Security threat to networked systems

Interaction with networked systems is increasingly becoming part of everyday life: a morning look at the smartphone, telephone calls via the home router, switching on the heating with an Alexa-controlled thermostat. The multitude of »mini-computers« found in private homes, public spaces and offices offers a huge target for computer crime. To address the risk factor of vulnerable networked systems, the Fraunhofer FKIE has developed the »Firmware Analysis and Comparison Tool« (FACT).

FACT, initially developed with the support of the German Federal Office for Information Security (BSI), aims to provide a publicly available tool for the automated analysis of firmware, the basic operating software of a computer system. The tool makes investigating the security of any device manageable for analysts and users.

The »Firmware Analysis and Comparison Tool« (FACT) is based on a multi-level procedure. At each level, appropriate modular tools are used to analyze the firmware and its components.

It is important to understand at the outset that firmware usually consists of a large number of components. The latest generation of home routers usually use Linux as the basis for their firmware, as indicated in the »Home Router Security Report 2020«. However, the number of files contained in a minimally configured Linux system optimized for a router's special requirements is still in the four to five-figure range.

The initial stage of FACT is therefore to extract the firmware into its individual components. Since many manufacturers use their own format for their firmware, FACT uses a variety of extraction modules developed in-house along with the better-known tools.

Once FACT has unpacked the components, it automatically recognizes their respective types in order to analyze them in a meaningful way. An executable file is then inspected to determine the software used and potential coding errors, while text files are searched for passwords and the like.

Finally, FACT collects all the analyses in a well indexed database to present the results via a web interface in a clear and understandable way. The database also makes it possible to collect analyses over a certain time period, which offers administrators, developers and scientists further potential applications.

FACT was publicly used for the first time in the context of the »Home Router Security Report 2020«. For this whitepaper, FACT was used to investigate 127 current home routers for a number of security relevant features.

The results of the report show that in most cases the tested routers exhibited a variety of security problems that could be avoided by better design practices.

Since FACT performs purely static analysis of firmware, the whitepaper alone cannot draw any conclusions about the actual vulnerability of the tested systems. Consequently, the FKIE will continue to develop methods to optimize the validity of the analyses and thus the precision of the security assessments.