Automated Dynamic Analysis
Dynamic Firmware Analysis: Automated and Large Scale
Dynamic Firmware Analysis: Emulator's Dilemma
Dynamic Firmware Analysis: Scalable Emulation and Analysis
Dynamic Firmware Analysis: Some Results
● High-severity vulnerability impact
● Command injection, XSS, CSRF
● Automated+scalable static and dynamic analysis
● 225 high-severity vulnerabilities, many previously unknown
● 185 firmware images (~10% of original)
● 13 vendors (~25% of original)
● Total alerts from the tools
● 6068 dynamic analysis alerts on 58 firmware images
● 9046 static analysis alerts on 145 firmware images
● Manual triage and confirmation is challenging
Applications
Application Example: Industry Players
● 1 big player in SCADA/ICS/embedded
● In "Top 100" of "Fortune Global 500" (2015)
● 3 years R&D contract (from 2015)
● Using our frameworks
● For their own firmware life-cycle
● Firmware collection, unpacking, analysis
● Dynamic analysis and symbolic execution
Firmware.RE: First project of its kind
Firmware.RE: Demo Time!
Conclusions
● Plenty of latent vulnerabilities in embedded firmware
● Firmware security analysis is absolutely necessary
● Involves many non-trivial steps and challenges
● A broader view on firmwares is not just beneficial, but necessary
● Security
● Tradeoff with both cost and time-to-market
● Clearly not a priority for some vendors
Summary
● We build up research expertise and implement our expertise in working prototypes
● First framework for automated large-scale security analysis and classification of firmwares and embedded devices
● Simple and advanced analysis using dynamic and static
● Quick identification of (un)known vulnerabilities
● Automated classification and fingerprinting
References
● www.firmware.re
● www.s3.eurecom.fr/~costin/
Collaborators: Acknowledgements & Thanks
● Dr. Jonas Zaddach
● Prof. Aurelien Francillon
● Prof. Davide Balzarotti
● Dr. Apostolis Zarras