At the 2012 DefCon security conference in Las Vegas, Ang Cui, an embedded device security researcher, previewed a tool for analyzing firmware, the foundational software that underpins any computer and coordinates between hardware and software. The tool was specifically designed to elucidate internet-of-things (IoT) device firmware and the compiled “binaries” running on anything from a home printer to an industrial door controller. Dubbed FRAK, the Firmware Reverse Analysis Console aimed to reduce overhead so security researchers could make progress assessing the vast and ever-growing population of buggy and vulnerable embedded devices rather than getting bogged down in tedious reverse engineering prep work. Cui promised that the tool would soon be open source and available for anyone to use.
“This is really useful if you want to understand how a mysterious embedded device works, whether there are vulnerabilities inside, and how you can protect these embedded devices against exploitation,” Cui explained in 2012. “FRAK will be open source very soon, so we’re working hard to get that out there. I want to do one more pass, internal code review before you guys see my dirty laundry.”
He was nothing if not thorough. A decade later, Cui and his company, Red Balloon Security, are launching Ofrak, or OpenFRAK, at DefCon in Las Vegas this week.
“In 2012 I thought, here’s a framework that would help researchers move embedded security forward. And I went on stage and said, I think the community should have it. And I got a number of emails from a number of lawyers,” Cui told WIRED ahead of the release. “Embedded security is a space that we absolutely need to have more good eyes and brains on. We needed it 10 years ago, and we finally found a way to give this capability out. So here it is.”
Though it hadn’t yet fulfilled its destiny as a publicly available tool, FRAK hasn’t been languishing all these years either. Red Balloon Security continued refining and expanding the platform for internal use in its work with both IoT device makers and customers who need a high level of security from the embedded devices they buy and deploy. Jacob Strieb, a software engineer at Red Balloon, says the company always used FRAK in its workflow, but that Ofrak is an overhauled and streamlined version that Red Balloon itself has switched to.
Cui’s 2012 demo of FRAK raised some hackles because the concept included tailored firmware unpackers for specific vendors’ products. Today, Ofrak is simply a general tool that doesn’t wade into potential trade secrets or intellectual property concerns. Like other reverse engineering platforms, including the NSA’s open source Ghidra tool, the stalwart disassembler IDA, or the firmware analysis tool Binwalk, Ofrak is a neutral investigative framework. And Red Balloon’s new offering is designed to integrate with these other platforms for easier collaboration among multiple people.
“What makes it unique is it’s designed to provide a common interface for other tools, so the benefit is that you can use all different tools depending on what you have at your disposal or what works best for a certain project,” Strieb says.
Lily Hay Newman