Firmware Reviewer Cloud Service provides in-depth firmware analysis (binaries, file systems, containers, virtual machines, IoT, UEFI, Appliances, Network Devices, Smart Meters, Surveillance devices, Drones, etc.), allowing to explore vulnerabilities at the same time to keeping the software securely in your own hands, for your eyes only. It can be used for a bunch of binary file formats, withNo need of related physical device. Further, we offer a Firmware Image Check certification.

Quick Overview in PDF Format.

Firmware Reviewer is part of Security Reviewer Suite.

...

Main Topics

Task Automation

Firmware analysis is a tough challenge with a lot of tasks, completely automated by Firmware Reviewer, either with new approaches or incorporation of existing tools, so that a security analyst can focus on his main task: Analyzing the firmware (and finding vulnerabilities).

...

It is available in Cloud only. For further explanation, please take a look to FAQ section.

System Requirements

Firmware Reviewer is a Cloud service accessible via Internet through a Standard Browser. Latest versions of Edge Chromium, Google Chrome and Mozilla FireFox are supported.

...

• Minimum RAM: 4GB (8GB is recommended)

• CPU Cores: 2 (4 is recommended)

• Free Disk Space: the minimum required by your browser. In case the Client App is used, you need triple the size of your Firmware Image available on your disk.

Main Topics

Cloud Service

Firmware Reviewer offers a Cloud platform for Analyzing and continuously Monitoring your Firmware images.

...

Keep your Firmware Secured

A For Linux Users, a Client App (Firmware Reviewer Submit InterfaceLocal Analyzer) is optionally available, enabling teams to scan locally.

Registered Linux Customers simply use this App for retrieving image’s relevant information and send it encrypted to Firmware Reviewer engine.

...

• Firmware images won’t be uploaded to the internet

• Firmware images never leave your workstation.

• Firmware Analysis' Results and Reports will be stored and downloaded using AES-256 encryption.

• Nor the Cloud server administrator can access the results and reports.

• The encryption key is known only by you.

Compliance

Firmware Reviewer provides Reports compliant to:

• OWASP TOP 10 INTERNET OF THINGS 2018 and OWASP IoT Security Verification Standard and Embedded Best Practices

• ENISA - Baseline Security Recommendations for IoT and Guidelines for Securing the Internet of Things

• NIST Security Feature Recommendations for IoT Devices

• DCMS GOV.UK - Code of Practice for consumer IoT security

• ETSI TS 103 645 V1.1.1 - Cyber Security for Consumer Internet of Things and Cyber Security for Consumer Internet of Things: Baseline Requirements

• BITAG - Broadband Internet Technical Advisory Group

• SB-327 Information privacy: connected devices

• GSMA IoT Security Guidelines

• CTIA Cybersecurity Certification Program for IoT Devices

• CSDE C2 Consensus on IoT Device Security Baseline Capabilities

• CCDS Connected Consumer Device Security Council

• Automotive Grade Linux Software Defined Connected Car

• CSA Internet of Things Security Landscape

• CISCO-NSA Router Security Configuration Guide

• CVE Common Vulnerabilities and Exposures

• CWE Common Weakeness Enumeration

• CVSSCommon Vulnerability Scoring System

IoT

With widespread publicity of the Internet of Things (IoT), more and more devices are becoming network connected evidencing how essential it is to create secure coding guidelines for embedded software. Embedded Application Security is often not a high priority for embedded developers when they are producing devices such as routers, managed switches, medical devices, Industrial Control Systems (ICS), VoIP phones, IoT devices, and ATM Kiosks due to other challenges outside of development. Other challenges developers face may include, but are not limited to, the Original Design Manufacturer (ODM) supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint.

...

Firmware Reviewer results are enriched with threat intelligence from Shodan and the NIST NVD.

Supported Devices

Firmware Reviewer has been tested with the following devices types:

• 3D-Printers

• Appliances

• Base Stations

• Biometric

• BIOS

• Cameras

• Drones

• Industry 4.0 Devices

• IoT Gateways

• Mobile

• Network (Consumer, Core, Radio)

• Receivers

• Satellite

• SCADA-PLC-PAC

• Smart Meters

• Smart TV

• Surveillance (Home, Industry, Government, Banking)

Supported Vendors

Firmware Reviewer supports several file types:

...

