How to identify and prevent firmware vulnerabilities
As creators of computer software begin to take security vulnerabilities more seriously, hackers are increasingly targeting the lower ends of the computer stack in hopes of stealing identities, privileges, and systems. One easy target? Firmware.
Companies are not taking firmware security as seriously as they should, especially when it comes to the UEFI or Unified Extensible Firmware Interface (often still referred to as “BIOS”) on computers. As such, cybercriminals are finding it easy to capitalize on firmware vulnerabilities in PCs, including those from big brands like HP and Dell.
The oversight is becoming a critical liability both in terms of realized threats and potential risks. According to a report by Eclypsium, 2019 set a new record for firmware vulnerabilities, accounting for a 43% increase over 2018. The total vulnerabilities were 7.5 times more than what was reported in 2016. Vulnerabilities can also be present in virtually any component of a device that requires a firmware update such as a memory card, network adapter and so on.
Fortunately, there are ways to identify and prevent firmware vulnerabilities, and they all start with gaining an understanding of what exactly firmware is.
What is firmware?
Firmware is the basic software that’s embedded in a piece of hardware and controls its basic functionality. You can consider it to be software for hardware.
However, firmware isn’t an interchangeable term for standard computer software. Virtually any hardware that uses software to operate, from smart sensors and routers to medical devices and industrial machines, has firmware that controls its functions and intelligence.
There are several types of firmware in existence, with BIOS (Basic Input/Output System) being the most popular. In the past few years, however, the UEFI standards have become commonplace. Hardware manufacturers who’ve transitioned to UEFI are driving the growth of open-source frameworks for firmware developers and IoT manufacturers.
Why is securing your firmware important?
Securing your firmware is important because most types of computer exploits targeting this aspect of a device can cause widespread damage. Once malicious actors are successful in injecting their code in the firmware’s code, they can infect legitimate updates, wipe hard drive storage and even remotely control the hardware of the device. A popular example of this is the hacking module designed by the spying network Equation, which was built to reflash or reprogram the firmware of a computer’s hard drive with malicious code.
Kaspersky researchers who discovered the module believed that subverting the firmware allows hackers to control systems in a way that they can get through software updates undetected. It also provides them with the ability to create hidden storage space on the hard disk to hide stolen information so the attackers can access it later. This means that the presence of firmware vulnerabilities enables adversaries like The Equation Group to bypass disk encryption by keeping files they want to steal in unencrypted spaces.
Detecting and preventing firmware vulnerabilities
Improving your firmware security starts with developing an understanding of an attacker’s capabilities and the potential attack vectors. The following are some ways your firmware could be hacked and how to prevent that from happening.
1. Remote attacks
Using man-in-the-middle tactics, adversaries look for ways to remotely infect a device’s hardware. A popular example of this was shared by researchers from Eclypsium at the Black Hat Conference in 2018.
Researchers revealed they discovered a buffer overflow vulnerability in the update mechanisms present in the UEFI of ASRock and ASUS systems. Specifically, when the update mechanism used in these UEFIs would configure the network with dynamic host configuration protocol and then make a plain HTTP request to a remote update server without any verification or SSL. So, if hackers were able to redirect or intercept this request to their own server using DNS or route poisoning, they could tweak the response sent to the user and exploit the vulnerability. As such, they can remotely inject malicious code, install an SMM rootkit and conduct other illicit activities on the system.
To help prevent remote attacks on your firmware, keep tabs on any newly reported vulnerabilities, adopt solutions or patches released by the vendor and raise user awareness to ensure no one requests an over-the-air update for systems that are prone to remote UEFI hacks.
2. Physical tampering
Some firmware vulnerabilities can only be exploited through physical tampering. For example, there are weaknesses in the firmware of Thunderbolt controllers which require attackers to have physical access to Thunderbolt-equipped laptops.
A security researcher at Eindhoven University of Technology revealed that with just a few minutes of physical access and some affordable hacking equipment, a hacker could bypass a laptop’s security mechanism, even if it was locked.
The attack involves opening the backplate of a Thunderbolt-equipped laptop, interfacing the controller with a temporary device, reprogramming its firmware and deactivating security features. The researcher was able to implement this process to bypass the password lock screen and gain access to the laptop.
The best way to prevent physical tampering is to prevent laptop theft by never leaving your laptop unattended. Use tools like Spycheck to check whether your device’s firmware is vulnerable. If it is, deactivating Thunderbolt ports completely is the only viable solution for mitigating the flaw.
3. Indirect modification
Malicious actors can also devise an Option ROM attack to make changes to the boot process without modifying the UEFI firmware of a computer. Because Option ROM interfaces between peripherals and UEFI functions, attacking it allows hackers to indirectly exploit a computer’s firmware. Such exploits can be used to make the OS capture and leak sensitive data, install malware on connected devices, reinstall executable code on reset if it was identified and deleted and more.
Adversaries may also infect Option ROM in a bid to cast a wider net. For example, a hacker could infect a peripheral with an Option ROM and then connect it to an uninfected computer to conduct their attack. Compromising an Option ROM, therefore, could serve as an initial tactic that creates a pathway for frequent boot process modifications.
When it comes to prevention, the best approach is to be mindful of any peripherals that come with an option ROM, like an Apple Thunderbolt Ethernet adapter.
Conclusion: improving resilience against firmware vulnerabilities
Besides enhancing your knowledge of firmware attacks, consider building resiliency by taking these steps:
- Regulate firmware updates by deploying user access controls and network isolation, and follow third-party news connected to those updates
- Watch out for hardware vulnerabilities that could enable hackers to gain access to your firmware and take measures like using strong cryptographic keys to mitigate them
- Collaborate with ethical hackers to develop pentesting tools and integrate them in the quality assurance process
- Document a list of past exploits and share them with your team to increase awareness and mitigate common firmware vulnerabilities
- Assessing Enterprise Firmware Security Risk in 2020, Eclypsium
- Indestructible malware by Equation cyberspies is out there – but don’t panic (yet), Kaspersky Daily
- BlackHat 2018 Remotely Attacking System Firmware Michael, Shkatov, & Bazhaniuk, Peerlyst
- Eindhoven security researchers find fatal vulnerabilities in Thunderbolt, Eindhoven University of Technology