Device Paradox: Why Security and Criticality Don’t Overlap in Embedded Systems – Ang Cui – PSW #758
Red Balloon Security CEO Ang Cui has spent over a decade looking into the most critical devices supporting our infrastructure. He explains why the insight that launched his company still holds true, and what it will take for security experts, manufacturers and end users to resolve our insecure stasis.
Dr. Ang Cui founded Red Balloon Security in 2011, when he was a doctoral student and part of Columbia University’s Intrusion Detection Systems Lab. His doctoral dissertation, “Embedded System Security: A Software-based Approach,” focused exclusively on scientific inquiries concerning the exploitation and defense of embedded systems. Ang is the creator of Firmware Reverse Analysis Konsole (FRAK) — the forerunner of OFRAK — and Symbiote technology, a novel, host-based defense that operates on embedded devices on the binary level. The RBS team’s success in developing embedded security solutions that harden and provide continuous runtime protection and monitoring of device firmware led to a significant multi-year engagement with HP, which installed Symbiote defense on its enterprise printers in 2015
Ang and the RBS team have uncovered numerous, critical vulnerabilities within ubiquitous embedded devices such as Cisco routers, HP printers, and Cisco IP phones. He also has led research efforts that uncovered vulnerabilities in aerospace infrastructure, building automation systems, electrical grid devices, telecommunications equipment, and ATMs. Ang has participated in many government-led and funded engagements, particularly with DARPA, that bring end users, device vendors, and security experts together to find vulnerabilities and devise new security solutions to protect embedded devices in mission-critical environments. He was named a DARPA Riser in 2015, and is a distinguished presenter of the annual Pwnie Awards (which he sometimes makes himself).