While the world outside the Silicon Valley bubble is familiar with software, which is mysteriously eating the world and powers everyday apps like Uber or DoorDash, the term “firmware” is esoteric.
What is Firmware?
For the uninitiated, firmware is a type of software that is typically stored in read-only memory (ROM), erasable programmable read-only memory (EPROM), or flash memory and provides low-level control for a device’s hardware. The difference between firmware and software is subtle, but profound – in human terms, firmware would be the automatic system that keeps our blood pumping and liver functioning, whereas software would represent more complex tasks like thinking, “Should I keep reading this post?”.
Although it seems strange, all of us have interacted with firmware in one way or another – virtually all devices, from smartphones to servers, contain firmware. In less sophisticated hardware such as traffic lights, firmware is what allows the lights to change at regular intervals. For more complex hardware, such as smartphones and tablets, the firmware is the middle layer bridging the hardware and operating system. Computers contain a lot of firmware, everything from USB keyboards to graphics and sound cards; even computer batteries have firmware. Considering how ubiquitous firmware is, one would expect firmware security to be top of mind – sadly, that couldn’t be further from the truth.
Unfortunately, firmware is an often-overlooked component of devices that are highly vulnerable and increasingly attractive entry points for hackers. In fact, data in the figure below, taken from ISACA’s Firmware Security Risks and Mitigation report, reveals that only 69% of enterprises that place a high priority in this area are partially compliant and only 17 percent of that same group received no feedback at all on firmware controls.
Furthermore, around half (52%) of the study’s participants who make security a priority within the hardware life cycle report at least one incident of malware-infected firmware being introduced into a company system, and 17% reveal the incident had a material impact.
Why is firmware so vulnerable? The short answer: it was never designed to be secure. As Kim Zetter from Wired reports, “most hardware makers don’t cryptographically sign the firmware embedded in their systems nor include authentication features in their devices that can recognize signed firmware even if they did. Hardware manufacturers are racing to make the cheapest hardware possible to sell more devices, grow their installed base for collecting data and sell that data to software companies” – firmware is simply a means to an end. Often, only 30% of the device budget is set aside for firmware and approximately 1% is allocated to security according to United Ventures.
Historically, hackers have launched attacks at assets that contain sensitive, high-value information such as databases or authentication credentials. Traditionally, it was easier for hackers to launch an attack at software to obtain this information rather than penetrate an enterprise’s firmware assets.
However, the evolution of network, agent, and other security technologies combined with a greater emphasis on patching vulnerabilities in operating systems and software has caused bad actors to change their focus. In fact, according to Justine Bone, CEO of MedSec, firmware security is no longer a theoretical problem. She writes that “the evidence is showing us that attackers are targeting firmware—many breaches and vulnerability discoveries these days can be attributed to firmware problems. Solutions are emerging, but most enterprise environments remain unprepared.”
While there haven’t been many high-profile breaches due to firmware exploits, firmware vulnerabilities are pervasive. Research conducted by The American Consumer Institute demonstrates that 83% of wi-fi routers in US homes and offices leave users at risk for cyberattacks because their firmware is inadequately updated for security vulnerabilities.
Last year, mobile security firm Kryptowire announced that millions of Android devices contained broken firmware that could’ve been exploited if left undiscovered. Moreover, ESET Research published a paper in 2018 detailing the discovery of malware that used repurposed commercial software to create a backdoor in computers’ firmware – dubbed “LoJax”, the malware has been observed being used to target government organizations in the Balkans and Eastern Europe. ESET further noted at least one instance where LoJax was successful in writing a malicious module onto a target system’s flash memory. Just a few days ago, security vendor Eclypsium reported that the Cloudborne vulnerability could be used by attackers to change a rented bare-metal server’s firmware to allow them to attack whoever uses the machine next.
These issues will be magnified exponentially as more and more devices are rolled out and added to the network. Today, there are approximately 11 billion devices connected to the Internet, and that figure is expected to nearly triple to 30 billion by 2020. Some experts predict that by 2025, there will be as many as 75 billion connected IoT devices. In such a connected world, firmware issues pose a dangerous threat to public life and privacy since devices can be hacked and made to perform actions such as random shutdowns or credential harvesting.
Although the future of firmware security is uncertain, I’m confident that we’ll witness an increasing number of firmware attacks and vulnerabilities exposed in the coming years.