Daniel: All right welcome back to IT Pro TV. I'm your host Daniel our we're here back at RSA 2018 here in San Francisco. I'm here with Terry Dunlap from ReFirm Labs. Terry, can do us a favor tell us a little about yourself in your company?
Terry: Sure. I started ReFirm Labs back in August, but before that it actually goes back to 1986 when I was arrested for computer hacking. But it didn't stop me from getting a top-secret security clearance to work for the National Security Agency.
Daniel: Well, that's good to know.
Terry: Yeah, so I started a company called Tactical Network Solutions, which is still around, focused primarily on offensive cyber. And then we had this capability that could reverse engineer firmware looking for vulnerabilities. We decided to spin that out into ReFirm Labs and turn it into a commercial product.
Daniel: So you're actually looking into the firmware of different devices and looking for vulnerabilities so that you can fix them? Or just explain to the company that's producing them how to fix them?
Terry: Both. To explain to the manufacturer how to fix them and to let enterprises understand what threats are in their internet connected devices; IOT devices like your Polycom phones in the boardroom, the security cameras that are deployed throughout the enterprise, even that Smart TV is sometimes pretty smart as to what it can do and where information goes. You'd be surprised.
Daniel: Yeah. IoT's kind of a thing nowadays, and I guess if it is connected to our network, we probably need to look into some security when it comes to that. So tell us a little bit about what's the process of that. What does it look like for your company to go in and and do your thing?
Terry: Yeah, well we have a platform that is a SaaS model subscription base. So, for example, if our enterprise customers are interested in the security of their widely deployed security cameras, they can take the firmware from that security camera, which is usually available on the vendor website, put that into the platform and within about 30 minutes you can get detailed information on vulnerabilities that are known, crypto keys that are actually embedded, both public and private password hashes - which would normally reveal backdoored accounts. And, in fact, we actually had a Fortune 100 customer do exactly what I was saying and they discovered a backdoor account in their security cameras that were deployed around the globe. What they were shocked to find was that their corporate network traffic was being sent through these cameras to a foreign IP address.
Daniel: That could be shocking to someone to find that out.
Terry: Absolutely. So I mean armed with that information, they were able to actually block the malicious traffic and then justify the replacement of every single one of those cameras globally in their enterprise.
Daniel: So this was a this is a big deal for them, yeah?
Terry: It was huge.
Daniel: So you say they take their firmware and they can upload it into your platform. Your platform actually just does some sort of vulnerability scan. Is this an automated scan or do you actually have text looking at it as well?
Terry: Ah, no, it's completely automated. You take a compiled firmware image - we don't even need access to source code, we don't need any special agents running or any libraries embedded into the firmware. We don't even need access to the network. So if you can just take a vendor provided firmware image, which usually are freely available on their support pages, and just drop it into the platform, we show you current vulnerabilities, potential zero-days that might be in the firmware, password hashes and crypto keys.
Daniel: That is amazing! And how do you do this? How is the vulnerability scanner doing that that job?
Terry: Right now we have two different engines that we fire up. One's a traditional static analysis engine that will look for your common buffer overflows, insecure coding practices, command injections. Then we also have a dynamic emulation environment, where we will take specific binaries from the underlying operating system. For example, let's say it's an HTTP server that's part of this this firmware image. We will actually identify user input variables where we can modify those inputs, run that web server in an emulated environment and see if we can cause a crash or an overflow. If we can, then we will flag that as a potential zero-day vulnerability.
Daniel: That's extremely impressive that it can do all of that - and built into an automated system! Obviously anybody that has IoT devices or firmware embedded devices as well are gonna want to start working this into their threat vector to see, 'do I have a problem here.' Because we have to look at every single angle, and firmware is no - it's not off the table when it comes to that.
Terry: Right I mean there are not many solutions that we've come across that can look at firmware in as short amount of time as we can and uncover known vulnerabilities, potential zero-days, crypto keys and password hashes all at the same time. Now, there are individual platforms out there that do some of that stuff individually but this is the first comprehensive all-in-one to do that.
Daniel: That is amazing stuff. Ok, so now I'm hooked. Let's start here - if I was interested in this, who do I need to be to say 'ok I want to go to ReFirm Labs' and do I need to be a large company? Obviously you work with the enterprise level people but are small businesses also in your target range?
Terry: Yeah, so we have a number of clients that range from small mom-and-pop embedded device manufacturers in the Midwest all the way up to your Fortune 100 customers and SISOs who are concerned about connected devices that are on their enterprise. So really it's wide-ranging. It's a subscription platform based on volume, so if you're a high-volume user, you know, we have a plan that can accommodate that. So, yeah, anybody that is involved with firmware development or concerned about the connected devices on their network, we'd be able to help them. So we're looking at three specific verticals: the developers/integrators of these devices, enterprise security and certification labs, like working with Underwriter Laboratories or CableLabs to help them develop policies and procedures to make sure devices are as secure as I can be.
Daniel: Awesome! Well it sounds like a great product. I can't wait to check it out more and learn more about it. If folks are out there like myself who want to learn more about this, how would they do so?
Daniel: Well thank you so much for joining us. ReFirm Labs - check it out everyone. But stick around we'll have more from RSA 2018 to come so we'll see you then.