Automated Firmware Reverse Analysis Tool

On Thursday Ang Cui of Red Balloon Security and a graduate student at Columbia, demonstrated a new method for automating the process of reverse engineering firmware.

Cui is a member of the team of researchers that in December announced they had reverse engineered HP printer firmware updates. This resulted in a series of news stories about printers being set on fire because one of the modifications could allow the fuser to remain on, get hot, and burn the paper or the printer. HP countered by saying the fuser had a governor to keep that from happening, but hasn't spoken about the underlying problem with the printer updates.

Cui is now pursuing other embedded systems. In his presentation, he demonstrated how to modify a Cisco Router firmware update.

Cui said that FRAK stands for Firmware Reverse Engineering Analysis Konsole. This grew out of Cui's frustration with having to stare at the binary blob until he understood the proprietary file format being used. With FRAK he's able to automate that process and use it to find strings of useful data. In his presentation, he demonstrated how to modify a Cisco Router firmware update. He replaced an existing string composed of the phrase "this product contains" (a fairly common phrase in firmware) with a pixelated image of John Stewart, CSO of Cisco.

Cui said an open source version of FRAK will be available after Black Hat and DefCon.