Further, eCos hardware is supported. Some of the types might seem curious. E.g. postscript while being used for text mainly is seen as container for update formats of printer firmware.

Firmware Security Testing Methodology

The OWASP Firmware Security Testing Methodology is composed of nine stages tailored to enable security researchers, software developers, consultants, hobbyists, and Information Security professionals with conducting firmware security assessments. Firmware analysis is a tough challenge with a lot of tasks. Many of these tasks can be automated (either with new approaches or incorporation of existing tools) so that a security analyst can focus on its main task: Analyzing the firmware (and finding vulnerabilities). Firmware Reviewer implements this automation leading to more complete analysis as well as a massive speedup in vulnerability hunting and is able to assist you during all the nine stages:

...

There is obviously no silver bullet (read tool) that can cover (test) the whole Firmware/IoT eco-system attack surface. Our aim is to reach as close as possible i.e. to cover as many Firmware/IoT protocols, hardware platforms and products as possible. We will explain the coverage of the framework based on protocols and technologies including the what, why and how of each plugin.

Code Of Practice

In October 2018, Government of UK published code of practice for IoT vendors to improve the security of consumer IoT products, The document listed 13 guidelines for consumer IoT devices that are connected to the Internet and/or home network such as smart cameras, TVs, home appliances and home automation systems. The GOV.UK guidelines can also be mapped to several industry standards and best practices on IoT security that includes ENISA and IoT Security Foundation. A detailed mapping between these guidelines has been published in a separate document. The following guidelines were concerned with secure firmware development:

Firmware Reviewer automatically addresses those UK Government Guidelines. However, there have been different IoT Security guidelines published by different parties as good practices or baselines while there is no global standard for IoT Device Security, which as a result has created confusions in both vendors and users. They not only know which guidelines they should follow or which practices they should apply but also find a significant number of the practices impractical or irrelevant to their cases.

Unique Features

• Analyze files on multiple different environments in parallel

• Use any prepared image to detect APTs and harden against evasive malware

• Unique, Highly configurable Hybrid Analysis Technology that analyzes full process memory

• Extensive third-party integrations (e.g. IP cross-reference checks, whitelisting)

• Advanced anti-analysis detection (e.g. action scripts that simulate human behavior)

• Threat Score (quickly understand the malicious impact of your artifact), further to Compliance Standards

• Compare between different versions

Supported

...

CPUs

Firmware Reviewer supports the following CPU Architectures:

    'ARM': ['ARM'],
    'AARCH64': ['aarch64'],
    'PPC': ['PowerPC', 'PPC'],
    'MIPS': ['MIPS'],
    'x86': ['x86', '80386', '80486', 'i386'],
    'SPARC': ['SPARC'],
    'RISC': ['RISC', 'RS6000', '80960', '80860'],
    'S/390': ['IBM S/390', 's390'],
    'SuperH': ['Renesas SH', 'sh4', 'sh4eb'],
    'Alpha': ['Alpha'],
    'hppa': ['hppa', 'pa-risc'],
    'sb4': ['sb4'],
    'ia64': ['ia64', 'itanium', 'ia-64'], 
    'cuda': ['cuda'],
    'avr': ['avr', 'atmel', 'Atmega32A'], 
    'dlx': ['DLX'],
    'mico': ['mico32'],
    'mmix': ['MMIX'],
    'M68K': ['m68k', '68020'] 

Supported Platforms

Firmware Reviewer analyzes cyber threats on:

...

• Windows (XP, Vista, W7, W7 x64, W8, W10)

• Linux (RedHat, CentOS, Fedora, Ubuntu, Debian, FreeBSD, NetBSD, and OpenBSD)

• Unix (A/UX, AIX, HP-UX, illumos, IRIX, OpenServer, Solaris, Tru64 UNIX)

• Mac OSX

• Android

• iOS

Supported File Systems

Firmware Reviewer is able to analyze several file systems like:

...

The main idea is to provide a tool for rapid analysis of filesystem images as part of a firmware security. Firmware Reviewer takes a configuration file that defines various rules for files and directories and runs the configured checks against a given filesystem image. 

...

