Firm up your Firmware Security

A quick Google search for “firmware vulnerabilities” returns an impressive list of recent cyber attacks against IoT devices, hardware, switches, and other networking components. Within the last two weeks alone, researchers have disclosed vulnerabilities in Xiomi pet feeders and two popular home security cameras. In addition, D-Link, a prominent networking equipment manufacturer, announced that it will not patch a critical vulnerability in several of its routers, choosing instead to sunset support for these older devices, leaving users with the option of buying new equipment or remaining insecure.

This is just the tip of the iceberg; billions of connected devices around the world are running firmware, yet manufacturers are not beholden to any cyber security standards, let alone regulations that would require a foundational set of practices that improve the security of these devices or the device supply chain.[i] The problem has been recognized widely and efforts are underway to create industry-wide compliance mandates, but at present, firmware remains a large, overlooked vulnerability and a broadening attack surface. Suffice it to say, though overfeeding one’s pet might not rank as a high-priority cyber security concern (you can always choose to stop using a connected pet feeder), the repercussions of exploited medical devices, industrial control systems, telecommunications equipment, voting systems, and weapons systems are not so innocuous.

The need for embedded device security is not new. In fact, experts have known for decades that firmware and hardware need protection from cyber attacks. That said, until more recently, firmware security has taken a back seat to threats from malicious software, vulnerable applications, and social engineering. But not for the founders of ReFirm Labs, a SaaS provider of firmware vulnerability scanning.

Reduce reliance on manual vulnerability hunting

Leveraging years of experience at the NSA where they identified and tested vulnerabilities in embedded devices for offensive purposes, co-founders Peter P. Eacman and Terry J. Dunlap founded their first firmware security company in 2007. Three years later, the team released Binwalk, an open source tool for analyzing, reverse engineering, and extracting firmware images. Binwalk became a staple in the penetration testing community, as well as the foundation for ReFirm Labs, launched in 2017.

Centrifuge, the company’s flagship product, automatically scans customers’ firmware and identifies issues like unauthenticated access, weak authentication mechanisms, hidden backdoors, hard-coded passwords, exposed encryption keys, instances of insecure string handling functions, known open source vulnerabilities, and debug services in production systems that could inadvertently expose sensitive information. Centrifuge then generates a report of found vulnerabilities and exposures that the user can fix, or, if resources are not available internally, ReFirm offers remediation and training services.

"At present,” explained ReFirm Labs’ CEO Derick Naef during a recent call, "companies doing this kind of firmware vulnerability scanning and management are most likely doing it manually. It’s labor-intensive and incomplete; environments are always changing, CVE’s are found, and new devices are deployed on the network constantly and sometimes without security’s knowledge. Assessments have to be ongoing for companies to maintain good cyber hygiene.”

Because the exploding IoT device landscape is a tricky thing for companies to manage, I asked Derick how they account for the abundance and variation of firmware that could potentially be connected to a customer’s environment. "ReFirm specializes in embedded Linux and QNX,” he told Ed and me, “and our platform ingests NVD (National Vulnerability Database) information, and we maintain a private signature database that detects known exploits." The platform's component discovery feature gives customers a way to track components used to build their firmware, which means that any vulnerabilities introduced in the supply chain will also be identified.

ReFirm offers three deployment models: on premises, cloud-based, and a version for air-gapped systems. Integration is through an API and can be incorporated into existing third-party tools. Notably, Centrifuge does not require access to source code and agents do not need to be installed. All the platform needs to execute its analysis and generate a report is the binary firmware image.

Add firmware to your security “priority” list

Firmware in embedded devices is inarguably a weakness, and the number of embedded devices deployed on companies’ networks is growing at an accelerated pace. All it takes is one initial vulnerability—a configuration error, an unpatched system—to result in network infiltration. It may be overwhelming to think about adding firmware to the list of entities on the network that need protection, but it’s essential nonetheless. Especially if your company is in critical infrastructure, it’s imperative to be able to identify and monitor all components, vulnerabilities in deployed/connected devices, and weaknesses in the downstream supply chain.

Whether your company category is part of critical infrastructure or you want to cover your bases by gaining visibility into the risks of your firmware/IoT/supply chain, give the team at ReFirm Labs a call and test out their automated security analysis. When IoT devices can be attacked with something as simple as a laser pointer from a few hundred feet away, it’s time to start taking firmware and device security seriously. Centrifuge seems like a good place to start if you have more to protect than just your dinner conversation.

______________________________________________________________________________________________________________________________________________

[i] The Department of Defense (DoD) maintains the Defense Federal Acquisition Regulation Supplement (DFAR) which has issued a Cybersecurity Matrix Maturity Model (CMMC). Any business wanting to do business with the DoD starting in late 2020 will be required to achieve a CMMC certificate, but this regulation only applies to the DoD, not private or other government entities.