Firmware Best Practices
Brad Whipple, Researcher, INL (www.inl.gov)
Protect Our Power, January 2020

Overview
• Why firmware is significant
• Best practices
  • When to trust & NOT trust firmware
  • Updating
  • Encrypt & sign
• Examples
• What INL is doing in this area
Significance of Firmware
Why is firmware important?
• Firmware defines the device
• Can contain hardcoded passwords
• Malicious alterations can be very difficult to detect
• Can contain vulnerabilities
Best Practices at a Glance
Asset Owners/Engineers:
• Lock down the ability to update firmware
• Version control (which firmware is on which device)
• Acquire firmware from trusted sources
• Keep backups of firmware
• Update firmware (if reasonable to do so)
OEM:
• Encrypt/sign firmware
• Library management
• Lock debugging ports down
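What "encrypt/sign firmware" and "lock down the ability to update" look like on both sides of an update, as an added example in Go (standard library only) that is not INL's code and not any vendor's format: the OEM encrypts the payload with a device-class AES-256-GCM key and signs the whole container with an Ed25519 key whose public half is provisioned into the device; the device verifies the signature before it parses or decrypts anything, then checks the hardware ID (the check that bites in Example 3 on this page) and refuses anything that is not newer than what it runs. The container layout, field names, the "PLC-0042" hardware ID, the all-zero demo key and the key handling are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Container layout used here (an assumption for this example, not any vendor's format):
//	"FWUP" | hardware ID (8 bytes, NUL padded) | version (u32 BE) | GCM nonce (12) |
//	AES-256-GCM ciphertext of the payload | Ed25519 signature (64) over everything before it
const (
	magic   = "FWUP"
	hwIDLen = 8
	hdrLen  = len(magic) + hwIDLen + 4
)

var (
	errSignature = errors.New("signature check failed: not from the OEM, or modified in transit")
	errHardware  = errors.New("hardware ID mismatch")
	errRollback  = errors.New("version is not newer than the running firmware")
	errFormat    = errors.New("malformed image")
)

// OEM signing key pair; only oemPub is provisioned into devices, oemPriv never leaves the OEM.
var oemPub, oemPriv, _ = ed25519.GenerateKey(rand.Reader)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// packImage is the OEM side: encrypt the payload with the device-class key, then sign
// the whole container so a device can authenticate it before it decrypts anything.
func packImage(hwID string, version uint32, payload, encKey []byte, priv ed25519.PrivateKey) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil || len(hwID) > hwIDLen {
		return nil, fmt.Errorf("bad key or hardware ID: %v", err)
	}
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	copy(hdr[len(magic):], hwID)
	binary.BigEndian.PutUint32(hdr[len(magic)+hwIDLen:], version)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := append(hdr, nonce...) // header and nonce are authenticated along with the payload
	img := append(aad, gcm.Seal(nil, nonce, payload, aad)...)
	return append(img, ed25519.Sign(priv, img)...), nil
}

// acceptImage is the device side. The signature is verified before any field is parsed or
// decrypted, so bytes that did not come from the OEM never reach the parser or the cipher.
func acceptImage(img []byte, pub ed25519.PublicKey, deviceHWID string, running uint32, encKey []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	if len(img) < hdrLen+gcm.NonceSize()+gcm.Overhead()+ed25519.SignatureSize {
		return nil, errFormat
	}
	signed, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, errSignature
	}
	if string(signed[:len(magic)]) != magic {
		return nil, errFormat
	}
	if string(bytes.TrimRight(signed[len(magic):len(magic)+hwIDLen], "\x00")) != deviceHWID {
		return nil, errHardware // Example 3 on this page: a corrupted ID and the PLC refuses every image
	}
	if binary.BigEndian.Uint32(signed[len(magic)+hwIDLen:hdrLen]) <= running {
		return nil, errRollback // an attacker cannot push an older, known-vulnerable build
	}
	aad := signed[:hdrLen+gcm.NonceSize()]
	return gcm.Open(nil, signed[hdrLen:hdrLen+gcm.NonceSize()], signed[hdrLen+gcm.NonceSize():], aad)
}

func main() {
	key := make([]byte, 32) // device-class AES-256 key; all zero only because this is a demo
	img, err := packImage("PLC-0042", 7, []byte("constructed firmware payload"), key, oemPriv)
	if err != nil {
		panic(err)
	}
	payload, err := acceptImage(img, oemPub, "PLC-0042", 6, key)
	fmt.Printf("accepted=%v payload=%q\n", err == nil, payload)
	_, err = acceptImage(img, oemPub, "PLC-0042", 7, key)
	fmt.Println("same version again:", err)
}
```

Running it prints one accepted image and then a rejected re-install of the same version. The order of checks is the point: the hardware ID, version and ciphertext are only trusted after Ed25519 says the OEM produced them, and the AES key alone proves nothing about origin because every device of the class holds it; encryption here protects the vendor's code from the kind of extraction the red-team slide describes, the signature is what stops a modified image from being re-uploaded.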
Red Team Process
Steps I would typically take:
• Acquire an OEM copy of the firmware
  • Web
  • Customer service
  • Extract from on-chip debug resources
• Firmware update familiarization
  • How is an update initiated?
  • What authentication mechanisms are there?
• Inspect for potentially vulnerable libraries, passwords, and anything else of interest (a lot can be learned from strings)
• Exploit a vulnerability, or reverse engineer, then modify the firmware and re-upload it
Example 1 – Smart Meter
• Firmware readily available
• Firmware easy to extract
• Vulnerable library used in firmware (not exploitable)
Extraction and Decompression Process
.upg file (plain text, hex) → extract → zlib-compressed blob → decompress → uncompressed SREC file → binary
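The uncompressed SREC stage of that pipeline, as an added example in Go that is not from the slides or from INL: an S-record parser that checks every record's checksum, flattens the records into a flash image, and runs a strings pass over the result, the step the red-team slide says teaches the most for the least effort. The sample image, its load address, the banner, the "admin" and "password=" strings and the update URL are all constructed for the example; hex-decoding the .upg body (encoding/hex) and inflating it (compress/zlib) are the two preceding steps left out here.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample image, NOT real meter firmware, exactly 96 bytes (six 16-byte records):
// a version banner, a hardcoded credential and an update URL, what a strings pass surfaces first.
var sampleImage = []byte("METER-FW v2.3.1\x00\x01\x02\x03admin\x00password=Sup3rS3cret!!\x00" +
	"\x7f\x00http://updates.example.com/firmware/meter.upg\x00")
const sampleBase uint32 = 0x08000000 // flash address the image is linked at

// srecS3 encodes one S3 record: byte count, 32-bit address, data, ones'-complement checksum.
func srecS3(addr uint32, data []byte) string {
	body := append([]byte{byte(addr >> 24), byte(addr >> 16), byte(addr >> 8), byte(addr)}, data...)
	sum := len(body) + 1 // the count byte is itself covered by the checksum
	for _, b := range body {
		sum += int(b)
	}
	return fmt.Sprintf("S3%02X%X%02X", len(body)+1, body, 0xFF-(sum&0xFF))
}

// sampleSREC renders the image as an SREC file, 16 data bytes per record, plus the S7
// termination record. The vendor's zlib+hex wrapping around this file is omitted here.
func sampleSREC() string {
	var sb strings.Builder
	for off := 0; off < len(sampleImage); off += 16 {
		sb.WriteString(srecS3(sampleBase+uint32(off), sampleImage[off:off+16]) + "\n")
	}
	return sb.String() + "S70508000000F2\n"
}

// parseSREC flattens S1/S2/S3 records into an image (gaps read as 0xFF, like erased flash) and
// returns it with its load address, assuming the first data record is the lowest one. Every
// checksum is verified, so a corrupted or carelessly hand-edited file is rejected, not loaded.
func parseSREC(text string) ([]byte, uint32, error) {
	img, base := []byte(nil), uint32(0)
	for n, line := range strings.Fields(text) {
		if len(line) < 4 || line[0] != 'S' || line[1] < '0' || line[1] > '9' {
			return nil, 0, fmt.Errorf("record %d: not an S-record", n+1)
		}
		if line[1] == '0' || line[1] > '3' {
			continue // S0 header, S5/S6 count and S7-S9 termination records carry no image data
		}
		addrLen := int(line[1]-'0') + 1 // S1: 16-bit address, S2: 24-bit, S3: 32-bit
		raw, err := hex.DecodeString(line[2:])
		if err != nil || len(raw) < addrLen+2 || int(raw[0]) != len(raw)-1 {
			return nil, 0, fmt.Errorf("record %d: malformed", n+1)
		}
		sum := 0
		for _, b := range raw[:len(raw)-1] {
			sum += int(b)
		}
		if byte(0xFF-(sum&0xFF)) != raw[len(raw)-1] {
			return nil, 0, fmt.Errorf("record %d: checksum mismatch", n+1)
		}
		var addr uint32
		for _, b := range raw[1 : 1+addrLen] {
			addr = addr<<8 | uint32(b)
		}
		if img == nil {
			base = addr
		}
		if addr < base {
			return nil, 0, fmt.Errorf("record %d: address below load base", n+1)
		}
		data, off := raw[1+addrLen:len(raw)-1], int(addr-base)
		if grow := off + len(data) - len(img); grow > 0 {
			img = append(img, bytes.Repeat([]byte{0xFF}, grow)...)
		}
		copy(img[off:], data)
	}
	if img == nil {
		return nil, 0, fmt.Errorf("no data records")
	}
	return img, base, nil
}

// findStrings returns every run of at least minLen printable ASCII bytes, like strings(1).
func findStrings(img []byte, minLen int) (out []string) {
	re := regexp.MustCompile(fmt.Sprintf(`[\x20-\x7e]{%d,}`, minLen))
	for _, m := range re.FindAll(img, -1) {
		out = append(out, string(m))
	}
	return out
}

func main() {
	img, base, err := parseSREC(sampleSREC())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d bytes at 0x%08X: %q\n", len(img), base, findStrings(img, 5))
}
```

The checksum is a plain ones'-complement sum, so it catches transmission damage but stops nobody: an attacker who edits a record recomputes it in one line, exactly as srecS3 does, which is why the OEM list on this page asks for a signature on top. The strings pass is deliberately dumb; grep its output for password, admin, key, http and the vendor's name before opening a disassembler.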
Example 1 cont.
• Smart meter equipped with 4G module
• Many examples of public-facing devices
Example 2 – Ubiquitous Library Vulnerability
• BusyBox is a popular embedded utility suite (many Unix tools compiled into one executable)
• BusyBox used OpenNTPD code for its NTP implementation
• OpenNTPD had a vulnerability patched in 2009
• BusyBox did not recognize or incorporate that patch into its source code until 2016 (~7 years)
Example 3 – PLC
For a proof of concept I deface the landing page of a PLC.
Example 3 – PLC cont.
OOPS!… I broke it
I somehow corrupted the Hardware ID. The device will no longer accept firmware because the Hardware ID does not match. I was able to identify the Hardware ID signature in the firmware file; now I must edit it to match the unknown Hardware ID the PLC identifies as.
FIXED!… sort of
INL Related Work
Related work in firmware security:
• Supply chain security
• Indicators of compromise + remediation
• Software library detection
INL Related Work – Indicators
Create indicators of compromise (firmware update)
Indicators written in STIX format using a tool called STIG
INL Related Work – Indicators
Extract a copy of firmware from the network; INL is in the process of releasing "Firmware Extractor"
INL Related Work – Library Detection
Use machine learning to identify what's in a firmware image.
INL Related Work – Why use Machine Learning?
The same source code built with different compiler options produces drastically different binary output, so a fixed byte signature for a library does not carry over from one build to the next.
COTS Library Identification Software
Unfortunately I can't share too much on this topic (endorsement)
Ask for a demo before purchasing
Questions?
Summary:
• Firmware is a lucrative target for adversaries
• Updates are important; keep track of which firmware each device is loaded with
• Ensure firmware is coming from a trusted source
• Ideally firmware should be encrypted and signed