This talk is about finding obvious security bugs in embedded devices. He will not say anything about which things you shouldn’t do; that is stuff you should already know. Still, these obvious bugs are present in embedded devices (which are never updated).
Supply chains in embedded work like the waterfall model, so it is extremely expensive to fix things downstream. Bugfixes are not applied to the SDKs of older products and are certainly not actively pushed downstream. ODMs react with “this device is EOL anyway, consumers should buy a new one”. Nor are the fixes propagated back to the source from which the ODM got its software in the first place.
To at least identify the lowest hanging fruit, the kind of bugs that have been known for years, Armijn is working on the Deep Firmware Inspection tool (sponsored by the Dutch National Cyber Security Center). The goal is to scan (third-party) embedded devices before they are deployed. The project is done as much as possible in the open, with defensive publications etc. Armijn is also talking to upstream chipset manufacturers.
Subprojects: ClamAV, binary analysis of CVEs, …
The primary building block is the Binary Analysis Tool (which Armijn originally wrote for license compliance). It is actually a toolbox with several analysis capabilities. Files are extracted from the firmware blobs; the tool then looks for identifiers and string constants (which are not stripped) and compares them against source code. With enough data, it is possible to make a really good guess of which program (and version) was used, and from that you can correlate the version with licensing or security information.
Next to CVEs, he can also search the source code for known smells, and then check whether that source file was actually used in the binary. CERT has a list of known smells that is a good basis.
The end result is a list of potential vulnerabilities that he can hand to an auditor, who has to vet them manually.
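The identification step described above (extract unstripped string constants, score them against a per-version signature database, then look up the matched version's security and licence records for the auditor) as an added example; this is not code from the Binary Analysis Tool or the Deep Firmware Inspection project. The binary, program names, signature strings and record ids are all constructed placeholders.

```python
import re

# `strings`-style heuristic: a run of at least four printable ASCII bytes.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed stand-in for a file carved out of a firmware blob: an ELF-like
# header, opaque bytes and a few unstripped string constants (hypothetical).
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x90\x90"
    + b"Server: httpd-lite\x00httpd-lite/1.0\x00" + b"\xde\xad\xbe\xef"
    + b"parse_request: bad method\x00ab\x00legacy_auth_check\x00"
)

# Constructed signature database: (program, version) -> string constants that
# occur in that version's sources. A real one is generated from source trees.
SIGNATURES = {
    ("httpd-lite", "1.0"): ["httpd-lite/1.0", "Server: httpd-lite",
                            "parse_request: bad method", "legacy_auth_check"],
    ("httpd-lite", "2.0"): ["httpd-lite/2.0", "Server: httpd-lite",
                            "parse_request: bad method", "tls_handshake_init"],
    ("miniftpd", "0.9"): ["220 miniftpd ready", "PASV mode", "RETR"],
}

# Constructed records keyed on the identified version; placeholder ids only.
RECORDS = {
    ("httpd-lite", "1.0"): {"license": "LICENSE-PLACEHOLDER",
                            "advisories": ["ADVISORY-PLACEHOLDER-1"]},
    ("httpd-lite", "2.0"): {"license": "LICENSE-PLACEHOLDER", "advisories": []},
}

def extract_strings(blob: bytes) -> set:
    """Return the printable string constants left in an unstripped binary."""
    return {m.group().decode("ascii") for m in PRINTABLE.finditer(blob)}

def rank_candidates(found: set, signatures=SIGNATURES) -> list:
    """Score each (program, version) by the share of its signature strings
    present; substring matching tolerates prefixes and format-string noise."""
    scores = {key: sum(any(s in f for f in found) for s in sigs) / len(sigs)
              for key, sigs in signatures.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

def identify(blob: bytes, min_score: float = 0.75):
    """Best guess of program/version plus the records to hand to an auditor;
    None when no candidate clears the confidence threshold."""
    (prog, ver), score = rank_candidates(extract_strings(blob))[0]
    if score < min_score:
        return None
    rec = RECORDS.get((prog, ver), {"license": "unknown", "advisories": []})
    return {"program": prog, "version": ver, "score": score, **rec}
```

The result is a candidate for manual vetting, not a confirmed finding: a shared string such as the server banner raises the score of every version that contains it, which is why the threshold and the version-specific strings matter.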
With this tool, it will be easier for third parties to evaluate whether a device is vulnerable. For instance, the Dutch government can use this in its buying decisions.
But still… For companies and for consumers, device security is not a feature, so who will invest in it?
You need a database of signatures to match against. Building that is a lot of work. Maybe it should be crowdsourced, so that people who find some new source can add to it.