Don’t Let the Fox Watch the Henhouse: Securing Firmware

Recent attacks have caused the security industry to direct significant attention to supply chain security. As organizations look to address those challenges, it’s critical to start with what is arguably the most integral piece of the supply chain: the firmware layer.

Firmware is, essentially, the foundational code within a device. Independent of the operating system, firmware is the first code to run and can modify or subvert the OS and applications running at higher levels. This makes firmware a single point of failure that, when compromised, can allow attackers to evade security controls at those higher layers and silently persist on a device.

The Challenge of Verifying Firmware in the Supply Chain

Out of necessity, most organizations implicitly trust vendor firmware. However, recent attacks have demonstrated that this is insufficient. This presents a number of challenges, beginning with the sheer scope of the effort.

The number of devices alone can be overwhelming when you begin to consider every server, switch, laptop, smartphone, etc., that connects to the network. But the scope grows exponentially; the vast majority of devices also rely on an array of components and subcomponents, each of which also has its own firmware and supply chain. The result: a very broad and deep attack surface into which organizations have very little—if any—visibility.

The issue is further complicated by the heterogeneous nature of IT organizations. For any one device category, organizations tend to rely on more than one vendor and multiple models from those vendors. Vendors may offer tools to validate the supply chain, but those tools differ from vendor to vendor – and some vendors’ tools even differ between their own models. The variety and scope of tools makes it difficult to implement a consistent and efficient approach to verifying firmware.

There’s another problem with relying on vendor tools to verify the integrity of the supply chain, and it goes back to the issue of implicit trust. How can you rely on a vendor to verify its own integrity when the vendor itself may be compromised? Moreover, independent audit or evaluation has long-established merit: it avoids the biases that come with the great cost and effort of developing and maintaining a complex system. To address these challenges, organizations need an independent and consistent way to verify the integrity and posture of the firmware in their devices, at scale and in continuous operations.

How Independent Visibility Can Help

An independent solution for verifying firmware offers a number of benefits. The scope of the vendor and device landscape is abstracted away by an independent solution that provides a consistent, automated approach across many devices and vendors. This consistent approach is more efficient than using multiple vendor solutions or developing custom processes, and thereby gives organizations a fighting chance at verifying the firmware of the vast majority of devices in the environment.

By its very nature, an independent solution is also more effective at verifying firmware than a vendor solution. The independent view into the device enables a third-party solution to verify the information self-reported by a device, and to perform both static and behavioral analysis to identify signs of compromise. When manufacturers enable this visibility, the independent solution builds on the security technology already in the device and keeps improving on it as new security research emerges over the (often longer than expected) lifetime of the device.

Finally, an independent solution can provide the fine-grained visibility organizations need to extend risk management and incident response down to device and component firmware. Organizations can establish device baselines and identify vulnerable firmware versions and misconfigurations that leave devices exposed. With this visibility, organizations have a fighting chance against latent device-level issues, whether accidental or malicious.
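The baseline-and-verify idea above can be made concrete with a small, added example; it is not code from the original post or from Eclypsium. It assumes a firmware image split into three named regions (a hypothetical layout), hashes each region independently of whatever the device reports about itself, compares the result against a known-good baseline for the version the device claims to run, and flags three distinct conditions: an unknown reported version, a region that drifts from the baseline, and a self-reported version that contradicts what the image actually matches. All images and digests are constructed for illustration.

```python
"""Independent firmware baseline check (added example, constructed data).

The checker never trusts the device's self-report: it measures the image,
then uses the reported version only as a lookup key into the baseline.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical region layout of a 64-byte image: name -> (offset, length).
REGIONS = {"boot_block": (0, 16), "main": (16, 32), "config": (48, 16)}

# Code regions drifting from baseline is serious; configuration drift is
# expected in the field and only needs review.
REGION_SEVERITY = {"boot_block": "high", "main": "high", "config": "low"}


def region_digests(image: bytes) -> Dict[str, str]:
    """SHA-256 each named region of a firmware image."""
    return {
        name: hashlib.sha256(image[off:off + length]).hexdigest()
        for name, (off, length) in REGIONS.items()
    }


# Constructed "golden" captures from which the baseline is built.
GOLDEN_V11 = b"BOOT-v1.1-000000" + b"MAIN-v1.1-" + b"\x00" * 22 + b"CFG-default-0000"
GOLDEN_V12 = b"BOOT-v1.2-000000" + b"MAIN-v1.2-" + b"\x00" * 22 + b"CFG-default-0000"

# Baseline manifest: version -> per-region digests of the trusted capture.
BASELINE: Dict[str, Dict[str, str]] = {
    "1.1": region_digests(GOLDEN_V11),
    "1.2": region_digests(GOLDEN_V12),
}


@dataclass
class Finding:
    severity: str
    message: str


def verify_device(image: bytes, reported_version: str) -> List[Finding]:
    """Compare a captured image against the baseline for the reported version.

    Returns an empty list when the image matches the baseline exactly.
    """
    findings: List[Finding] = []
    measured = region_digests(image)

    # 1. The reported version must exist in the baseline at all.
    expected = BASELINE.get(reported_version)
    if expected is None:
        findings.append(Finding("high", f"reported version {reported_version!r} not in baseline"))
        return findings

    # 2. Each measured region is checked against the baseline for that version.
    for name, digest in measured.items():
        if digest != expected[name]:
            findings.append(Finding(
                REGION_SEVERITY[name],
                f"region {name!r} differs from baseline for version {reported_version}",
            ))

    # 3. If the image exactly matches a *different* known version, the device's
    #    self-report is wrong, which is itself a strong signal.
    for version, digests in BASELINE.items():
        if version != reported_version and digests == measured:
            findings.append(Finding(
                "critical",
                f"image matches baseline {version}, not reported version {reported_version}",
            ))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Collapse a list of findings to a single triage level."""
    order = ["clean", "low", "high", "critical"]
    return max((f.severity for f in findings), key=order.index, default="clean")


if __name__ == "__main__":
    tampered = b"BOOT-v1.2-EVIL00" + GOLDEN_V12[16:]   # constructed boot-block change
    for f in verify_device(tampered, "1.2"):
        print(f.severity, f.message)
```

In practice the image would come from an out-of-band capture (a flash dump or a platform's measurement log) rather than from the firmware's own reporting interface, and the baseline would be keyed by model and vendor as well as version; the structure of the check stays the same.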

The prospect of securing the supply chain is a daunting one, but it doesn’t have to be done alone. Organizations can address a significant source of risk by validating the firmware supply chain with an independent solution, and augmenting current processes to consistently act on risk information from these deeper levels of every device, even across manufacturers. For example, the NCCoE Supply Chain Assurance Project aims to provide direction on how organizations can verify that the computing devices and their components have not been modified. Given the criticality of supply chain risk and ongoing focus by adversaries, the adoption and use of such a solution should be an immediate priority.


John Loucaides

John Loucaides is Vice President Federal at firmware security company Eclypsium. John has extensive history in hardware and firmware threats from experience at Intel and the United States government. At Intel he served as the Director of Advanced Threat Research, Platform Armoring and Resiliency, PSIRT, and was a CHIPSEC maintainer. Prior to this, he was Technical Team Lead for Specialized Platforms for the federal government.
