IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area, the used operating systems are summarized with the term firmware. The devices themselves, also called embedded devices, are essential in the private and industrial environments as well as in the so-called critical infrastructure. Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection: With EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more. EMBA is the open-source firmware scanner, created by penetration testers for penetration testers. Project page: https://github.com/e-m-b-a/emba Conference page: https://www.blackhat.com/us-22/arsenal/schedule/index.html#emba--open-source-firmware-security-testing-26596

1. #BHASIA @BlackHatEvents
EMBA
Firmware
security
analyzer
@securefirmware
https://github.com/e-m-b-a
Michael Messner, Pascal Eckmann

2. #BHASIA @BlackHatEvents
# whoami
Michael Messner
Penetration tester
Firmware analysis
Hardware analysis
Siemens Energy AG
@s3cur1ty_de
https://github.com/m-1-k-3
@ michael.messner@siemens-energy.com

3. #BHASIA @BlackHatEvents
# whoami
Pascal Eckmann
Cybersecurity Engineer
Security Research
Siemens AG
@_p4cx
https://github.com/p4cx
@ pascal.eckmann@siemens.com

4. The landscape

5. What the firmware analysis
• Firmware is the operating system
• Linux analysis techniques can be used quite often and are well known
• Commercial tools are available, but they are expensive and limited
• EMBA has no limits, costs no money and gives the best results

6. The typical workflow
• Do some strings
• Do some binwalk
• Do some find
• Do some regex
• Do a lot google
• Load something into IDA/Ghidra
• Do something

7. EMBA to the rescue
Get the firmware (vendor, hardware)
Extract the firmware (e.g., Linux filesystem, Kernel)
Analyze the firmware
Report all the things
Firmware
binary file
EMBA
extractor
modules
EMBA
analyzer
modules
EMBA live
tester
modules
EMBA final
aggregator
Web
report
generator
Access the
firmware

8. Get the firmware
• Updates from vendor / web site
• Shell access – copy the filesystem via scp, ftp, tftp, nc or to storage device
• Other vulnerabilities e.g., command injection
• JTAG / SWD
• Communication sniffing (e.g., SPI)
• Desolder Flash memory and extract the content

9. The easiest way
Binwalk all the things

10. The EMBA extraction process
EMBA
extraction
modules
Identify Linux
root
filesystem
Ext/UFS
filesystems
VMWare
images
Encrypted
images
Special
images
Other
systems
Mount &
copy
Mount &
copy
Decrypt
(leaked keys)
Custom
tool
Binwalk
EMBA
analyzer
Deep
extraction
Ext/UFS filesystems
VMWare images
Encrypted images
Special images
Other systems
Mount & copy
Mount & copy
Decrypt (leaked keys)
Custom
tool (e.g. Freetz NG)
Binwalk
Identify Linux
root
filesystem
OK
Not OK
Always
Basic
compression
Extract
(patool)

11. Finally, we have something extracted
Which files and directories are there?
Which binaries, configuration files, …
Which architecture are we dealing with?
Which binary protections are in use?
Which Software versions in use?
Is some outdated software in use?
Which areas are from the vendor, which are open source?
Where are possible weak spots or interesting functions used?
Which kernel?
Are there hard-coded passwords?
Scripting issues (shell, python, php, …)?
Insecure permissions?
Weak configurations?
Public exploits?
Dynamic analysis?
Reporting
EMBA
analyzer
modules

12. Don’t reinvent the wheel
See also: https://github.com/e-m-b-a/emba/wiki/Installation#dependencies
Multiple Linux tools
binwalk
Freetz-NG
Checksec.sh
CVE and CVSS databases
CVE-Search
CVE-Searchsploit
cwe-checker
GHIDRA
Docker
Radare2
fdtdump
linux-exploit-suggester
OpenSSL
uboot mkimage
objdump
pixd
bandit
progpilot
Qemu
shellcheck
sshdcc
tree
unzip
sudo parser
sshdc
Yara
and others …

13. #BHASIA @BlackHatEvents
System mode emulation
Fully automated

14. What is emulation?
In computing, an emulator is hardware or software that enables
one computer system (called the host) to behave like another
computer system (called the guest).
An emulator typically enables the host system to run software or
use peripheral devices designed for the guest system.*
* https://en.wikipedia.org/wiki/Emulator

15. Modes of emulation
• User-mode emulation
QEMU can launch Linux processes compiled for one CPU on another
CPU, translating syscalls on the fly.

16. Modes of emulation
• System-mode emulation
QEMU emulates a full system, including a processor and various
peripherals such as disk, ethernet controller etc.
Challenges:
• Architecture
• Kernel
• Filesystem
• Peripherals
• Furthermore

17. EMBA live tester modules
• Full system mode emulation goes to automated firmware analysis
• Based on firmadyne and FirmAE*
• Both projects are not actively maintained anymore
• Complete re-implementation as EMBA modules
• Automated testing of emulation and basic checks as additional testing modules
• Multiple improvements of emulation capabilities are already in place
• A lot of room for future improvements (e.g., new kernels)
https://github.com/firmadyne/firmadyne and https://github.com/pr0v3rbs/FirmAE/

18. EMBA live tester modules - Benchmark*
* https://github.com/pr0v3rbs/FirmAE/#dataset

19. Demo time

20. #BHASIA @BlackHatEvents
@ pascal.eckmann@siemens.com @ michael.messner@siemens-energy.com
EMBA
Firmware
security
analyzer
@securefirmware
https://github.com/e-m-b-a
Michael Messner, Pascal Eckmann