Attacks against the firmware and hardware of devices are on the rise. They constitute some of the biggest threats enterprises face today. As the shift to remote work has increased the use of endpoint devices—e.g., laptops, PCs, tablets, and printers—the attack surface has only grown.
Witness this week’s disclosure that millions of Lenovo laptops contain firmware-level vulnerabilities. A trio of flaws have provided cybercriminals a convenient way to install malware that can evade cybersecurity tools and persist even after a hard-drive replacement or operating system re-install.
Because firmware essentially runs an endpoint’s hardware, and plays traffic cop between that hardware and the operating system, it gives attackers incredible access to a business’s treasures while providing them with the cover they need to remain hidden from the watchful eyes of IT.
“Everyone is watching the cloud, which is important, but somebody needs to capture and study their organization’s firmware,” Roger Thompson, founder and CEO of security research firm Thompson Cyber Security Labs, which specializes in system boot process security and firmware vulnerabilities, told Endpoint. “We’re in a constant race to get lower in the stack,” he adds. “While firmware attacks are not new, I believe they are going to be one of the biggest next fronts in malware.”
Firmware attackers are getting busy. (Some 83% of enterprises say they have experienced at least one firmware attack in the previous two years, according to a recent Microsoft survey.) And there are plenty of targets for them to choose from. The government’s National Vulnerability Database (NVD), which tracks standards-based vulnerability management data, is peppered with firmware-related vulnerabilities—162 last year alone—just waiting for hacker exploitation.
Despite the severity and pace of the threat, spending has not yet increased to manage the risks. The Microsoft survey found that only 29% of security budgets are allocated to protect firmware.
With the rising incidents of firmware attacks, it is important for IT and security teams to know how firmware hackers do what they do, what to look for to stop them, and how to fight back once they’ve gained access.
Why firmware is a viable target
In addition to a lack of budget devoted to protecting firmware, there are a number of other factors that make firmware a fertile hacking ground, according to the Microsoft survey:
- 21% of security decision-makers admit their firmware data goes unmonitored.
- Reactive cycles and manual processes bog down security efforts. Some 82% of decision-makers say too much time and resources are spent on low-yield tasks like manual software patching and hardware upgrades.
How firmware attacks work
Attackers target firmware in much the same way they target other software. They use rootkits, malware, and the like as delivery vectors. They tamper with firmware configurations and take advantage of poor encryption-key management. And once embedded, hackers often enjoy a stealth mode that most software-based exploits don’t provide. Here’s how it works. Attackers:
- Target code below a device’s operating system and exploit vulnerabilities.
- Drop malicious code into the system.
- Make changes to the operating system.
- Shift aim to the system’s software, where they wreak havoc and often go undetected.
The Unified Extensible Firmware Interface (UEFI) Forum is an industry standards body that seeks to improve firmware security. Its interface standard defines communication between the firmware provided by the device manufacturer and the operating system of the device.
“There’s always the potential of a successful attack,” UEFI Forum board member Dick Wilkins told Endpoint. “We’ve been working diligently to try to make sure that we don’t leave any back doors and to make sure that UEFI is as secure as possible.”
How to defend against firmware attacks
Attackers targeting firmware have been working overtime to gain access to this area of the system, which is too often an afterthought for security teams. Organizations can fight back by practicing good cyber hygiene and taking a few key steps:
- Increase visibility into systems and amp up detection capabilities internally and across the supply chain.
- Update endpoint firmware.
- Train security teams to recognize signs of firmware attacks.
- Automate manual processes like patching so that security teams have time to evaluate firmware for potential high-yield vulnerabilities.
- Incorporate firmware security assessments as part of the product acquisition process.
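As an added illustration of the visibility and detection steps above (this is not code from the article or from any vendor or firm named in it), the following Python compares a constructed firmware inventory against an earlier known-good baseline and reports devices below an assumed approved version, a device whose image hash changed without a version change, one where Secure Boot was switched off, and one that was never baselined. The host names, vendor name, versions and hashes are all constructed sample data.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class FirmwareRecord:
    host: str
    vendor: str
    version: str
    image_sha256: str  # hash of the captured firmware image (e.g. an SPI flash dump)
    secure_boot: bool  # firmware-reported Secure Boot state

def fake_hash(label: str) -> str:  # stand-in for hashing a real captured image
    return hashlib.sha256(label.encode()).hexdigest()

# Hypothetical minimum approved version per vendor (assumed; not a real vendor).
APPROVED_VERSIONS = {"ExampleVendor": "1.22"}

# Constructed baseline, captured when the fleet was last known-good.
BASELINE = {
    "lap-001": FirmwareRecord("lap-001", "ExampleVendor", "1.22", fake_hash("img-1.22"), True),
    "lap-002": FirmwareRecord("lap-002", "ExampleVendor", "1.20", fake_hash("img-1.20"), True),
    "lap-003": FirmwareRecord("lap-003", "ExampleVendor", "1.22", fake_hash("img-1.22"), True),
}
# Constructed current collection: lap-002 still on old firmware with Secure Boot off,
# lap-003 same version but a different image, prn-004 never baselined.
CURRENT = {
    "lap-001": FirmwareRecord("lap-001", "ExampleVendor", "1.22", fake_hash("img-1.22"), True),
    "lap-002": FirmwareRecord("lap-002", "ExampleVendor", "1.20", fake_hash("img-1.20"), False),
    "lap-003": FirmwareRecord("lap-003", "ExampleVendor", "1.22", fake_hash("img-1.22-x"), True),
    "prn-004": FirmwareRecord("prn-004", "ExampleVendor", "1.22", fake_hash("img-1.22"), True),
}

def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))

def audit_firmware(baseline: dict, current: dict) -> list:
    """(host, finding, detail) triples; a new image hash is only suspicious at an unchanged version."""
    findings = []
    for host, rec in sorted(current.items()):
        base = baseline.get(host)
        if base is None:
            findings.append((host, "unmonitored", "no baseline record for this device"))
            continue
        minimum = APPROVED_VERSIONS.get(rec.vendor)
        if minimum and version_tuple(rec.version) < version_tuple(minimum):
            findings.append((host, "outdated", f"{rec.version} below approved {minimum}"))
        if rec.version == base.version and rec.image_sha256 != base.image_sha256:
            findings.append((host, "image_changed", "same version, different image hash"))
        if base.secure_boot and not rec.secure_boot:
            findings.append((host, "secure_boot_disabled", "was enabled at baseline"))
    return findings
```

Feeding real collections (firmware version strings from the management agent and hashes of captured images) into the same comparison turns the "capture and study" advice into a repeatable check rather than a one-off exercise.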
In addition to monitoring known firmware vulnerabilities, security and IT teams can save time and resources by automating their patch management. “Making sure each device is included in normal patching and update cycles helps minimize the chance of a breach if an attacker does get access,” John Bock, a senior research scientist at Optiv Security, told Endpoint.
And even then, says Bock, it may be wise to just brick the endpoint and replace it: “A general rule of thumb is if the cost of response is more than the cost of replacement, just replace it.”