Attacks on your network come in many forms. From common denial-of-service attacks to more complex man-in-the-middle hijacks, malicious actors are constantly probing your network security for vulnerabilities to exploit. One of the less talked about, but no less important, vectors that has become a more serious concern in recent years is the firmware attack.
What is a firmware attack?
To understand why a firmware attack is such a bad thing, we need to look at what firmware is, and why its place in the computing hierarchy makes it a critical weakness. Firmware is one of the most fundamental sets of instructions on a computer or electronic device. It is the basic code that tells the individual hardware pieces that make up a computer (your motherboard, processor, video card, network adapter, keyboard, etc.) both what to do when powered on and how to work with the software on your system.
Think of the BIOS on your computer: the moment your computer is powered on, it looks to the basic input/output system (BIOS) for instructions on where to start. The BIOS initializes the hardware and manages the data flow between hardware components and the operating system. For more basic electronics (like your television remote control), firmware can be the entirety of its operating system. Even your car has firmware powering the computer systems that keep it running.
Most electronic devices are supplied with firmware that can be updated over time, to patch issues or improve performance. That same update path is one of the main vectors for firmware hacks: if you can write to a device's firmware, you can issue your own instructions from the moment it powers on, altering its basic routines, its communications, and its control and monitoring functions.
What's worse, once a firmware implant is in place, it is very hard to remove. A recent Microsoft report found that 80% of enterprises in the UK, US, Germany, Japan and China have suffered at least one attempted firmware attack in the last two years, and data from the National Institute of Standards and Technology (NIST) shows a five-fold increase in firmware attacks over the past four years.
Cyber security experts consider them a more "advanced" form of attack, yet they are on the rise, along with a growing concern that companies aren't paying enough attention.
How does a firmware attack work?
The majority of firmware attacks take the form of malware: malicious code written into the firmware image itself, where it runs with the firmware's privileges every time the device starts.
Researchers disclosed nearly six years ago that almost all computer BIOS implementations share code in common, because vendors build on the same reference implementations. That means that just one piece of malware can potentially affect tens of millions of different systems. By exploiting a handful of "incursion" vulnerabilities (sorry, we're not going to detail what those are!), they were able to write a simple script to "reflash" the BIOS of a vulnerable computer and inject their own instructions.
Attackers have also implanted malicious code directly into a device's Unified Extensible Firmware Interface (UEFI) firmware, the modern successor to the BIOS, as the LoJax rootkit found in the wild in 2018 demonstrated.
While many of those vulnerabilities were patched after being disclosed to hardware vendors, the genie isn't going back in the bottle. Bad actors continue to use similar methods to find weaknesses in firmware code, and a patch only helps once the new firmware has actually been flashed onto the device.
What makes firmware attacks such a concern?
One of the main reasons firmware attacks are so daunting is the level at which they operate. Firmware runs before, and "below", your operating system, so the common tools for detecting and quarantining malware, like antivirus software, which run inside the operating system, simply don't see it.
Malicious firmware hacks can take many forms, but they generally seek to accomplish a few common tasks:
- Change basic functions. Alter user privileges, change boot procedures, block security patches, and disable startup software (like antivirus). This sets your computer up to allow any manner of other instructions to be executed.
- Exfiltrate data. Firmware can use the direct memory access (DMA) functions of hardware components to siphon off data with almost zero trace. Disk and file encryption don't help once the data has been decrypted into memory, and this type of attack has been demonstrated even on computers in low-power or sleep mode.
- Remote control of your computer. A natural fit for extortion and ransomware-style attacks: with control of the firmware, attackers can lock up or "brick" your system remotely and hold your system, your network, or more, hostage until you pay to regain control.
What do firmware attacks mean for your network?
It's important to note the effect this can have on your network security. Firmware attacks are most commonly seen on enterprise networks because of their ability to skirt most of a network's security checks. Virtually all network-based security software will miss a device with compromised firmware: the firewall rules, authentication protocols and access-control software used to verify the device all see a machine that appears perfectly healthy, because nothing at the operating-system level has changed. Your computer is allowed full access to its normal areas of the network, unknowingly doing all manner of bad things: infecting other devices, or sending data that should never leave your company off to parts unknown. If a user with a high level of access were compromised in this way, the results could be devastating.
Wiping your operating system won't do the trick either. The source of the problem isn't your OS or an app you're using; it's code stored in the device's own flash memory, on the motherboard or the component itself, not on the disk you reimage. The malware will still be there even after a clean install.
Not a concern?
Despite all the risk a firmware attack can pose to an enterprise's network and IT systems, it is continually seen as less than a priority for many teams. That same Microsoft report that found 80% of enterprises had been targeted also found that only 29% of security budgets were allocated to protecting firmware.
Maintaining up-to-date firmware is one of the most effective ways to deny a malicious actor a vulnerability. Yet IT teams consistently fail to prioritize routine firmware updates.
It can be a daunting manual task. Just remembering all the components with firmware (not just your computers, but your servers, switches, routers, webcams, and other IoT devices) can be a huge challenge in itself. Firmware updates are often not surfaced by operating systems the way software updates are. In short, the burden continues to fall on administrators to make sure every device is running a safe and updated firmware set.
What can you do to prevent firmware attacks?
While there are many ways firmware attacks can be launched against network devices, there are also many basic housekeeping and security steps you can take to eliminate a number of potential vulnerabilities.
Inventory devices and update firmware regularly
Network management software that's worth investing in will typically have this covered. Through the software's discovery features, you should be able to quickly identify any device's firmware version. More advanced tools will let you update that device's firmware from a dashboard, with no need to go device by device.
Keeping all your devices' firmware on their latest versions, and checking regularly to make sure they stay there, is one of the best defenses you can muster.
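The inventory check described above, as an added example that is not part of the original post or of any vendor's management software. It takes a constructed discovery export (hostname, vendor, model, installed firmware version) and a constructed table of the latest vendor-published versions, compares versions numerically so that 2.3.10 is correctly treated as newer than 2.3.9, and reports not only outdated devices but also devices whose model has no known reference version, since a device you cannot verify is itself a finding. The device names, models and version strings are all assumptions made up for the example.

```python
"""Added example (not from the original post): a minimal firmware-inventory
check that flags devices whose firmware lags the vendor's current version.

Assumptions (not from the original post): the inventory and the 'latest'
table are constructed sample data; a real deployment would pull these from a
network-management tool's discovery output and the vendor's release notes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory, one line per device, as a discovery tool might
# export it. Format: hostname,vendor,model,firmware_version
INVENTORY = """\
core-sw-01,Acme,SW2400,2.3.10
core-sw-02,Acme,SW2400,2.3.9
edge-rtr-01,Acme,RT100,5.0.1
lobby-cam-01,Acme,CAM7,1.0.0
lab-printer-03,Acme,PRN9,0.9
"""

# Constructed table of the latest vendor-published version per (vendor, model).
LATEST: Dict[Tuple[str, str], str] = {
    ("Acme", "SW2400"): "2.3.10",
    ("Acme", "RT100"): "5.1.0",
    ("Acme", "CAM7"): "1.2.4",
}


def version_key(version: str) -> tuple:
    """Split a dotted version into comparable parts so that '2.3.10' sorts
    after '2.3.9' (plain string comparison gets this wrong). A non-numeric
    suffix such as the 'b' in '1.2.3b' is kept as a trailing string."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if m:
            parts.append((int(m.group(1)), m.group(2)))
        else:
            parts.append((-1, piece))  # wholly non-numeric piece sorts lowest
    return tuple(parts)


@dataclass
class Finding:
    host: str
    status: str            # "current", "outdated" or "unknown-model"
    installed: str
    latest: Optional[str]  # None when the model has no reference version


def audit(inventory_text: str, latest: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Compare every inventoried device against the reference table."""
    findings = []
    for line in inventory_text.strip().splitlines():
        host, vendor, model, installed = [f.strip() for f in line.split(",")]
        newest = latest.get((vendor, model))
        if newest is None:
            # No reference version means the device cannot be verified; report
            # it rather than silently skipping it.
            findings.append(Finding(host, "unknown-model", installed, None))
        elif version_key(installed) < version_key(newest):
            findings.append(Finding(host, "outdated", installed, newest))
        else:
            findings.append(Finding(host, "current", installed, newest))
    return findings


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Everything that is not confirmed current."""
    return [f for f in findings if f.status != "current"]


if __name__ == "__main__":
    for f in audit(INVENTORY, LATEST):
        print(f"{f.host:16} {f.status:14} installed={f.installed} latest={f.latest}")
```

The "unknown-model" status is the part most ad-hoc scripts leave out: a camera or printer that no one has a reference version for is exactly the device that never gets patched.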
Don’t trust unknowns
Firmware attacks don't have to come through a LAN cable. Your employees can sometimes be the bearers of bad code without knowing any better. USB devices are a common cause of infection: a thumb drive whose own controller firmware has been reprogrammed can present itself as a keyboard and type commands into your system. Untrusted networks can be a hot spot for infections too. An open Wi-Fi network at a coffee shop, or a Bluetooth device you don't know, puts your machine's wireless adapter and its firmware in direct contact with whoever else is on that link. Consider zero trust security models.
Upgrade to hardware with firmware protection
Hardware vendors are constantly monitoring and updating their products to account for these sorts of security weak points. Several manufacturers now offer some form of built-in firmware protection, such as Microsoft's Secured-core PCs or HP Wolf Security, which use a hardware root of trust to verify the firmware before it is allowed to run.
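Hardware-rooted firmware protection of the kind mentioned above relies on measured boot: a root of trust hashes each boot stage into a tamper-evident register (a TPM Platform Configuration Register, or PCR) before handing control to it, and a verifier compares the final value against a known-good baseline. The following is an added example, not code from the original post or from any vendor, that simulates that mechanism in Python so you can see why it catches what antivirus and an OS reinstall cannot. The boot-stage images are constructed byte strings, not real firmware, and the stage names are assumptions made up for the example.

```python
"""Added example (not from the original post): a simulation of TPM-style
measured boot, the mechanism hardware-rooted firmware protection relies on.

Each boot stage is hashed and 'extended' into a PCR:
    PCR_new = SHA-256(PCR_old || SHA-256(stage))
A PCR can only be extended, never set, so a change to any stage changes the
final value. Comparing the final PCR (and the per-stage event log) against a
known-good baseline reveals a modified firmware image even though nothing
running inside the OS can see it.

The boot-stage images below are constructed stand-ins, not real firmware.
"""
import hashlib
from typing import List, Optional, Tuple

PCR_SIZE = 32  # SHA-256 digest length; a fresh PCR starts as all zeros


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || H(data))."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()


def boot_log(stages: List[Tuple[str, bytes]]) -> List[Tuple[str, bytes]]:
    """Run the chain: the root of trust measures each stage before handing
    control to it. Returns the event log of (stage name, PCR after stage)."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, image in stages:
        pcr = extend(pcr, image)
        log.append((name, pcr))
    return log


def measure_boot(stages: List[Tuple[str, bytes]]) -> bytes:
    """Final PCR value for a boot sequence."""
    return boot_log(stages)[-1][1]


def attest(stages: List[Tuple[str, bytes]], baseline: bytes) -> bool:
    """What a remote attestation service does: compare the reported PCR with
    the value recorded for a known-good build of this platform."""
    return measure_boot(stages) == baseline


def first_divergence(good_log, reported_log) -> Optional[str]:
    """Name of the first stage whose PCR differs from the baseline log, or
    None if the whole chain matches. Because each PCR value depends on every
    earlier stage, the first mismatch pinpoints the tampered stage."""
    for (name, good_pcr), (_, seen_pcr) in zip(good_log, reported_log):
        if good_pcr != seen_pcr:
            return name
    return None


# Constructed stand-ins for the stages a real platform measures (assumption).
GOOD_BOOT = [
    ("firmware",   b"ACME-UEFI-1.2.4 \x00\x01\x02"),
    ("bootloader", b"bootmgfw.efi v10"),
    ("os-kernel",  b"ntoskrnl 10.0.19041"),
]

# Same chain, but one byte of the firmware stage has changed, as an implant
# that reflashes the SPI chip would do.
TAMPERED_BOOT = [
    ("firmware",   b"ACME-UEFI-1.2.4 \x00\x01\x03"),
    ("bootloader", b"bootmgfw.efi v10"),
    ("os-kernel",  b"ntoskrnl 10.0.19041"),
]

# A clean OS reinstall replaces the kernel stage but leaves the tampered
# firmware stage (and therefore the implant) in place.
REINSTALLED_OS_BOOT = [
    ("firmware",   b"ACME-UEFI-1.2.4 \x00\x01\x03"),
    ("bootloader", b"bootmgfw.efi v10"),
    ("os-kernel",  b"ntoskrnl 10.0.22621"),
]

BASELINE = measure_boot(GOOD_BOOT)

if __name__ == "__main__":
    print("good boot attests:        ", attest(GOOD_BOOT, BASELINE))
    print("tampered firmware attests:", attest(TAMPERED_BOOT, BASELINE))
    print("after OS reinstall:       ", attest(REINSTALLED_OS_BOOT, BASELINE))
    print("first divergent stage:    ",
          first_divergence(boot_log(GOOD_BOOT), boot_log(TAMPERED_BOOT)))
```

The reinstalled-OS case is the one worth noticing: the kernel measurement changes, so an attestation service that only tracked the OS would be confused, but the firmware-stage PCR still differs from the baseline, which is exactly why reimaging the disk does not clear a firmware implant.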
Back up firmware and configurations automatically
Obviously, prevention is the best medicine, but what you do and how you recover after an emergency matters too. By running routine, centralized backups of your critical systems' configuration files and documentation (including which firmware version each device needs), you won't waste precious hours of downtime just trying to figure out what you lost and how to get back to a known-good state should the worst happen.