Why firmware attacks are a top security threat

Article By : Zachary Bobroff

Most users are oblivious to the threat of firmware attacks. When hackers successfully attack firmware, the entire system is under attack.

When a computer or embedded device is powered on at the start of a day, what boots first? The device’s firmware. Firmware is the foundation for system security in embedded devices, from common household items like a smart refrigerator to industrial control systems powering major infrastructure.

With firmware being critical to device operations, it means a successful attack on firmware is no run-of-the-mill security threat. When someone hacks firmware, they have gained access at a point where no virus scanner or OS tool can detect or remediate the damage. When hackers successfully attack firmware, they gain a strong foothold on the entire system.

Most users – whether individuals or enterprises – are oblivious to the threat. Microsoft’s March 2021 Security Signals report found a staggering 80% of enterprises suffered at least one firmware attack in the previous two years. In the report, business leaders noted they find it difficult to detect threats, and firmware vulnerabilities are exacerbated by a lack of awareness. Data from the National Vulnerability Database (NVD) also shows an explosion of firmware vulnerabilities over the past 20 years.

While an increased focus on firmware research and development has helped uncover this spike in threats, they aren’t just minimal risks. These security threats are as serious as they are numerous, with NVD data indicating most issues uncovered are at critical or high severity.

The potential ramifications of a firmware attack are as unpleasant as you can imagine – threat actors can lie in wait for years, waiting until it makes most sense to launch an attack; they also can collect information and take control of the entire system, leaving infrastructure inoperable.

The bottom line: firmware attacks must be considered a top security threat to a system. Earlier this year, the U.S. Department of Commerce warned firmware represents “a large and ever-expanding attack surface” that is subject to hacks that could cripple the supply chain.

Impact of industry behavior

Industry behavior is at the root of some of the increase in firmware attacks. Over the past 10 years, there have been calls for increased standardization in systems and software, including the development of open source. While the industry complied, increased standardization broadened the attack surface.

Another significant contribution to the prevalence of firmware attacks is the lack of upgrades to embedded system firmware. Embedded system firmware typically has a much longer lifespan than its counterparts, being deployed for roughly 10 years or more. With these systems in deployment for a significant length of time, it means firmware should be monitored more closely.

But is that usually the case?

Unfortunately, the answer is no. Many embedded systems go without a firmware upgrade over the course of their lifespan, despite recommendations from firmware providers. Why? Some say they’re concerned their systems may not survive the upgrade, while others don’t think they can afford the downtime that might result.

In reality, downtime can be scheduled to coincide with other routine maintenance – and the cost of an attack is far greater than a few hours of a system being offline. According to IBM Security’s Cost of a Data Breach Report 2022, the average cost of a critical infrastructure attack is $4.82 million. Not implementing recommended patches and system upgrades leaves systems open to these attack – in which critical industrial control systems could fall into the wrong hands. It is crucial system integrators be mindful of their firmware and not leave it unattended until they notice an issue – because, at that point, it is probably too late for remediation.

AMI firmware image - istockphoto
(Image: AMI)

A helpful analogy is to think of firmware as a five-story building, basement included. Until there is an issue with the water, electrical system or HVAC, the basement is usually left unattended.

It’s the same way with systems. People think about protecting their OS and application software and pay less attention to firmware, which is the foundational level of the system. Until the system isn’t booting properly or a hard drive isn’t working, it’s easy to assume everything is okay. Complacency regarding firmware security must be viewed as a danger to an organization.

Knowing that firmware attacks are on the rise, there are steps that most companies can take to protect their systems:

  1. Understand the purpose of firmware and what firmware is on the systems used.
  2. Look for products that provide platform root of trust, which is the foundation on which secure operations of a computing system depend.
  3. Make sure firmware has been validated.
  4. Understand what mechanism protects the system if firmware is corrupted.
  5. Understand how the firmware can be restored and recovered.
  6. Have enhanced IT policies in place such as the practice of regularly updating firmware

Next steps for the industry

It’s important for enterprises to take control of their firmware security but better enforcement from a governmental level is also key in improving security across the supply chain. The EU is taking proactive steps to enact strengthened regulations on cybersecurity requirements, called the Cyber Resilience Act, which calls for better security throughout the lifecycle of a product and requires a cybersecurity framework for hardware and software producers.

While enterprises should take note of the increase in firmware attacks, it is not a source of major concern for organizations that take reasonable precautions to protect their systems and follow the recommended steps. With the EU taking action to implement better regulations, we can hope other countries will follow suit to reduce the number of firmware attacks.

 

This article was originally published on Embedded.

Zachary Bobroff is senior director of product management and a primary champion of opensource initiatives at AMI. He owns overall AMI product strategy and delivery of products and services with the objective of enhancing customer experiences. Zachary’s deep technical expertise comes from multiple hands-on roles in development, technical training and technical marketing, along with a decade of experience building strong relationships with AMI’s customers, vendors and partners. Zachary has worked in diverse roles at AMI for over 15 years, is a frequent speaker at industry conferences and has authored several articles on opensource topics.

 

Virtual Event - PowerUP Asia 2024 is coming (May 21-23, 2024)

Power Semiconductor Innovations Toward Green Goals, Decarbonization and Sustainability

Day 1: GaN and SiC Semiconductors

Day 2: Power Semiconductors in Low- and High-Power Applications

Day 3: Power Semiconductor Packaging Technologies and Renewable Energy

Register to watch 30+ conference speeches and visit booths, download technical whitepapers.

Leave a comment