Hardware and Firmware Security Assessment
Service overview
Have confidence in the safety of the components and devices underpinning a new development
Prevent possible hardware failures
Protect intellectual property and secure your products from piracy and counterfeiting
Improve your competitive edge by raising the level of security of the devices you develop
Capabilities
We provide an independent hardware security assessment
We support the device development process at all stages
We help to get your devices certified
We develop safeguards and recommendations to improve the security of your hardware
Project stages
-
We select the research approach that best addresses your tasks
-
Gather data about the hardware being assessed
-
Analyze the security of the entire system or its components
-
Verify that the identified vulnerabilities can be exploited
-
Develop recommendations to address vulnerabilities and improve hardware security
Our projects
Device manufacturers have a number of monetization models to profit from their products. One of them is the sale of devices with different features: the high-end ones will be more capable than their budget series. The other way is to issue licenses, which determine the number of available features.
Bypassing the protection mechanisms in the firmware makes it possible to unlock even unpaid device capabilities. However, this is a direct copyright violation (i.e., piracy), which causes the manufacturer to incur profit losses.
The J-Link microcontroller debugger, which SEGGER has been producing since 2004, combines the abovementioned monetization models. According to the manufacturer, J-Link became the de-facto standard debug probe for ARM based development.
We conducted an analysis of the J-Link EDU debugger, a lower-end model with a scaled-down license package intended for non-commercial use. Its hardware is the same as J-Link BASE and J-Link PLUS. The only difference between them is the license package, the availability of technical support, and the cost: the PLUS version is 10 times more expensive than the EDU.
While doing our research, we found two bugs in the firmware. The first one allowed us to bypass the licensing system and upgrade the device from EDU to PLUS. The second bug could be exploited by hackers to execute arbitrary code on the device. We informed SEGGER about the discovered security gaps, and two weeks later the bugs were partially fixed. “Partially” because the devices had already been distributed to many users, and releasing a patch would cause them backward compatibility problems.
“BI.ZONE Research Lab has been very fair and ethical in their research and in their discussions with us. We are impressed with what they have done and their level of analysis,” noted SEGGER representatives.
Assess the security of information systems servicing the network’s customers:
- Android and iOS-based mobile app (2.7 million users)
- Self-service apps and software (330,000 orders per day)
- We performed a security analysis by simulating the actions of a potential attacker
- We identified vulnerabilities, developed recommendations to address the gaps and improve the level of security
In just a month of working with a network that serves millions of customers, we identified over a dozen weaknesses in its system services and helped improve overall security
“BI.ZONE identified the most likely attack vectors and provided recommendations to address vulnerabilities not only in the infrastructure itself, but also at the level of business processes”
Malte Wolters
IT Director at YUM! Restaurants International Russia, CIS & CEE
Clients about us
Our team
Ask our experts
You might also need
Service description
- We identify vulnerabilities and weaknesses in the devices and their components
- Uncover vulnerabilities in the hardware-backed system architecture
- Explore opportunities to gain access to confidential and personal user data
- Predict the consequences of exploitation of uncovered vulnerabilities
- Demonstrate the exploitation of the most critical vulnerabilities
- Develop recommendations to mitigate the identified vulnerabilities and improve product security
Objects of assessment
- ATMs
- Self-service terminals
- POS systems
- Payment terminals
- Biometric systems and voice technologies
- NFC contactless payment technology
- VR/AR solutions
- IoT devices
- Management systems (automated process control)
- Industrial firewalls
- Industrial robotics
- Wearable electronics
- Additive technologies
- Biometric systems and speech technologies
- Medical robotics
- Endoscopic devices
- IoT solutions for medical diagnostics
- Remote patient monitoring devices
- Speech technology
- Wearable devices (pacemakers, insulin pumps, etc.)
- IoT solutions for freight transportation
- Smart locks, headlights, etc.
- Vehicle control devices
- Biometric systems and voice technologies
- VR/AR solutions
- Vehicle multimedia systems
- Automotive security systems
- IoT solutions to improve customer experience
- Self-service terminals
- Payment terminals
- NFC contactless payment technology
- Biometric systems and voice technologies
- VR/AR solutions