We analyze device firmware and report on what is found in the software embedded on each device, including an overall risk score, a Software Bill of Materials (SBOM), a list of hard-coded credentials, and other risk factors.
Our risk reports include information on the presence of known vulnerabilities (CVEs), previously unknown (zero-day) vulnerabilities, and known incidents, alerts, advisories, and threats.
We provide a detailed supply chain risk assessment, revealing information about vendor watch lists, manufacturing location, and FOCI (foreign ownership, control, and influence).
The Software Bill of Materials (SBOM) is a comprehensive list of the software components found within your device firmware. Firmware is assembled from a combination of open source and proprietary software components. Having a robust SBOM is the first step in understanding what’s inside your device.
Automated analysis locates, extracts, and attempts to recover plaintext credentials for every account on the system. A full accounting of the credentials in a firmware image often leads to the discovery of potential backdoors that increase the risk to the network.
The presence of material such as private keys and authorized_keys files can indicate backdoors that allow unintended access to the device. A private key baked into the image is also shared by every device built from that image, so compromising one device compromises them all.
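As an added example (this is not Finite State's extractor), the Python below audits account and key material the way a firmware analyst would after unpacking a root filesystem: it classifies each crypt(3) password field, flags empty passwords on interactive accounts, extra UID 0 accounts, hashes left in world-readable /etc/passwd and fast-to-crack algorithms, and looks for PEM private keys and pre-provisioned authorized_keys entries. The function names, the list of weak algorithms, and the /etc/passwd, /etc/shadow and file contents are all this example's own constructions, not data from any real device.

```python
"""Added example (not Finite State's extractor): audit account and key material as
found in an unpacked firmware root filesystem. PASSWD, SHADOW and FILES are
constructed samples, not taken from any real device."""
import re

WEAK_HASHES = {"descrypt", "md5crypt"}          # cheap to brute-force offline
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
HASH_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                 "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}


def classify_hash(field: str) -> str:
    """Map a crypt(3) password field to its algorithm or to the account state."""
    if field == "":
        return "empty"                      # login succeeds with no password at all
    if field[0] in "*!":
        return "locked"
    if field == "x":
        return "shadowed"                   # the real hash lives in /etc/shadow
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                   # traditional DES crypt, 8-character limit
    return "unknown"


def audit_accounts(passwd: str, shadow: str) -> list:
    """Return (user, issue) findings from /etc/passwd and /etc/shadow contents."""
    shadow_hash = {l.split(":")[0]: l.split(":")[1] for l in shadow.splitlines() if l.strip()}
    findings = []
    for line in passwd.splitlines():
        if not line.strip():
            continue
        user, field, uid, _gid, _gecos, _home, shell = line.split(":")[:7]
        if classify_hash(field) not in ("shadowed", "locked", "empty"):
            findings.append((user, "password hash stored in world-readable /etc/passwd"))
        if uid == "0" and user != "root":
            findings.append((user, "additional UID 0 account"))
        kind = classify_hash(shadow_hash.get(user, field))   # shadow entry wins if present
        if kind == "empty" and shell not in NOLOGIN_SHELLS:
            findings.append((user, "empty password with interactive shell"))
        elif kind in WEAK_HASHES:
            findings.append((user, f"weak hash algorithm ({kind})"))
    return findings


def find_key_material(files: dict) -> list:
    """files maps rootfs path -> text; a real run would walk the extracted image."""
    hits = []
    for path, text in files.items():
        if PRIVATE_KEY_RE.search(text):
            hits.append((path, "private key"))
        if path.endswith("authorized_keys") and any(
                l.strip() and not l.startswith("#") for l in text.splitlines()):
            hits.append((path, "pre-provisioned SSH login"))
    return hits


# Constructed sample files (not from a real device); hashes are fake placeholders.
PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:$1$saltsalt$ZmFrZW1kNWNyeXB0aGFzaA:0:0:admin:/:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
support:x:1000:1000::/home/support:/bin/sh
guest:x:1001:1001::/tmp:/bin/sh
"""
SHADOW = """root::19000:0:99999:7:::
admin:$1$saltsalt$ZmFrZW1kNWNyeXB0aGFzaA:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
support:$6$Tz3Vb1c$ZmFrZXNoYTUxMmNyeXB0aGFzaGZvcmRlbW9vbmx5:19000:0:99999:7:::
guest:!:19000:0:99999:7:::
"""
FILES = {
    "/etc/ssh/ssh_host_rsa_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAZmFrZQ\n-----END RSA PRIVATE KEY-----\n",
    "/root/.ssh/authorized_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZmFrZQ vendor-support@example.com\n",
    "/etc/init.d/S01network": "#!/bin/sh\nifup -a\n",
}

if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, SHADOW) + find_key_material(FILES):
        print(*finding, sep=": ")
```

Run against the constructed samples, the audit reports root with an empty password, admin as a second UID 0 account whose md5crypt hash is also exposed in /etc/passwd, a host private key and a vendor authorized_keys entry; the locked daemon and guest accounts and the sha512crypt support account produce nothing.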
Finite State identifies all known vulnerabilities in device software automatically. Data from vulnerability data sources is automatically deduplicated and presented to users. Finite State also correlates information from the vulnerability database about the risk of the vulnerability with known exploit data, allowing users to understand how these vulnerabilities are being used by real-world malicious actors.
Most modern toolchains provide protections against common exploitation techniques: stack canaries, a non-executable stack (NX), position-independent executables (PIE, which makes ASLR effective), RELRO, and FORTIFY_SOURCE. Mainstream distribution compilers enable most of them by default, so when a binary lacks them, either someone actively disabled them, the firmware was built with an older or embedded cross toolchain that does not turn them on, or they were switched off to make existing code build. We cannot determine intent; however, we can report whether these compiler-level protections are applied consistently across the binaries in an image, which is what protects against memory corruption attacks in practice.
Code complexity helps analysts estimate the risk profile and stability of any unit of code. The metric used here, cyclomatic complexity, counts the linearly independent paths through a function, which for structured code is one more than the number of decision points (conditionals, loops, exception handlers, and short-circuit boolean operators). A higher score means more logical paths to exercise and therefore more difficulty testing the software adequately. Software that is harder to test has been shown in many studies to have a higher defect rate, which correlates with security vulnerabilities.
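As an added example (not Finite State's metric implementation), the Python below computes McCabe cyclomatic complexity in its decision-count form, 1 + the number of branch points, for every function in a piece of source. It uses Python's own ast module as the parser, so it works on Python rather than the C found in firmware, but the counting rule is the same one the paragraph describes. The node types treated as decisions and the two functions in SAMPLE are this example's choices.

```python
"""Added example (not Finite State's code): McCabe cyclomatic complexity per function
in its decision-count form, 1 + number of branch points, computed over Python source
with the standard ast module. SAMPLE is constructed for illustration."""
import ast

# Node types that open an alternative path through the function.
DECISION_NODES = (ast.If, ast.For, ast.While, ast.AsyncFor, ast.ExceptHandler,
                  ast.IfExp, ast.Assert)


class _DecisionCounter(ast.NodeVisitor):
    def __init__(self):
        self.decisions = 0

    def visit_FunctionDef(self, node):
        pass  # nested functions are reported on their own, not folded into the parent

    visit_AsyncFunctionDef = visit_FunctionDef

    def generic_visit(self, node):
        if isinstance(node, DECISION_NODES):
            self.decisions += 1
        elif isinstance(node, ast.BoolOp):
            self.decisions += len(node.values) - 1  # every and/or adds a short-circuit path
        elif isinstance(node, ast.comprehension):
            self.decisions += 1 + len(node.ifs)     # the loop plus each filter clause
        super().generic_visit(node)


def cyclomatic_complexity(func) -> int:
    """Complexity of one ast.FunctionDef / ast.AsyncFunctionDef node."""
    counter = _DecisionCounter()
    for stmt in func.body:
        counter.visit(stmt)
    return 1 + counter.decisions


def complexity_report(source: str) -> dict:
    """Map every function name in the source to its cyclomatic complexity."""
    tree = ast.parse(source)
    return {node.name: cyclomatic_complexity(node) for node in ast.walk(tree)
            if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef))}


# Constructed sample: one trivially testable function and one with many paths.
SAMPLE = '''
def parse_header(data):
    if len(data) < 4:
        return None
    return data[:4]

def route(packet, allow, deny):
    if packet.src in deny or packet.dst in deny:
        return "drop"
    for rule in allow:
        if rule.matches(packet) and not rule.expired:
            return "accept"
    try:
        return "log" if packet.size > 1500 else "accept"
    except AttributeError:
        return "drop"
'''

if __name__ == "__main__":
    for name, score in complexity_report(SAMPLE).items():
        print(f"{name}: {score}")
```

For route the seven decision points are the two if statements, the two boolean operators inside them, the for loop, the except handler and the conditional expression, giving a complexity of 8; parse_header has one if and scores 2. Exercising every path through route needs at least eight test cases, which is the testing burden the paragraph refers to.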
In languages like C there is a set of legacy functions, such as strcpy, sprintf and gets, that take no bounds and are considered unsafe; they have bounded alternatives such as strncpy, snprintf and strlcpy. Note that strncpy is only safer when the caller guarantees NUL termination, because it does not terminate a string that fills the destination. Unbounded copies expose the binary to buffer overflows, and printf-family calls given a user-controlled format string expose it to format string attacks.
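As an added example covering both the compiler-protection check and the unsafe-function check above (this is not Finite State's analyzer), the Python below reads an ELF64 binary's program headers and dynamic section and reports whether the stack is non-executable, whether the binary is PIE, the RELRO level, whether a stack canary is referenced, and which unsafe libc functions appear in its dynamic string table. So that it runs offline, the two images it inspects are built by build_elf() in the script itself; the function names, the UNSAFE list, and the checksec-style canary heuristic (presence of __stack_chk_fail in .dynstr) are this example's choices, while the constants and layouts are standard ELF.

```python
"""Added example (not Finite State's code): read an ELF64 little-endian binary's
headers and report hardening flags plus unsafe libc imports. The images it
inspects are constructed by build_elf() below, not real firmware."""
import struct

PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
# Legacy calls with no bounds or format check; this list is the example's own choice.
UNSAFE = {"strcpy", "strcat", "sprintf", "vsprintf", "gets", "scanf", "system"}


def _phdrs(data):
    """Return (e_type, [(p_type, p_flags, p_offset, p_vaddr, p_filesz), ...])."""
    _, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum, _, _, _ = struct.unpack_from(
        "<16sHHIQQQIHHHHHH", data)
    out = []
    for i in range(e_phnum):
        p_type, p_flags, off, vaddr, _pa, filesz, _ms, _al = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        out.append((p_type, p_flags, off, vaddr, filesz))
    return e_type, out


def _dynamic_tags(data, phdrs):
    """DT_* tag -> value from the PT_DYNAMIC segment (stops at DT_NULL)."""
    tags = {}
    for p_type, _f, off, _va, size in phdrs:
        if p_type == PT_DYNAMIC:
            for pos in range(off, off + size, 16):
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == DT_NULL:
                    break
                tags[tag] = val
    return tags


def _dynstr_names(data, phdrs, tags):
    """Symbol names from .dynstr, located via DT_STRTAB mapped through a PT_LOAD."""
    if DT_STRTAB not in tags or DT_STRSZ not in tags:
        return set()
    for p_type, _f, off, vaddr, size in phdrs:
        if p_type == PT_LOAD and vaddr <= tags[DT_STRTAB] < vaddr + size:
            start = off + tags[DT_STRTAB] - vaddr
            raw = data[start:start + tags[DT_STRSZ]]
            return {n.decode("ascii", "replace") for n in raw.split(b"\0") if n}
    return set()


def check_binary(data: bytes) -> dict:
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    e_type, phdrs = _phdrs(data)
    tags = _dynamic_tags(data, phdrs)
    names = _dynstr_names(data, phdrs, tags)
    stack = [f for t, f, *_ in phdrs if t == PT_GNU_STACK]
    relro = "none"
    if any(t == PT_GNU_RELRO for t, *_ in phdrs):
        relro = "partial"  # GOT made read-only after relocation...
        if (DT_BIND_NOW in tags or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                or tags.get(DT_FLAGS_1, 0) & DF_1_NOW):
            relro = "full"  # ...and every relocation resolved at load time
    return {
        "nx": bool(stack) and not stack[0] & PF_X,  # no PT_GNU_STACK => executable stack
        "pie": e_type == ET_DYN,
        "relro": relro,
        "canary": "__stack_chk_fail" in names,   # checksec-style heuristic
        "unsafe_imports": sorted(names & UNSAFE),
    }


def build_elf(e_type, stack_flags, relro, bind_now, names):
    """Constructed ELF64 image with only headers, a PT_LOAD mapping the file at
    vaddr 0, a dynamic section and a string table. Not a runnable program."""
    segs = [(PT_LOAD, PF_R)]
    if stack_flags is not None:
        segs.append((PT_GNU_STACK, stack_flags))
    if relro:
        segs.append((PT_GNU_RELRO, PF_R))
    segs.append((PT_DYNAMIC, PF_R | PF_W))
    dyn_off = 64 + 56 * len(segs)
    str_off = dyn_off + 16 * (4 if bind_now else 3)
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    dyn = struct.pack("<qQ", DT_STRTAB, str_off) + struct.pack("<qQ", DT_STRSZ, len(strtab))
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    total = str_off + len(strtab)
    phdrs = b""
    for p_type, p_flags in segs:
        off, size = {PT_LOAD: (0, total), PT_DYNAMIC: (dyn_off, len(dyn))}.get(p_type, (0, 0))
        phdrs += struct.pack("<IIQQQQQQ", p_type, p_flags, off, off, off, size, size, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, len(segs), 64, 0, 0)
    return ehdr + phdrs + dyn + strtab


if __name__ == "__main__":
    weak = build_elf(ET_EXEC, PF_R | PF_W | PF_X, False, False, ["strcpy", "sprintf", "printf"])
    hardened = build_elf(ET_DYN, PF_R | PF_W, True, True, ["__stack_chk_fail", "strncpy", "printf"])
    for label, image in (("weak", weak), ("hardened", hardened)):
        print(label, check_binary(image))
```

On a real image you would call check_binary(open(path, "rb").read()) for every ELF under the extracted root filesystem and look for binaries whose flags differ from the rest; an outlier with an executable stack and no canary next to otherwise hardened binaries is exactly the inconsistency the paragraph above describes. The canary check is a heuristic (it matches any binary that references __stack_chk_fail, not only those whose functions are all instrumented), and a thorough import check would walk .dynsym for undefined symbols rather than scanning .dynstr.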
Memory corruption occurs when a program writes outside the bounds or lifetime of the object it meant to modify (an out-of-bounds write, a use after free, a double free), so that unrelated data or control structures in memory are overwritten. Finite State has developed analysis tools to find memory corruption vulnerabilities automatically, which shows how well the software development team implemented memory management practices and which previously unknown memory corruption vulnerabilities live within the software.
Finite State also runs static analysis over source code and scripts found in connected device firmware. Examples of the issues it reports include shell commands invoked from scripts and potential command injection, where untrusted input is interpolated into a command line.
Finite State provides a platform for both asset owners and device manufacturers to gain deeper insight into product and supply chain risk. Our robust set of tools empowers security teams to take action, share information, and collaborate.
Finite State provides the most advanced vulnerability detection capabilities for connected device firmware, which can form the foundation of your proactive product security lifecycle. Detect and manage issues in your first- and third-party software before your products go to market, reduce your compliance and regulatory risk, automatically satisfy your customers’ requests for proof of robust security programs, and react with speed and precision when new vulnerabilities and threats are reported.
Finite State provides objective, data-driven measurement of the cybersecurity properties of devices, their embedded software, and their supply chains. These ratings enable device users to take a “risk-based and outcome driven approach” to securing their organization’s most critical assets.
Firmware risk is automatically calculated through a data science approach based on thousands of data points and 8 metric classes, with new metrics being added regularly.
Protecting your critical connected devices requires robust intelligence and coordination within multiple departments inside your organization and with vendors outside of your organization. Finite State provides a centralized platform for collaborative vulnerability management, which is built upon the most robust and timely intelligence to ensure you stay one step ahead of your adversaries.
Finite State helps security and risk leaders take a risk-based, outcome-driven approach to managing the performance of their organization’s product security program through broad measurement, continuous monitoring, detailed planning, and rapidly reduced incident reaction time in an effort to measurably reduce cyber risk.
Immediately expose cyber risk within the supply chain of all of your devices, helping focus resources and allowing device manufacturers and asset owners to work collaboratively toward significant and measurable risk reduction.
Finite State provides remediation guidance and issue management tools to help both device manufacturers and users understand the severity of each risk, and empowers security teams to act accordingly. We also facilitate collaboration between device manufacturers and asset owners so that major vulnerabilities are addressed quickly.
Our team works every day to extend the set of operating systems the platform supports. Contact us for the most recent list of supported operating systems.
Please contact us for pricing so that we can provide an accurate estimate based on your organization's needs.
Finite State's main platform is cloud based, but an on-premises deployment is available for those who need it. Please contact us for more details.
Finite State customers have access to the world's largest firmware library, with over 300,000 analyzed firmware images in our system. Additionally, each customer has a private firmware library, suited to device manufacturers who want to verify the security of their products before releasing them to the public.