A Long-Awaited IoT Reverse Engineering Tool Is Finally Here

Ten years after it was first unveiled, the powerful firmware analysis platform Ofrak is now available to anyone.

At the 2012 DefCon security conference in Las Vegas, Ang Cui, an embedded device security researcher, previewed a tool for analyzing firmware, the foundational software that underpins any computer and coordinates between hardware and software. The tool was specifically designed to elucidate internet-of-things (IoT) device firmware and the compiled “binaries” running on anything from a home printer to an industrial door controller. Dubbed FRAK, the Firmware Reverse Analysis Console aimed to reduce overhead so security researchers could make progress assessing the vast and ever-growing population of buggy and vulnerable embedded devices rather than getting bogged down in tedious reverse engineering prep work. Cui promised that the tool would soon be open source and available for anyone to use.

“This is really useful if you want to understand how a mysterious embedded device works, whether there are vulnerabilities inside, and how you can protect these embedded devices against exploitation,” Cui explained in 2012. “FRAK will be open source very soon, so we’re working hard to get that out there. I want to do one more pass, internal code review before you guys see my dirty laundry.”

He was nothing if not thorough. A decade later, Cui and his company, Red Balloon Security, are launching Ofrak, or OpenFRAK, at DefCon in Las Vegas this week.

“In 2012 I thought, here’s a framework that would help researchers move embedded security forward. And I went on stage and said, I think the community should have it. And I got a number of emails from a number of lawyers,” Cui told WIRED ahead of the release. “Embedded security is a space that we absolutely need to have more good eyes and brains on. We needed it 10 years ago, and we finally found a way to give this capability out. So here it is.”

Though it hadn’t yet fulfilled its destiny as a publicly available tool, FRAK hasn’t been languishing all these years either. Red Balloon Security continued refining and expanding the platform for internal use in its work with both IoT device makers and customers who need a high level of security from the embedded devices they buy and deploy. Jacob Strieb, a software engineer at Red Balloon, says the company always used FRAK in its workflow, but that Ofrak is an overhauled and streamlined version that Red Balloon itself has switched to.

Cui’s 2012 demo of FRAK raised some hackles because the concept included tailored firmware unpackers for specific vendors’ products. Today, Ofrak is simply a general tool that doesn’t wade into potential trade secrets or intellectual property concerns. Like other reverse engineering platforms, including the NSA’s open source Ghidra tool, the stalwart disassembler IDA, or the firmware analysis tool Binwalk, Ofrak is a neutral investigative framework. And Red Balloon’s new offering is designed to integrate with these other platforms for easier collaboration among multiple people.

“What makes it unique is it’s designed to provide a common interface for other tools, so the benefit is that you can use all different tools depending on what you have at your disposal or what works best for a certain project,” Strieb says.

The platform is also unusual for offering advanced, automated repacking mechanisms for firmware binaries. Most reverse engineering tools aid in unpacking but lack extensive repacking capabilities, because even small modifications you make to firmware can incidentally break functionality or change how the program behaves. Repacking was always a core part of how Cui conceived FRAK, though, and Red Balloon has continued to improve it over the years for the company’s own work.

When Cui gave his original FRAK presentation, the project already had support from a now-concluded Defense Advanced Research Projects Agency program. Known as Cyber Fast Track, the DARPA initiative was run by security researcher Peiter Zatko, better known as Mudge.

“The proposal was compelling enough for me to fund it in April 2012, and I worked extremely hard to ensure I was a good steward of such funding,” Mudge says. “This is a valuable tool that significantly facilitated security researchers’ work in the field of applied embedded security. I am very happy to see more of this project being made available to such a wide audience through open source.”

After the end of Cyber Fast Track in 2013, Ofrak continued to receive partial support from DARPA’s Assured Micropatching program.

“Oftentimes, it’s cost prohibitive for organizations to hire reverse engineers with specialized skills to patch embedded devices,” says Sergey Bratus, a DARPA program manager. “A key goal of the AMP program is to make this capability readily available through automation. Automating the application of a fix turns out to be a hard computer science problem with fundamental research challenges. These challenges must be supported with new classes of modular, community-building, research-enabling tools such as Ofrak.”

In other words, Ofrak is not only useful for independent researchers who want to penetrate the black box of embedded devices. It can also help manufacturers assess their own products and play a role in patch development and distribution, a longtime challenge and frequent debacle in IoT.

Red Balloon’s Strieb says the company hopes Ofrak will be widely adopted and that people will develop add-on modules for community use. Red Balloon plans to maintain the tool long-term, and says it is fully committed to keeping licenses for personal use and research free in perpetuity. 

For Cui, it all fits into his original FRAK vision from 10 years ago.

“If more people looked inside the things and realized they could change the things, we would have more secure embedded devices,” he says. “So please take Ofrak, realize you have the power to reason about and change the code running on these devices, and then there’s a whole world of things you can create that are better than what we have now.”