Detecting Undeclared Sanctioned Hardware via Firmware Analysis

Case Study

Challenge

While investigating potential risks involved in introducing a popular industrial communications device into a high-assurance environment, a security researcher was seeking attribution and provenance of the embedded software on the device. Product histories can be complex, especially in operational technology (OT) products where firmware contains a tremendous amount of proprietary software and legacy devices abound. Although the device was available on the U.S. GSA schedule, the companies behind the product had undergone multiple M&As, so the question arose – were there any hidden risks in this device? 

No source code was available. Binary analysis of firmware is reliable, but it is difficult without the right technology and security-analysis expertise: 

  • Requires a massive corpus of proprietary data for legacy devices. 
  • The data is not obtainable in open source. 
  • Much of the data is proprietary and can’t be jobbed out to a contractor. 

Solution

The Exiger cyber solution, using binary analysis on the device’s firmware, uncovered embedded Huawei modem drivers in the device. Per the FCC tag, these modems were supposed to be Sierra Wireless modems, but the firmware analysis said otherwise. 

Undeclared Huawei modem drivers

Exiger technology identified this corporate entity provenance from the firmware alone. In other words, there was no need to crack open the device. (Subsequent physical inspection of the device did confirm the presence of Huawei technology.)
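As an added illustration of the kind of firmware check described above (example code written for this page, not Exiger's tooling), the script below extracts printable strings and Linux USB module aliases from a firmware blob, maps the USB vendor ID in each alias to a vendor, and compares that evidence against the hardware the vendor declared. The firmware bytes are a constructed sample; the two vendor IDs are the public USB-IF assignments for Huawei and Sierra Wireless.

```python
import re

# USB vendor IDs from the public USB-IF assignment list (real values).
USB_VENDOR_IDS = {0x12D1: "Huawei", 0x1199: "Sierra Wireless"}

# Constructed sample standing in for a firmware image: a fragment of a
# Linux kernel module's .modinfo section for a cellular modem driver,
# surrounded by unrelated binary bytes.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x00\x01\x02" + b"\x00" * 16
    + b"alias=usb:v12D1p1506d*dc*dsc*dp*ic*isc*ip*in*\x00"
    + b"description=Huawei HSPA modem driver\x00"
    + b"vermagic=3.10.0 mod_unload ARMv7\x00"
    + b"\xff" * 24
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")           # like the `strings` tool
USB_ALIAS = re.compile(rb"usb:v([0-9A-Fa-f]{4})p([0-9A-Fa-f]{4})")


def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII runs of six or more characters."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def find_usb_vendors(blob: bytes) -> set[str]:
    """Map kernel USB module aliases (usb:vVVVVpPPPP...) to vendor names."""
    vendors = set()
    for m in USB_ALIAS.finditer(blob):
        vid = int(m.group(1), 16)
        vendors.add(USB_VENDOR_IDS.get(vid, f"unknown-vid-{vid:04x}"))
    return vendors


def check_declared_hardware(blob: bytes, declared: set[str]) -> dict:
    """Compare vendors evidenced in the firmware against the declared BOM."""
    strings = [s.lower() for s in extract_strings(blob)]
    # Two independent signals: structured USB aliases and vendor-name strings.
    alias_hits = find_usb_vendors(blob)
    name_hits = {v for v in USB_VENDOR_IDS.values()
                 if any(v.lower() in s for s in strings)}
    evidenced = alias_hits | name_hits
    return {
        "evidenced": evidenced,
        "undeclared": evidenced - declared,        # e.g. {"Huawei"}
        "declared_not_found": declared - evidenced, # e.g. {"Sierra Wireless"}
    }
```

Running `check_declared_hardware(SAMPLE_FIRMWARE, {"Sierra Wireless"})` flags Huawei as undeclared and Sierra Wireless as declared but not evidenced, which is the mismatch pattern the case study describes.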

Impact

Were there any hidden risks in this device? Yes. But the issue was not that the drivers were bad. The problem is that a sanctioned or precluded Huawei modem in the box was not declared. 

Huawei is on the U.S. Bureau of Industry and Security Entity List, prohibiting the sale of new communications equipment and its use in U.S. telecommunication networks. In 2022, the FCC stopped authorizing new Huawei telecom gear for import or sale, while running a “rip-and-replace” reimbursement program to remove existing equipment from smaller carriers’ networks. 

This non-destructive hardware analysis via firmware attribution would enable purchasers of this device (and other devices bearing sanctioned or forbidden technology) to detect the problematic components at a distance, quickly and inexpensively. For organizations pursuing rip-and-replace strategies to meet SCRM mandates, the Exiger solution offers a scalable alternative to physically inspecting a large inventory of devices. 

Exiger’s binary analysis enables software supply chain security and cyber supply chain risk management by exposing hidden cyber risks across a wide variety of technology and ensuring regulatory compliance. 


Analysis of binaries to find drivers for undeclared and disallowed hardware.

Capability extends beyond modems to other critical OT devices. 

Scalable alternative to rip-and-replace strategies to meet regulatory requirements. 
