Definition of Attacker Model
Attack Surface Analysis (ASA)
Technical Security Audit
Proof of Concept (PoC)
Security Audit Report
For our Embedded Security Audits, we use a well-defined auditing workflow:
Step 1 - Definition of Attacker Model and Audit Depth: Together with our customers, we define the audit depth, aggressiveness, specific customer requirements and types of attackers that should be considered during the security tests. For embedded systems, this also includes the consideration of different types of physical access types.
Step 2 - Attack Surface Analysis (ASA): In accordance with the defined attacker model, we analyze which parts of the embedded hard- and software components can be reached by attackers (attack surface).
Step 3 - Technical Security Audit: This is the main part of the security audit. We typically use a combination of established automated and manual testing techniques to identify security vulnerabilities. Depending on the audit depth this may include hardware analysis, firmware extraction using techniques from our Hardware Security Lab as well as firmware and protocol security testing.
Step 4 - Proof of Concept (PoC): For identified security vulnerabilities, we develop Proof of Concept (PoC) exploits. The PoC exploits demonstrate the identified vulnerabilities, they ensure high reproducibility of our results and they can be utilized for testing purposes during development of subsequent security fixes.
Step 5 - Security Audit Report: In the final step, our customers receive a detailed report that includes a description of the conducted tests, the identified security flaws and suggested security fixes.
Our Analysis Techniques
Communication Protocol Analysis and Testing
Static and Dynamic Code Analysis
(Disassemling, Debugging and Decompilation)
Firmware Reverse Engineering
Source Code Reviews
Manual Code Analysis
Guided Firmware-in-the-Loop Fuzz Testing with the Trustworks Fuzz Testing Suite
Our PROSPECT technology allows us to employ advanced emulation technologies to conduct tests on systems with proprietary peripheral devices
Want to know more ?
Black-Box Security Audit/Penetration Test
In a typical scenario, you have a proprietary hardware or embedded system product installed and/or utilized at your site which should be tested for security. For instance, this could be an embedded office product such as a printer or camera, an IoT device, an automation or critical infrastructure field component, a control unit within an automotive or aviation infrastructure or even a single chip solution such as an NFC chip.
In a Black-Box Security Audit we do not have access to the source code and design documents of the hardware product. Depending on the audit requirements defined together with the customer, we can utilize the broad range of capabilities of our Hardware Security Lab to conduct security tests. In a typical scenario, we start with a lab test system installation in which the component that should be tested is included in a way so that its core functionality can be observed and utilized. At that point, depending on the security audit requirements, high- and low-level tests can be performed. High-level tests typically involve protocol testing such as on web interfaces or proprietary protocols. With low-level tests the firmware and/or the contained logic is extracted from the device for subsequent analysis. In the case of firmware, we work with the binary firmware in the configuration utilized within the device. We have extensive knowledge, internally developed testing tools and a more than 13 year long experience in Black Box security testing. To conduct security tests, we analyze the firmware under test within a product specific security testing environment and leverage established auditing techniques.
White-Box Security Audit and Source Code Review
In a White-Box Embedded Security Audit, the customer such as a hardware manufacturer or an in-house development division provides us with access to the design documents and source code of the product. Depending on the designs and programming languages, we utilize established review tools and manual reviews to identify security threats and vulnerabilities.
A White-Box Security Audit can be extended with static and dynamic code analysis on the embedded systems under test.
Communication Protocol Security Audit
In a Communication Protocol Security Audit, we focus on the security of the communication protocols ranging from high-level web interfaces to low-level proprietary bus or wireless communication protocols. In a typical scenario, we start with a lab test system installation in which the component, that should be tested, is included in a way so that its core functionality can be observed and utilized. Within the test setup we can scan for utilized protocols and services as well as analyze employed communication protocols for vulnerabilities. Depending on the audit requirements, we utilize established scanning and protocol analysis tools as well as manual protocol analysis to identify security threats and vulnerabilities.
Whenever necessary, we can resort to custom protocol testing tools and developments. This may also include the combination with advanced logic and firmware code analysis techniques to identify protocol functions in undocumented, proprietary communication protocols.
Wireless Security Audit
Your equipment uses wireless communication and you are not sure how easily it could get compromised? Are simple wireless replay attacks sufficient to compromise your physical security?
From Wi-Fi networks to digital directional radio links and NFC communication, we can analyze wireless communication channels as well as protocols for security vulnerabilities. Depending on the wireless technologies, we often use a combination of commercial testing equipment combined with Software Defined Radio (SDR) techniques. Especially SDR provides us with sophisticated signal analysis and signal generation capabilities. If in addition to the wireless signal also the wireless systems (e.g. a radio modem, a tag reader, etc.) can be accessed, we can effectively combine a wireless security audit with an embedded software security audit to obtain deep knowledge of proprietary (and possibly cryptographically protected) wireless protocols as well.
Security Concept Review
You are a hardware manufacturer or an embedded system developer and you plan to include your new security concept into an upcoming product release? We can help you address many security challenges through Security Concept Reviews.
We identify potential vulnerabilities and develop possible solutions for your security design and architecture concept. Our security review includes a detailed analysis of your concept, it highlights the concept’s security strengths and weaknesses, provides possible solutions to mitigate the weaknesses and ultimately allows you to increase the security of your upcoming product release at an early state prior to the software implementation.
Security Design & Architecture Consulting
Your embedded systems and/or hardware product needs a new security design or the current one should be improved? We bring in our security expertise and experience to help you in developing a solid security design and architecture that fulfills your requirements. We are used to working together with development teams and we understand many of the typical challenges that need to be addressed in complex embedded products.