Have you created a hardware product or software application? Do you sell it to end users? Have you evaluated the security issues that may be present within the product? Have you assessed the attack surface and how this could be hijacked or used by malicious users?
In a world of increasing online connectivity, the ability for malicious attackers to compromise innocent products and systems is ever growing. Botnets, worms as well as targeted attacks are all being used within cyber-attacks and an increasing number of weaknesses within 3rd party products are becoming available to attackers as users and organisations place this within their networked environments.
Nettitude can deliver an in-depth product teardown and security review against a wide range of manufactured products, software applications and components.
If you need to provide a level of assurance to your board, customers or industry that your product has been tested for cybersecurity weaknesses, then a product teardown is an essential element of your product lifecycle.
What Is A Product Teardown?
In essence, a product teardown is the reverse engineering of a hardware and/or software system to understand the real vulnerabilities, attack surfaces and weakness that reside within its composition and structure. Looking in-depth at each component, as well as the overall integration and communications between components allows for an in-depth review of the issues present.
From this, real changes can be made to secure, harden and manage the weaknesses present to ensure that a high security posture will be presented within your product.
We break product teardowns into 6 steps as shown in the diagram below:
Legal and regulatory requirements are increasingly geared towards ensuring that sensitive data is secured, monitored and reported if compromised. Establishing and maintaining an effective Incident Response capability can be a costly exercise for most organisations. Having a managed service gives you peace of mind that you have certified and experienced incident response experts available to conduct an effective investigation immediately.
- Hardware type and structure.
- Software components, languages and libraries.
- Document the threats and the most critical scenarios that could be played out against the targets product.
4. Security configuration review
- Manual review of configuration settings, defaults, firmware/software versions, vendor manuals, CVE research, etc.
2: Threat intelligence
- Understand the types of threats likely to target this product, and the attack surface, capabilities and motivations likely to be up against.
- OSINT, Interview, documentation and research.
- Document the threat intelligence found and how that would shape the approach and assurance work required for this context.
5. Product teardown/reverse engineering
- Fuzzing, reverse engineering and in-depth security assessment.
- Monitoring and debugging.
- Cryptography Research.
- Web Applications.
- Network & protocol analysis, data identification & extraction.
- Exploit Development.
- Penetration Testing.
3. Critical component identification
- What critical components, (physical and software), network links, connections are in place?
- Passive network analysis.
6. Recommendations & reporting
- Management report, debrief and recommendations around best practice.
- Technical reports, vulnerability disclosure, debriefs and recommendations.
A high-level general application approach can be detailed as followed:
- Document review – An open discussion with the vendor to understand the technical design and expected operations of the software/products will enable much faster analysis of the vulnerabilities and weakness that can be found. Datasheets and published information will be reviewed (Vendors documentation, previous research, blogs & forum comments. Default credentials, settings, etc.).
- Product teardown – The product (hardware or software) will be taken apart into its parts and each element identified in terms of its build, language, libraries, physical parts and key building blocks.
- Log file analysis – Data that is logged, options for logging will Penetration Testing be fully explored. This can sometimes give a clue on what is the next step in discovery bugs/vulnerabilities. What sort of data is stored and where?
- Application crashes – All application crashes from functional testing will be captured. The exact conditions/environments/variables under which the application can reveal vital information for us. Full memory dumps (not just dumps of the process) of the host device will be done for detailed analysis.
- Network analysis – All protocols, services and ports being used will be captured and analysed. Weak session authentication and encryption methods will be identified and exploitation attempted. Access to keys, certificates and other mechanisms to secure protocols will be investigated to try to bypass, intercept and manipulate the expected behaviour. Server/client communications can be captured, dissected and replayed in an attempt to control and manipulate behaviour.
- Fuzzing – A range of fuzzing attack vectors will be tested to identify weakness and vulnerable areas within the application. Variables, protocols, file formats, memory dumps as well as application inputs (UI, CL, files etc.). Based on the objectives of the test, the appropriate techniques will be used.
- Process monitoring – Through a detailed analysis on the host and conducting various reverse engineering techniques, process monitoring, native and OS/3rd party API tracking will be analysed. Functions an application calls can indicate possible injection points as well as any additional processes that can be manipulated to cause unintended behaviour. The use of 3rd party functions, libraries and code may point to a secondary line of attack.
- Open source vs commercial – Always check if there is an open source tool that can be used. Are there any OS components that are used that have known issues or for which the source code is available?
- Dynamic analysis/reverse engineering – Reverse engineering of relevant sections or areas of the application and dynamic analysis of the application will be conducted, if source code is not available.
- Regular penetration test – Our standard tools and methods for conducting penetration testing will also be deployed looking for the low hanging fruit.
- Protocol analysis and abuse – Any changes in the use of standard protocols will be examined. Known weaknesses in existing protocols will be identified & any customer changes reviewed in detail.
- Static analysis and code reviews – If source code can be made available or obtained, relevant analysis can be within the time possible if this will be conducted to identify design flaws and security concerns.
- Hardware vulnerability assessments – For example, device disassembly can also be undertaken looking at the physical circuit design and operation.
Nettitude have evaluated many devices and software applications on a range of end products in recent years. Staff have collectively many decades of experience working with low level programming, reverse engineering, vulnerability research and security assessments and evaluations.
Each year we conduct over 1000’s of penetration tests and security assessments against software applications, products and environments. These range from web apps, mobile apps and hardware devices, software applications, social engineering engagements, wireless and many other areas.
In addition we conduct 100’s security assessments and audits of systems and environments against a range of industry standards including NCSC, PCI (DSS and PA-DSS), ISO27001, Finance/Banking (UK and US), SANS Critical Controls, NIST and US Healthcare standards.
Nettitude have researched and tested in depth consumer tablets and phones released on the high street (both from a hardware and OS/Application level), banking systems such as ATM’s and payment card devices, hardware security modules (HMS’s), payment applications and many other types of mobile and end user systems where sensitive data has been used.
Nettitude are certified by the payment card industry security standards council (PCI SSC) to perform Payment Application Data Security Standard (PA DSS) assessments on authorised payment applications and conduct regular assessments throughout each year.
Nettitude is an award-winning global leader in the delivery of cybersecurity assurance testing, risk management, consultancy, incident response and threat intelligence services. We provide our clients with infrastructure, application, mobile and social engineering penetration testing services.
Nettitude also provide security assessment, architecture design and penetration testing of Industrial Control System and SCADA environments.