Firmware Attacks

Firmware Attacks – A Blind Spot for Organizations?

In October 2020, researchers discovered only the second UEFI rootkit ever found in the wild while investigating attacks against several non-governmental and diplomatic organizations in Africa, Asia, and Europe that took place between 2017 and 2019. This UEFI rootkit, called MosaicRegressor, “is a modular and multi-stage malware framework used by Chinese-speaking hackers in data theft and espionage operations”. The threat actors built malicious UEFI firmware images by inserting a large number of malicious modules, which were then used to deliver malware to targeted devices.

Cybercriminals are digging lower and deeper into computing systems to launch malicious activities through firmware attacks. These attacks can threaten the very core of an organization’s systems. Here we will discuss what firmware attacks are, how they are executed, and how to protect your organization against them.

What is firmware?

Firmware is a kind of software that communicates with a device’s hardware to control its operation. Most of the modern devices we see today cannot operate without firmware. It is considered to be the link between the hardware and operating system (OS) of a device.

It is usually stored in memory devices such as ROM, EPROM, or flash. Examples of firmware include the BIOS in personal computers and UEFI, which is used in newer desktop computers with more memory. Changing or updating firmware requires great care: an incorrect alteration can leave the device malfunctioning or not working at all. Common reasons for updates are bug fixes, smoother operation of the device, and additional features.

What are firmware attacks?

Cybercriminals are always looking for new vulnerabilities to exploit, and recently they have been targeting firmware as a new attack surface. A 2021 report issued by Microsoft revealed that 80% of organizations had been the target of a firmware attack at least once in the past two years, yet they had allocated only 29% of their security budgets to firmware protection. The study also found that most of the investment goes towards “security updates, vulnerability scanning, and advanced threat protection solutions.”

Firmware attacks are usually executed by inserting malicious code into the firmware, which then changes the instructions the hardware is programmed to carry out. Bootkits, malware, and rootkits are the most common causes of firmware attacks. Physical vectors include compromised USB devices, corrupted drives, CDs, and the like. In the digital age an attacker can also deliver malicious code over Wi-Fi, Bluetooth, or even Ethernet, and because our phones, televisions, and other devices are connected to each other, this significantly increases the likelihood of an attack.

Additionally, with the rise in smart vehicles, security and operational updates will be transferred over the air (OTA), which opens a new window of opportunity for criminals to launch firmware attacks.

Common firmware vulnerabilities include Thunderstrike, ROCA, Key Reinstallation Attacks (KRACK), BadUSB, and others. As technology advances, these vulnerabilities can be developed into even more sophisticated variants. Once an attacker is able to compromise the firmware of a device, they can establish control, manipulate and compromise other parts of the firmware, spy on user activity, extract data, or even disable the device completely. Option ROM attacks and Direct Memory Access (DMA) attacks are two of the methods through which they pursue this activity.

Unfortunately, these attacks are very hard to detect or even trace, because most devices lack the visibility needed to confirm that their firmware has not been compromised before the device initializes or runs.

Hence, it is recommended that organizations enforce effective firmware security. According to Gartner, “By 2022, 70% of organizations that do not have a firmware upgrade plan in place will be breached due to a firmware vulnerability.”

How to defend against firmware attacks

Organizations are the most frequent targets of firmware attacks. Here are some steps to keep your organization protected from them:

  1. Regularly update firmware to the newest available version, thereby maintaining security and patching any known firmware vulnerabilities.
  2. Regularly update the hardware, and enable automated updates of the OS and applications to the newest version.
  3. Keep a lookout for any hardware vulnerabilities that could give attackers access to your firmware. Use strong cryptographic keys to defuse these situations. Additionally, make sure to purchase hardware that has built-in protection against malicious software.
  4. Make sure that physical devices such as USB sticks, hard drives, and CDs are all trustworthy and don’t contain any malware or viruses that could infect your organization’s systems. Educate your employees on the dangers of inserting unknown or unverified devices into a system.
  5. Monitor user activity and produce an annual security report that breaks down the blind spots that have been exploited, which vulnerabilities to patch, and where to allocate resources for better cybersecurity.
  6. Purchase your computing equipment from a high-performance computer manufacturer that has a strict revision control process, conducts meticulous supplier quality surveys, and has an established Counterfeit Protection Program (CPP) for counterfeit electronic parts. This provides your organization with firmware and hardware protection. Finally, ask your manufacturer to customize your BIOS, as this increases security and prevents unauthorized access.
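The two practices that the detection problem above and steps 1 and 4 rely on are (a) recording a known-good hash of every firmware region at provisioning time and comparing later dumps against that baseline, and (b) checking a downloaded update image against the hash the vendor publishes out of band before flashing it. The Python below is an added example written for this article, not code from the original page or from any vendor tool: the region names, byte strings and hash values are constructed stand-ins, and in a real deployment the `dumped` regions would come from an SPI flash dump produced by a vendor or open-source tool and `published_sha256` from the vendor's release notes or signed manifest.

```python
import hashlib
import hmac

# Constructed sample "firmware" regions standing in for SPI flash dumps.
# Real regions are binary blobs of hundreds of kilobytes, not short strings.
BASELINE_REGIONS = {
    "descriptor": b"FLASH-DESCRIPTOR-v1",
    "bios": b"BIOS-REGION-v1-module-A-module-B",
    "me": b"ME-REGION-v1",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a region or image; the unit of comparison throughout."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(regions: dict) -> dict:
    """Record the known-good ('golden') hash of each region at provisioning time.
    Store the result somewhere the device itself cannot rewrite."""
    return {name: sha256_hex(blob) for name, blob in regions.items()}


def compare_to_baseline(dumped: dict, baseline: dict) -> list:
    """Compare a fresh dump against the golden baseline.

    Returns a sorted list of findings: 'modified:<region>' when a hash differs,
    'missing:<region>' when an expected region is absent from the dump, and
    'unexpected:<region>' when the dump contains a region the baseline never
    recorded (an extra module or region is exactly how a rootkit shows up).
    An empty list means no drift was detected.
    """
    findings = []
    for name, expected in baseline.items():
        if name not in dumped:
            findings.append(f"missing:{name}")
        elif not hmac.compare_digest(sha256_hex(dumped[name]), expected):
            findings.append(f"modified:{name}")
    for name in dumped:
        if name not in baseline:
            findings.append(f"unexpected:{name}")
    return sorted(findings)


def verify_update_image(image: bytes, published_sha256: str) -> bool:
    """Gate for step 1: only flash an update whose hash matches the value the
    vendor published out of band. False means the image must not be applied."""
    return hmac.compare_digest(sha256_hex(image), published_sha256.strip().lower())


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_REGIONS)

    # Clean dump: no findings.
    print("clean dump:", compare_to_baseline(BASELINE_REGIONS, baseline))

    # Constructed tampered dump: an extra module appended to the BIOS region.
    tampered = dict(BASELINE_REGIONS)
    tampered["bios"] = BASELINE_REGIONS["bios"] + b"-module-X"
    print("tampered dump:", compare_to_baseline(tampered, baseline))

    # Update verification against a (constructed) published hash.
    update = b"BIOS-REGION-v2"
    published = sha256_hex(update)
    print("good image accepted:", verify_update_image(update, published))
    print("altered image accepted:", verify_update_image(update + b"!", published))
```

The baseline must be captured from a device you trust and kept off the device (for example in the asset inventory), otherwise an attacker who rewrites the firmware can rewrite the baseline too. `hmac.compare_digest` is used for the hash comparisons so that the check does not leak timing information, which matters little for a local audit but costs nothing.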