FirmwareIQ employs the Common Vulnerability Scoring System (CVSS) to generate security scores for every component of its analytic output. This well-defined, industry-standard methodology for security scoring can be applied across multiple industries and certification bodies.
In just minutes, FirmwareIQ generates a detailed analytic report equivalent to what would take a team of experienced security analysts hours to produce.
Only binaries are required to generate a FirmwareIQ report. The risk of exposing IP in source code is eliminated, without compromising the precision or detail of the analytic output.
Harbor Labs’ patent-pending system for extracting and identifying file types produces high fidelity recreations of the target file system, regardless of naming conventions or file constructs. As a result, vulnerabilities are not overlooked or incorrectly flagged due to an unidentified or misidentified file type.
With many automated tools, reviewing analytic output and distinguishing false positives from genuine vulnerabilities is cumbersome and time-consuming. FirmwareIQ minimizes false positives to maximize the value and usability of its analytic output.
FirmwareIQ’s API seamlessly integrates security analysis into the software build process, allowing for fast and frequent security checks throughout the development cycle.
The FirmwareIQ analytic engine performs thousands of separate inspections on the target software to identify potential flaws, weaknesses, misconfigurations and known vulnerabilities in:
The Common Vulnerability Scoring System (CVSS) is an open-source industry standard for determining the severity of a vulnerability, the impact on the affected system, and the ease of executing the associated exploit. A numeric value of 1-10 is assigned to the vulnerability, 10 being the most critical, with the intent of providing users a metric for identifying and prioritizing the most severe cybersecurity issues within a target system. FirmwareIQ assigns CVSS v3.0 scores to each element of the software packages it analyzes, deriving these values from the CVSS consortium’s open-source calculator and scoring methodology.
There are many proprietary methodologies for generating security scores. And while these scoring systems may be well suited for a specific tool or operational setting, they rarely have portability or intuitive meaning outside of that specific environment. All FirmwareIQ scoring is derived from the CVSS standard. This removes any subjectivity from the tool’s scoring logic, and provides a set of security values that are accepted and understood across a broad set of industries, as well as regulatory and certification bodies.
A CVSS score should be regarded as informational, not as an absolute data value. It is intended to inform and alert to the potential severity of a vulnerability, but it provides no context specific to the target system. The scores within the CVSS scale are not meant to be viewed as ratios of one another, or as relative values. A vulnerability with a CVSS of 8.4, for example, is not necessarily twice as severe as one with a CVSS of 4.2. CVSS information should be analyzed within the context of the threat model and concept of operations for the target system. A CVSS of 2.4 might require immediate attention if it can be chained to another, much more severe attack within the target system. Conversely, a CVSS of 9 that pertains to a function in a library may be irrelevant if the target system uses the library but not that particular function. Please consider the CVSS scoring produced by FirmwareIQ as data that will inform and assist in prioritizing vulnerabilities within the broader context of the specific target system and its operations.
Searchable and sortable fields allow users to quickly identify and organize the security information most relevant to their project. Summary data is contextualized and can be expanded wherever granular analysis is required.
Even after the initial analytic report is completed, FirmwareIQ continues to monitor the threat landscape for new vulnerabilities that might affect the target binary. FirmwareIQ performs a daily query of the National Vulnerability Database for any new entries that could exploit the components of an analyzed binary. When a new exploit that matches a client vulnerability is identified, the client is automatically notified of the threat and is directed to the associated FirmwareIQ report for further inspection.
Since 2011, Harbor Labs has been conducting vulnerability analyses and generating security reports for clients across a broad set of systems and industries. Depending on the scope and complexity of the target system, these engagements could take weeks to complete and result in hundreds of pages of analytic text and report data. FirmwareIQ was conceived as a way to codify the manual processes of vulnerability analysis into a series of analytic modules that can generate a comprehensive report in a fraction of the time and cost of a manual report. Moreover, FirmwareIQ allows analytic data to be organized and prioritized for easy navigation, with sorting and customization tools so that the data most relevant to the user can be presented in an intuitive and easily consumable format. The vision of its inventors was to create the next generation of vulnerability analysis systems, and after more than two years of focused design, development and testing, FirmwareIQ is the result of that ambitious goal.
Designed and developed by leading industry security analysts Dr. Avi Rubin, Dr. Michael Rushanan, Dr. Paul Martin and Dr. Ayo Akinyele, FirmwareIQ represents their decades of experience and collective expertise in vulnerability analysis and analytic tool development. The patent-pending methods contained within FirmwareIQ are the automated equivalent of the analytic processes these experts have been developing and applying to client systems since the company’s founding in 2011. Each of the individual modules that comprise the FirmwareIQ analytic engine reflects the area of expertise of the cyberscientist who designed and maintains it. Our PhDs and their staff are passionate about FirmwareIQ, and are committed to providing customers with analytic insights and security outcomes that are unmatched in our industry.
Identification of vulnerabilities in the firmware is typically just the first step in fully securing a device. The remediation process that follows often requires further levels of analysis, including pen testing, reverse engineering and custom exploit development. Analysis of the deployment model, access control policies, the PKI architecture, patch management models and integration with other components of the topology also play a role in the overall security outcome of the target device.
Beyond simply identifying vulnerabilities, Harbor Labs’ staff of expert security consultants can develop a remediation plan, conduct additional custom security analyses, and develop and implement the solutions necessary to meet the security requirements of the target system.
When Harbor Labs staff discover a vulnerability and develop an exploit, we work with the client not only to remediate the vulnerability, but to ensure that it is properly reported and shared with the cyber community. Through our ongoing work with ICS-CERT, Harbor Labs is committed to making sure our discoveries are registered as CVEs and recorded in the NVD to prevent future exploits.
FirmwareIQ can unpack and analyze all common archive and compression formats on Linux, Android and Docker® systems.
FirmwareIQ only analyzes the software binary in order to generate a comprehensive security report. No source code is ever required.
After a binary is uploaded, analyzed, and the security report is produced, FirmwareIQ deletes the binary in its entirety. Uploaded client binaries are never stored in any form after being analyzed.
FirmwareIQ offers annual subscriptions, as well as short-term and month-to-month plans. Subscription plans are flexible and designed to meet the varied requirements of enterprises, teams and individuals.
FirmwareIQ reports are available for the duration of a subscription period, and are archived for at least one year after the expiration of a subscription. Users with inactive subscriptions can still access past reports through their dashboard, but will be unable to run the FirmwareIQ analytic engine until renewal.
Authorized users can save their reports in their entirety to a local device for offline review. Users may also select and save subsets of their reports in CSV format.
Processing times will vary based on the target image’s size, complexity and composition, and on the resources of the platform on which FirmwareIQ is running (e.g., SaaS or a local server). However, extensive FirmwareIQ benchmarking indicates an analytic processing rate of approximately 2.6 MiB of binary data per second. A binary image of 625 MiB, for example, would take approximately four minutes of analytic processing time.
The Harbor Labs consulting staff offers a portfolio of security services to remediate the issues discovered in a FirmwareIQ analytic report. Services include the design and development of secure topologies, cryptographic solutions, key management systems, patch management design, and cloud integration, among many other security consulting services. Consulting is available as a set of stand-alone services and is also included in certain FirmwareIQ subscription plans.
Schedule a demo, request information on subscription plans, or contact our FirmwareIQ technical support staff.