Supported Protocols

Further to NRF24, Wifi, and IP-networking, the following protocol are supported:

• AMQP

• BACNet

• Bluetooth LE

• CANBus

• CoAP

• DICOM

• DNP3

• DNS

• HL7

• I2C

• LoRA

• mDNS

• Modbus

• MQTT

• NFC

• ProfiBus

• RFID

• SPI

• SSH

• UART

• UDP

• UPnP

• XMPP

• WebSocket

• Wireless HART

• Zigbee

• Zwave

Comparison between Versions

The File Compare check is a mechanism to compare a file from a previous run with the file from the current run. It provides more insights into file changes, since it allows comparing two versions of a file rather than comparing only a digest. Last, the Tree Check will produce an informational output listing new files, deleted files, and modified files. Firmware Reviewer can compare several images or single files. Furthermore, Unpacking, analysis and compares are based on plug-ins guaranteeing maximal flexibility and expandability.

...

In many cases you might want to compare Firmware samples. For instance, you might want to know if and where a manufacturer fixed an issue in a new firmware version. Or you might want to know if the firmware on your device the original firmware is of provided by the manufacturer. If they differ, you want to know which parts are changed for further investigation. Again, Firmware Reviewer is able to automate many of these challenges, like: Identify changed / equal files and Identify changed software versions.

Find other affected Firmware Images
If you find a new vulnerability or a new container format, you might want to know if other firmware images share your finding. Therefore, FIrmware Reviewer stores all firmware files and analysis results in a searchable database visible to authorized users only. You can search for byte patterns on all unpacked files as well as any kind of analysis result.

Accuracy

For validating our result’s accuracy, we have developed a fully automated framework and used it to test vulnerability discovery at large scale. Our system was able to find statically 38 new vulnerabilities for each of 16785 firmware packages. In addition to this, our system was able to discover dynamically 225 high-impact vulnerabilities (OWASP IoT Top Ten 2018) in at least 20% of emulated embedded web interfaces.

...

In our evaluation, we used the score fusion technique to improve the accuracy of identification. The Score Fusion technique is widely and actively used in various research fields, such as biometrics and sensors data. It is used to increase the confidence in the results and to counter the effect of imprecisely approximated data (e.g., fingerprints in biometrics) and unstable data readings (e.g., sensors data). We take as input the decreasingly ordered rankings from each of the scoring systems described above. Then, we apply majority voting to each ranking from these three scoring systems. This allows our system to decide which match is the most accurate based on its scores computed using the three different scoring systems.

DISCLAIMER: Firmware Reviewer never operates on physical devices. Security Reviewer declines all responsabilities derived by inappropriate use of Firmware Reviewer software.

...

Firmware Reviewer Security Policy

Firmware Reviewer Cloud Service provides in-depth firmware analysis via Web GUI. Does not require installation on client-side. It needs a Web Browser only.

Firmware Reviewer does not require the Firmware source code.

Users must download the Firmware image themselves. Firmware Reviewer never access to physical devices.

Our Cloud infrastructure guaranteed to stay always up to date on Firmware Vulnerabilities analysis, while maintaining your data secured.

Firmware Reviewer does not handle Sensitive or Personal Data. Usernames are represented by a sequence of alphanumeric characters from which is impossible to reveal information about the real Users. Once the Users got their Username and Password, they can login and Upload the Firmware Image they want to analyze.

The Firmware Image will be encrypted using AES-256, Uploaded using TLS 1.3 secure protocol and stored in a crypted DB Table.

Before Uploading, it is mandatory for the User to accept a Disclaimer to avoid improper use of Analysis’ Results and Reports, and to confirm the User is fully authorized by the Customer and by the Vendor (the Firmware owner).

The Analysis Results will be available between 48 hours from the Upload.

Temporary files and intermediate data, generated during the analysis, even intercepted, do not permit to reverse engineering neither the Firmware Image, nor the Analysis’ Results. They will be securely removed on each Analysis’ step.

The Analysis’ Results and Reports won’t be shared to anyone else, further than authorized internal Users. They won’t be visible neither fully nor partially on the Internet, neither on Social Media, nor in Electronic nor in Paper publications.

Analysis’ Results and Reports will be stored in crypted DB Tables, even intercepted, it will be impossible to relate them to the original Firmware Image.

Not the Firmware Reviewer Cloud Service administrator can download Firmware Images, Results and Reports, without express, written, authorization by Customer.

Users, once the Reports has been downloaded, can decide to erase them or not. The same for Analysis’ Results.

DISCLAIMER: Firmware Reviewer never operates on physical devices. Security Reviewer declines all responsabilities derived by inappropriate use of Firmware Reviewer software.