Firmware: Beyond Securing the Software Stack

Picture a house equipped with state-of-the-art alarm systems, sensors, locks and cameras. From the outside, the house might seem reasonably protected against potential intruders. However, if a savvy thief managed to infiltrate the residence through its crawl space, the very foundation of the house might be putting the overall security of the home at risk.

Firmware can be seen as the crawl space of a metaphorical software “house.” Over the past few decades, the security industry has gotten pretty good at securing software with features such as stack canaries, ASLR and DEP. Firmware, however, is an important security vector that is often overlooked by otherwise well-intentioned IT professionals. While they’re focused on setting up the gadgets and gizmos to defend against potential intruders, they might be neglecting to protect the foundation.

As firmware attacks continue to escalate, security administrators must think beyond securing the stack when it comes to strengthening their company’s cybersecurity posture. To do so, organizations have to assess their environments, be vigilant about updating their increasingly complex devices and commit to working together. Firmware may be an ideal entry point for threat actors—but the good news is that there are accessible, intuitive ways to improve firmware security defenses.

Know What You’re up Against

The first step toward achieving better firmware security is awareness; gaining a practical and specific understanding of your organization’s overall security infrastructure. Building thorough threat models is an important step to specify a company’s assets, attacker model, attack vectors and mitigations. This creates a systematic map that can reveal underlying vulnerabilities at the firmware level that may have otherwise fallen through the cracks, creating opportunities for attackers to gain access to your organization’s assets.

Knowing what firmware is running on your devices is important, but it’s not always straightforward or possible for all embedded platform subcomponents. Checking that your platform’s configuration doesn’t lead to known security issues is also very important. To do this, IT professionals can use open source tools such as CHIPSEC that automatically detect known platform security misconfigurations that may widen the attack surface for attackers. There are known real-world examples of unified extensible firmware interface (UEFI) ransomware that scans the system for serial peripheral interface (SPI) vulnerabilities in order to gain persistence, such as TrickBot, increasing the need for awareness and visibility into platform misconfigurations.

Knowing just how important your firmware foundation is in safeguarding your assets is a fundamental step to shore up your firmware defenses.

Update, Update, Update

Though it may be tempting to delay installing updates, which can understandably be time-consuming and fear-inducing, failing to do so can mean the difference between avoiding a cyberattack and becoming the victim of one.

The need to keep our devices updated has increased both as attackers have become more skilled in the lower levels of the stack and with the increase in quantity and diversity of smart devices that now exist, especially as remote work has broadened the attack surface for companies whose employees now share sensitive data across different networks. It’s not just servers, desktops, laptops and phones that need updating, but also IoT devices connected to the same networks that range from smart coffee makers to personal printers, smart fridges, crockpots and smart vacuums. For companies that store their intellectual property (IP) on a diverse range of devices, regular updates help ensure that your assets have the most up-to-date security available against attackers whose control over intangible assets could be catastrophic.

By paying due diligence to firmware updates, security teams can reduce security risk and ultimately avoid paying the more serious—and far more costly—price of suffering a data breach.

Collaborate with the Competition

In all matters of security, industry-wide collaboration is key to preventing attacks—and firmware security is no exception. Strengthening overall firmware security takes teamwork.

Vendors, original equipment manufacturers (OEMs), researchers and consumers have a shared responsibility when it comes to improving and maintaining security at the firmware level. If everyone does their part, manufacturers will be better able to develop and distribute firmware security patches to help protect products throughout their life cycle, and ultimately safeguard companies’ assets from potential compromise. Similarly, vendors should proactively work with researchers, both through bug bounty programs and in-house research teams, to disclose and patch firmware security vulnerabilities that could create ripple effects throughout their supply chain.

In today’s increasingly interconnected world, one company’s firmware breach is another organization’s firmware risk. By working together and encouraging security transparency around breaches, security teams can strengthen the industry’s cybersecurity posture from the firmware level up.

Defending Your Security “House”

Ultimately, taking measures to strengthen firmware security is part of a holistic approach to cybersecurity that addresses the software, firmware and hardware components of a device to better defend all levels of the stack. By taking proactive steps to firm up your firmware security, IT professionals can better protect the foundation of the security system “houses” that we all trust with our privacy and sensitive information.

Avatar photo

Maggie Jauregui

Maggie Jauregui is a firmware and hardware FPGA security researcher with the programmable solutions group at Intel. Throughout her career, she has presented and delivered training presentations on firmware security topics at conferences such as DEFCON, CanSecWest, DerbyCon, NULLCON, hardwear.io, OSFC and BSidesTLV.

maggie-jauregui has 1 posts and counting.See all posts by maggie-jauregui