Finding N-Day Firmware Vulnerabilities in Embedded Devices

Stage 2

This session will describe an automated system for identifying n-day vulnerabilities in embedded ICS endpoints via firmware analysis … and as you can imagine it finds many in ICS embedded devices. When a critical vulnerability is disclosed in an operating system or library, the device it was found in is disclosed, but the vast number of other affected devices remain undisclosed, often because the manufacturer is unaware or the product is end-of-life and no longer supported. Asset owners typically do not have sufficient access to their own devices to easily determine whether software with these known vulnerabilities is running on them.

Attackers, however, as a first step when analyzing target devices, will reverse engineer the firmware and quickly find such n-day vulnerabilities. Shedding light on these black-box firmware images in order to notify the public about n-day vulnerabilities is a critical step towards improving the overall security posture of embedded systems.

Multiple n-day vulnerabilities, n-days in previously undisclosed devices, and a path forward towards systematic automation of finding n-days in embedded device firmware will be presented. The session will also demonstrate current defenses that can protect devices despite such vulnerabilities. A generic VxWorks 5.5 vulnerability and a wide range of PLCs and building controllers will be used as examples. Something close to a Cyber Reasoning System is used to generate a proof of vulnerability given a high-level description of a vulnerability.
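The core of the n-day matching the abstract describes is simple to state: fingerprint the components inside an extracted firmware image, recover their versions, and compare those against the affected-version ranges of published advisories. The script below is an added illustration of that matching step, not the speakers' system or any tool from the session. It walks a firmware root directory, pulls version strings out of file names and file contents with byte regexes (a VxWorks banner pattern and a hypothetical `libexample` shared-library name), and reports hits against a constructed advisory table. The advisory ids, the affected ranges and the sample firmware tree are all made up for the demo; a real deployment would populate the table from vendor and NVD data and would add many more fingerprints.

```python
"""Version-range n-day matching over an extracted firmware tree (added example)."""
import os
import re
import tempfile

# Constructed "known vulnerable" table: (component, lowest affected version,
# highest affected version, advisory id). Bounds are inclusive. The advisory
# ids are placeholders, not real identifiers, and the ranges are invented.
VULN_TABLE = [
    ("vxworks", "5.0", "5.5.1", "ADVISORY-PLACEHOLDER-1"),
    ("libexample", "2.0.0", "2.3.4", "ADVISORY-PLACEHOLDER-2"),
]

# Fingerprints: byte regexes applied to a file's name and contents; group 1 is
# the version string. The libexample pattern is hypothetical.
FINGERPRINTS = {
    "vxworks": re.compile(rb"VxWorks\s*(\d+(?:\.\d+)+)"),
    "libexample": re.compile(rb"libexample\.so\.(\d+(?:\.\d+)+)"),
}


def parse_version(text):
    """Turn '5.5.1' into (5, 5, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def in_range(version, low, high):
    """Inclusive range check; shorter tuples are zero-padded so 5.5 == 5.5.0."""
    width = max(len(version), len(low), len(high))

    def pad(v):
        return v + (0,) * (width - len(v))

    return pad(low) <= pad(version) <= pad(high)


def fingerprint_blob(name, data):
    """Yield (component, version) for each fingerprint hit in the name or bytes."""
    haystack = name.encode() + b"\x00" + data
    for component, pattern in FINGERPRINTS.items():
        for match in pattern.finditer(haystack):
            yield component, match.group(1).decode()


def match_vulns(component, version):
    """Return advisory ids whose affected range covers this component version."""
    parsed = parse_version(version)
    return [adv for comp, low, high, adv in VULN_TABLE
            if comp == component
            and in_range(parsed, parse_version(low), parse_version(high))]


def scan_tree(root):
    """Walk an extracted firmware tree; return sorted (relpath, component, version, advisory)."""
    findings = set()
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as fh:
                data = fh.read()
            for component, version in fingerprint_blob(filename, data):
                for advisory in match_vulns(component, version):
                    findings.add((os.path.relpath(path, root), component, version, advisory))
    return sorted(findings)


def build_sample_firmware():
    """Create a constructed firmware tree in a temp dir and return its root path."""
    root = tempfile.mkdtemp(prefix="fw_")
    os.makedirs(os.path.join(root, "lib"))
    # Kernel image: version banner buried among binary bytes (constructed).
    with open(os.path.join(root, "vxWorks.bin"), "wb") as fh:
        fh.write(b"\x7fELF\x00\x00" + b"\x90" * 16 + b"VxWorks5.5.1\x00" + b"\xff" * 8)
    # Affected library: version carried only in the file name (constructed).
    with open(os.path.join(root, "lib", "libexample.so.2.3.4"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 12)
    # Patched library just above the affected range: must not be reported.
    with open(os.path.join(root, "lib", "libexample.so.2.4.0"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 12)
    return root


if __name__ == "__main__":
    for relpath, component, version, advisory in scan_tree(build_sample_firmware()):
        print(f"{relpath}: {component} {version} affected by {advisory}")
```

Two details matter for an asset owner reading the results: versions are compared as integer tuples (a string compare would rank 5.10 below 5.5), and a version that sits just outside the affected range, like the 2.4.0 library above, produces no finding. Fingerprints and the advisory table are the parts that grow; the matching logic stays the same.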

Attacks and Attackers