
Firmware Best Practices
Brad Whipple, Researcher, Protect Our Power
January 2020
www.inl.gov

1 Overview
• Why firmware is significant
• Best practices
  • When to trust and NOT trust firmware
  • Updating
  • Encrypt and sign
• Examples
• What INL is doing in this area

2 Significance of Firmware
Why is firmware important?
• Firmware defines the device
• Can contain hardcoded passwords
• Malicious alterations can be very difficult to detect
• Can contain vulnerabilities

3 Best Practices at a Glance
Asset Owners/Engineers:
• Lock down the ability to update firmware
• Version control
• Acquire firmware from trusted sources
• Have backups of firmware
• Update firmware (if reasonable to do so)

OEM:
• Encrypt/sign firmware
• Management
• Lock ports down

4 Red Team Process
Steps I would typically take:
• Acquire an OEM copy of firmware
  • Web
  • Customer service
  • Extract from on- debug resources
• Firmware update familiarization
  • How is it initiated?
  • Authentication mechanisms?
• Inspect for potentially vulnerable libraries, passwords, and anything else (a lot can be learned through strings)
• Exploit a vulnerability or reverse engineer, then modify the firmware and re-upload it

5 Example 1 – Smart Meter
• Firmware readily available
• Firmware easy to extract
• Vulnerable library used in firmware (not exploitable)

Extraction and Decompression Process

Figure: plain-text .upg file → hex → zlib-compressed binary → (extract) → (decompress) → uncompressed SREC file.
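As an added illustration of the .upg flow on this slide (this is not the presenter's or INL's tooling; the record layout and the hex-of-zlib-of-SREC packaging are assumptions matching the figure), the following Python builds a constructed sample and then walks it back through hex → zlib → SREC, validating each record's checksum before reassembling the image and pulling printable strings from it.

```python
import re
import zlib


def srec_line(rectype: str, addr: int, data: bytes) -> str:
    """Encode one Motorola S-record (S0 uses a 2-byte address, S3/S7 a 4-byte one)."""
    body = addr.to_bytes(2 if rectype == "0" else 4, "big") + data
    count = len(body) + 1                      # address + data + checksum bytes
    checksum = (~(count + sum(body))) & 0xFF   # ones' complement of the byte-sum LSB
    return f"S{rectype}{count:02X}{body.hex().upper()}{checksum:02X}"


def pack_upg(srec_text: str) -> str:
    """SREC text -> zlib-compressed binary -> hex text, i.e. the assumed .upg layout."""
    return zlib.compress(srec_text.encode("ascii")).hex()


def unpack_upg(upg_hex: str) -> str:
    """Hex text -> zlib -> SREC text (the slide's extract and decompress steps)."""
    return zlib.decompress(bytes.fromhex(upg_hex)).decode("ascii")


def build_upg(image: bytes, base: int = 0x08000000) -> str:
    """Constructed sample .upg built from a flat image (assumed layout, not a vendor's)."""
    lines = [srec_line("0", 0, b"FW")]
    lines += [srec_line("3", base + off, image[off:off + 16]) for off in range(0, len(image), 16)]
    lines.append(srec_line("7", base, b""))
    return pack_upg("\n".join(lines) + "\n")


def extract_upg(upg_hex: str) -> bytes:
    """Reverse the flow and rebuild the image, rejecting any record whose checksum fails."""
    chunks = {}
    for line in unpack_upg(upg_hex).splitlines():
        if not line.startswith("S"):
            continue
        raw = bytes.fromhex(line[2:])
        count, body, checksum = raw[0], raw[1:-1], raw[-1]
        if count != len(raw) - 1 or ((count + sum(body)) & 0xFF) != checksum ^ 0xFF:
            raise ValueError(f"corrupt S-record: {line}")
        if line[1] == "3":                     # data record: 4-byte address + payload
            chunks[int.from_bytes(body[:4], "big")] = body[4:]
    # Records are assumed contiguous; a real image may need gap filling between them
    return b"".join(chunks[addr] for addr in sorted(chunks))


def strings(image: bytes, min_len: int = 4) -> list[str]:
    """Printable-ASCII runs, the quick triage the deck mentions (what `strings` does)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)]
```

The checksum check is what lets a defender tell a transport-corrupted or hand-edited record from a clean one before trusting anything recovered from the file.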

6 Example 1 Cont.
• Smart meter equipped with 4G module
• Many examples of public-facing devices

7 Example 2 – Ubiquitous Library Vulnerability
• BusyBox is a popular embedded library (many Unix functions compiled into one file)
• BusyBox used the OpenNTPd library for its NTP implementation
• OpenNTPd had a vulnerability patched in 2019
• BusyBox didn't recognize or incorporate that into their source code until 2016 (~7 years)

8 Example 3 - PLC

For proof of concept I deface the landing page of a PLC.

9 Example 3 – PLC cont.

10 Example 3 – PLC cont.

OOPS!… I broke it

I somehow corrupted the Hardware ID. The device will no longer accept firmware because the Hardware ID does not match. I was able to identify the Hardware ID signature in the firmware file; now I must edit it to match the unknown Hardware ID the PLC identifies as.

FIXED!… sort of

11 INL Related Work
Related work in firmware security:
• Supply chain security
• Indicators of compromise and remediation
• Library detection

12 INL Related Work – Indicators
Create indicators of compromise (firmware update)

Indicators written in STIX format using a tool called STIG

13 INL Related Work – Indicators
Extract a copy of firmware from the network
In the process of releasing "Firmware Extractor"

14 INL Related Work – Library Detection

Use machine learning to identify what's in a firmware image.

15 INL Related Work – Why use Machine Learning?

Same code with different compiler options produces drastically different output.

17 INL Related Work

18 COTS Library Identification Software

Unfortunately I can’t share too much on this topic (endorsement)

Ask for a demo before purchasing.

19 Questions?

Summary:
• Firmware is a lucrative target for adversaries
• Updates are important; keep track of which device is loaded with which firmware
• Ensure firmware is coming from a trusted source
• Ideally, firmware should be encrypted and signed
