In this introductory article, we discuss the challenges around extracting binaries – especially from embedded systems – and how ObjectSecurity’s VAPT series is designed to support you.

Manual extraction

Extracting the firmware from embedded systems is currently a cumbersome, manual task that often involves significant trial and error and considerable skill. A technical expert needs to probe various connectors on the device and work out pin layouts, baud rates, voltages, etc. Once successful, the technical expert may be presented with a console shell, which may sometimes ask for login information. Once logged in, the expert often finds a stripped-down operating system that makes mounting external storage challenging. Once external storage has been mounted successfully (e.g. via USB), the firmware can be extracted and uploaded into the binary analysis solution.

Manufacturer tools

If you are fortunate, your device manufacturer may provide you with diagnostics tools for the device under test. If so, these tools often make extraction much easier and more reliable. However, many organizations do not have access to such manufacturer-specific diagnostics tools, or manufacturers do not offer them. Also, you likely need a manufacturer-specific diagnostics tool for each kind of device.

Extraction device platform

Unfortunately, there is currently no one-size-fits-all device that can extract the firmware from all embedded systems.

We have developed a pre-release of a handheld device platform that supports extraction from a (small-ish) number of embedded systems out of the box, via common connectors such as console serial ports, USB, UART etc. If you are interested in how this works, please check out the demo video on our VAPTBOX page. This pre-release device hardware/software platform makes it easier for organizations to develop repeatable and automated extraction tools for their devices – and ObjectSecurity can also assist.

In conclusion, there is really no one-size-fits-all, easy way to extract the firmware from embedded systems for binary vulnerability analysis. Please talk to us about your experiences and/or requirements in this area, and please check back regularly as we have exciting features planned for the full release of the connect/extract device.

Contact us. Let’s get the conversation started.

ObjectSecurity securely brings together data & analytics to create intelligence and automation.

We are leading experts in technologies and services to drive the information age in your organization – including: cybersecurity, data analytics, supply chain risk analysis, and artificial intelligence.