Five Common Excuses for Lack of Firmware Security

Written by

Firmware – software designed specifically for hardware such as hard drives, USB or UEFI – is critical for every business. Every computer and smart device is built from dozens of such components, and hardware security vulnerabilities are real and increasing.

Forrester Research revealed 63% of organizations experienced one or more data breaches due to firmware or hardware vulnerabilities in the past year. Security professionals’ most senior bosses may not know about firmware security in-depth, but it is their responsibility to know how important it is.

Business leaders are recognizing they have a vital responsibility to ask their security team smart questions about security, and this includes firmware; but all too often responses from security professionals fall into one of five common excuses.

Excuse one – “Bad actors need physical access to infiltrate the network”

It is a myth that bad actors need physical access to infiltrate networks. Physical tampering is arguably the most widely known firmware security attack but isn’t the only method.

There are other ways, such as supply chain attacks, whereby manufacturers or those in charge of system delivery could manipulate firmware; unknown implants could be left undetected in a data center for decades.

Hackers can also attack applications or systems remotely to exploit firmware for sabotage or persistent surveillance, while malicious actors can also access some firmware components on the internet in the same way as applications.

Excuse two – “The supply chain process has inherent security checks”

Security checks for accurate data, software vulnerability management, incident response and more are available in many organizations’ supply chain processes. However, it is rare for security teams to check and verify firmware and hardware integrity during supply chain processes. This means attackers have a chance to not only access hidden backdoors but maintain them while going under the cybersecurity team’s radar.

Insider threats are real – recently a black hat hacker attempted to recruit a Tesla employee to install malware for $1 million. Any organization, especially one with valuable secrets, needs to take this seriously.

Excuse three – “The firmware is already secure”

No one should assume their firmware is already secure – it is an ongoing process. Cybersecurity teams need to document exact steps taken to identify and mitigate against threats, and then assume there are more they have missed and keep searching.

Firmware vulnerabilities can be located in almost any device or system component; they often show up in security features such as privileges and access control, and often are discovered too late. Organizations must put in place regular patching practices to increase security, or face leaving hidden and persistent backdoors, lowering the bar for hackers.

Excuse four – “There are other things to prioritize”

This response is easy to understand – COVID-19 put a lot of pressure on security teams and budgets, and it may have been tempting to see firmware security as less of a priority than issues such as cloud migration of patching programs.

In recent years, most exploitations have been application or operating system-related, and the number of cyber-criminals with in-depth knowledge and experience with firmware was relatively small. However, more research is being published that is revealing attackers stepping up their efforts to exploit vulnerabilities in firmware.

If organizations continue to underestimate the importance of firmware security, they are either ignoring or accepting the constantly increasing risks. Security leaders must update their risk and threat management programs to ensure firmware and supply chain security is included.

Excuse five – “firmware attacks are not real”

Firmware attacks are real, there is no doubt. Since the Shadow Brokers activity in 2013, documented and dangerous firmware attacks have been on the rise from a range of bad actors, including commercial hackers whose main method of breach is firmware backdoors.

Lack of security monitoring at this level, however, means there is likely far more going on behind the scenes than is discovered and reported.

What security teams should say and do

When communicating with business leaders about firmware security, I often use a metaphor we all know and understand - home security. If all the doors and windows are open in our homes and valuable possessions are on display, we might as well be saying ‘thieves welcome here’.

Firmware security is no different. Security professionals need to ask, “Did I patch that vulnerability?” as much as “Did I lock the front door?” Security teams should use a Zero Trust policy around firmware, implement continuous patching and configuration management, monitor critical servers, and scan devices that have been in insecure environments. Also make sure to practice essential security hygiene.

If organizations don’t lock down firmware, attackers could sneak in the back door and grab IP and customer data. There is no good excuse for lack of firmware security.

What’s hot on Infosecurity Magazine?