Firmware Security Comes of Age


Many of us at Eclypsium have been focused on firmware security for the majority of our careers, so it is exciting to see this area of security start to come into its own. Firmware has been one of the longest-standing blind spots for many organizations, but that is changing rapidly.

This change is being driven by real-world problems. Malware campaigns such as LoJax are targeting firmware as a way to maintain persistence on victim machines even after a system is wiped and re-imaged. State-based attackers have launched large-scale attacks against networking infrastructure. Meanwhile, government agencies are prioritizing firmware and supply chain risk management (SCRM), and the recent ShadowHammer attack on ASUS demonstrated how vendors can be compromised.

As the problem has begun to capture the attention of enterprises, we are glad to see the security industry taking notice. Cloud vendors are investing in custom hardware capabilities aimed at delivering better firmware protections for their servers. Hardware manufacturers have started introducing capabilities to ensure firmware secure boot and recovery. Likewise, the security industry has also started focusing on the firmware security gap, with some cybersecurity vendors adding capabilities targeting UEFI firmware on endpoint devices.

All of these are encouraging and very welcome developments. Firmware security impacts the entire lifecycle of the device. To cover this much ground requires both depth and breadth. This is larger than any single technology, vendor, or solution, and will be a journey—one that ultimately must be about solving real problems together. With that in mind, I would like to share some of our insights about the firmware security landscape, and how we see it evolving.

Firmware Security Extends to All Components

The firmware attack surface itself is incredibly broad. The first place where it makes sense to look is the all-important UEFI or BIOS system firmware. This is a complex area with many chips, protections, and processes that can potentially be vulnerable or a source of attack. However, as we learned from the Spectre and Meltdown vulnerabilities, we need visibility into the CPUs and chipsets themselves.

Any given device can contain dozens of components with persistent configuration and millions of lines of firmware code on a motherboard, inside chipset, integrated and peripheral devices. We are used to hearing about CPU, GPU, network cards, and hard drives or SSDs, but there are many more components which are less known but just as critical for device operation. Management subsystems including embedded controllers, baseboard management controllers and Intel Active Management Technology, BIOS and UEFI firmware, Wi-Fi and Bluetooth, storage controllers, add-on PCIe and USB devices, power management controllers, sensor hubs, battery subsystems, security chips, and the list goes on.

Any and all of these components are in scope for an attacker and must be protected. For example, an attacker with malicious firmware on a drive can read or destroy sensitive data and hide malware that is invisible to the operating system. Similarly, malware on the firmware of a network adapter can read data on the wire or redirect man-in-the-middle traffic. For each critical component of a system, an attacker could abuse that component for their gain.

Firmware Security Extends to Many Devices

Additionally, if we look outside the device itself, we see a broad landscape of device types that must be secured at the firmware level. Traditional laptops are certainly in play, but we must also protect mission-critical servers and networking devices. And, as we’ve seen, the baseboard management controllers used to manage them have been a key area for vulnerabilities over the past few years. The same issues extend to cloud infrastructure. Nation-states have targeted network devices for implants and backdoors, as controlling these devices at the firmware level provides an attacker with near-omnipotent influence over the network. But the problem also concerns other types of devices in critical infrastructure, IoT ecosystem and OT networks. Again, this is not a problem that will be solved by one solution. It will require multiple sources of expertise to ensure firmware security for all.

Firmware security is much more than a feature. Real security demands that a variety of disciplines work together. Even as hardware vendors redouble their efforts, we can’t just hope all products will be built securely and let that be our only line of defense.

Firmware Security Is Challenging

When dealing with threats at the firmware level, we are dealing with some of the most dedicated and sophisticated attackers on the planet. The firmware layer is where we confront the apex predators of the security world. And as such we must likewise be prepared for and expect our adversaries to constantly adapt. New types of threats can be delivered and hidden at any point in the supply chain or while the device is in use.

This requires constant vigilance and research in order to keep pace, including research into vulnerabilities as well as threats. These are very important and very rare skills. In order to face the best attackers security vendors will need deep expertise of their own on the firmware side. This is one of the reasons that we at Eclypsium have heavily focused on sharing our research openly as well as providing training on firmware security to the industry at large.

Firmware Security Requires an Ecosystem

In many ways firmware is very different from traditional software running at the operating system level and above. And yet, there are lessons that correlate quite well. In the same way we scan devices for signs of malware, we also need to scan for signs of threats that can be embedded in the firmware of a device. All types of devices, from endpoint laptops to powerful servers and network appliances, are susceptible to firmware threats.

We therefore have to think about how we control the firmware code running on the device: how we detect vulnerabilities, investigate problems, and deliver patches. The software industry has had decades to refine these capabilities, and we as an ecosystem need to quickly extend the same functionality to the firmware layer.

In Conclusion

While all of this might look like hard work, we must never lose sight of the needs of our customers. Along with the rest of the industry, we must deliver solutions that allow our customers to operationalize firmware security quickly, effectively, and at scale. The many considerations we have described here must become more than a collection of features or even a collection of products, and instead provide a true industry solution that works collaboratively to protect an organization’s assets. This is our role, one that I believe is key for enterprise security as the industry moves forward.

Yuriy Bulygin
CEO and Co-Founder

*** This is a Security Bloggers Network syndicated blog from Eclypsium authored by Yuriy Bulygin. Read the original post at: