Firmware.RE: Firmware Unpacking, Analysis and Vulnerability-Discovery as a Service

Presented at Black Hat Europe 2014, Oct. 16, 2014, 5 p.m. (60 minutes)

As embedded systems are more present than ever in our society, their security is becoming an increasingly important issue. Many recent analyses of individual firmware images have given embedded systems a reputation for being very insecure; however, we still lack a global understanding of embedded systems security, as well as the tools and techniques needed to support such general claims.

In this talk, we present the first public, large-scale analysis of firmware images: we unpacked 32K firmware images into 1.7M individual files, which we then analyzed. We leverage this large-scale analysis to bring new insights and to outline several open challenges that arise when performing such experiments. We also show the main benefits of looking at many different devices at the same time and of linking our results with other large-scale datasets, such as the ZMap SSL collection. We discuss results that would not have been possible to achieve without such a wide-scale analysis.

In summary, without performing sophisticated static analysis, we discovered a total of 38 previously unknown vulnerabilities in over 693 firmware images. Moreover, by correlating similar files inside apparently unrelated firmware images, we were able to extend some of those vulnerabilities to over 123 different products. We also confirmed that, taken together, some of these vulnerabilities affect at least 140K devices accessible on the public Internet.
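The correlation step described above (finding the same file inside apparently unrelated firmware images so that a finding in one image can be propagated to every product that ships the identical file) can be illustrated with a small content-hash index. The following is an added example written for this page, not code from the Firmware.RE project; it assumes each unpacked image is already available as a mapping from file path to file contents (in practice these come from the extracted directory tree), and the image names, paths and file contents are constructed sample data.

```python
"""Correlating byte-identical files across unpacked firmware images.

Added example (not Firmware.RE code). Each unpacked image is modelled as a
dict of path -> bytes; real use would read the extracted directory tree.
"""
import hashlib
from collections import defaultdict

# Constructed sample corpus: four hypothetical unpacked images. Two unrelated
# vendors ship the same OEM CGI binary, at different paths.
SAMPLE_IMAGES = {
    "vendorA_router_v1.0.bin": {
        "/bin/busybox": b"busybox-build-2013",
        "/www/cgi-bin/login.cgi": b"LOGIN-CGI-BUILD-42",
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    },
    "vendorA_router_v1.1.bin": {
        "/bin/busybox": b"busybox-build-2014",
        "/www/cgi-bin/login.cgi": b"LOGIN-CGI-BUILD-42",
    },
    "vendorB_camera_fw.bin": {
        "/usr/sbin/httpd": b"httpd-camera",
        "/usr/www/cgi-bin/login.cgi": b"LOGIN-CGI-BUILD-42",  # same binary, other path
    },
    "vendorC_nas_fw.bin": {
        "/bin/busybox": b"busybox-build-2014",
        "/www/cgi-bin/login.cgi": b"LOGIN-CGI-BUILD-57",      # different build
    },
}


def sha256(data: bytes) -> str:
    """Content hash used as the file identity across images."""
    return hashlib.sha256(data).hexdigest()


def build_file_index(images):
    """Map content hash -> set of (image_name, path) for every file in every image."""
    index = defaultdict(set)
    for image, files in images.items():
        for path, content in files.items():
            index[sha256(content)].add((image, path))
    return index


def propagate_finding(index, images, image, path):
    """Given a vulnerable file located in one image, return the names of all
    other images that contain a byte-identical copy, regardless of its path."""
    digest = sha256(images[image][path])
    return {img for img, _ in index.get(digest, ()) if img != image}


def shared_files(index, images, image_a, image_b):
    """Pairs (path_in_a, path_in_b) of files identical between two images;
    a non-empty result links images that look unrelated by name alone."""
    pairs = set()
    for path_a, content in images[image_a].items():
        for img, path_b in index[sha256(content)]:
            if img == image_b:
                pairs.add((path_a, path_b))
    return pairs


def most_shared_files(index, min_images=2):
    """Hashes present in at least `min_images` distinct images, most widespread
    first; these are the files whose vulnerabilities spread the furthest."""
    rows = []
    for digest, locations in index.items():
        image_names = {img for img, _ in locations}
        if len(image_names) >= min_images:
            rows.append((len(image_names), digest, sorted(locations)))
    return sorted(rows, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    idx = build_file_index(SAMPLE_IMAGES)
    # Suppose a flaw was found in vendorA's login.cgi: which other images ship it?
    print(sorted(propagate_finding(idx, SAMPLE_IMAGES,
                                   "vendorA_router_v1.0.bin", "/www/cgi-bin/login.cgi")))
    print(shared_files(idx, SAMPLE_IMAGES, "vendorA_router_v1.1.bin", "vendorC_nas_fw.bin"))
    for count, digest, where in most_shared_files(idx):
        print(count, digest[:12], where)
```

Exact hashing only catches byte-identical copies; the talk's "similar files" also covers near-duplicates, which would need fuzzy hashing or string-level comparison on top of this index, and any image flagged this way still has to be checked for whether the shared file is actually reachable on that device.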

We believe that this project, which we plan to provide as a service in the long term, will help shed some light on the security of embedded devices.


Presenters:

  • Davide Balzarotti - EURECOM
    I am an Assistant Professor at the Eurecom Graduate School and Research Center, located in Sophia Antipolis on the French riviera. My research interests include most aspects of system security and in particular the areas of binary and malware analysis, reverse engineering, computer forensics, and web security.
  • Aurélien Francillon - EURECOM
    Aurélien Francillon is an assistant professor in the Networking and Security department at EURECOM, where he is co-heading the System and Software Security group (http://s3.eurecom.fr). Before this he received his PhD degree in 2009 from INRIA and Grenoble INP, then he was a postdoctoral researcher in the System Security Group at ETH Zurich. He is mainly interested in practical aspects of the security of embedded devices. In this context he has worked on topics such as code injection, code attestation, random number generation, hardware support for software security, bug-finding techniques, as well as on broader security and privacy topics. He has served on many program committees and was program co-chair of CARDIS 2013.
  • Jonas Zaddach - EURECOM
    Jonas Zaddach is a Computer Science graduate of the Technische Universitaet Muenchen and Telecom ParisTech, where he wrote his thesis on securing infrastructure-as-a-service clouds in a double-degree program. Results from this research are the basis of the well-received presentation "SatanCloud: A Journey Into the Privacy and Security Risks of Cloud Computing." In his youth he spent his time making his Lego Mindstorms robot do things it was not supposed to do by hacking its firmware. Since then he has shifted his attention to hard drives, and is currently a PhD candidate with EURECOM in the field of dynamic analysis of embedded devices' firmware.
  • Andrei Costin - EURECOM
    Andrei is a Computer Science graduate of the Politehnica University of Bucharest, where he did his thesis work in Biometrics and Image Processing. While starting out his IT career in the computer games industry, he has worked in the Telecom field and also was a senior developer at a specialized firm programming various GSM/UMTS/GPS sub-systems. He is the author of the MiFare Classic Universal toolKit (MFCUK), the first publicly available (FOSS) card-only key cracking tool for the MiFare Classic RFID card family, and is known as the "printer guy" for his "Hacking MFPs" and "Hacking PostScript" series of hacks & talks at various international conferences. Lately he was spotted security-harassing airplanes with ADS-B hacks, though no planes were harmed during the experiments. He is passionate about security in a holistic fashion. Currently, he is a PhD candidate with EURECOM in the field of "Security of Embedded Devices."
