Rise in attacks exposes neglected firmware security
Everyone knows you need to apply software updates promptly. It's just as true of firmware, the software written into hardware devices, but the need is less appreciated. Now, a rise in attacks targeting firmware has tech leaders focusing on that neglect, as the massive shift to work from home has exposed businesses to the especially weak security in many home routers and other consumer-level gear.
Most experts agree that, left unmanaged, vulnerabilities in even newer firmware could present huge security risks for organizations. And unfortunately, little firmware is adequately managed. Software update systems are usually much more mature and automated, whereas firmware updates, at least at enterprise scale, still often require complex command-line tools to execute.
"IT leaders have been in this 'if it ain't broke, don't fix it mode' where, if it's working, they just leave it alone because there's just too much time and energy involved in updating firmware on all their devices," says Nate Warfield, chief technology officer at Prevailion and a former Microsoft security researcher.
IT leaders also perceive more risk in updating firmware as opposed to software because firmware updates can "brick" your hardware. You also need to be concerned about whether an update might change system settings back to default (which it shouldn't do).
But vulnerable firmware is a risk that outweighs those concerns. CJ Coppersmith, director of product cybersecurity and compliance at Hewlett Packard Enterprise, says, "Firmware works at the intimate interface between hardware and operating systems. If you don't do your firmware updates right, it's possible to have destructive malware running in a privileged execution domain."
Firmware under attack
That mindset has served organizations well for years, and they likely saved millions of dollars in downtime and equipment replacement costs by adhering to it. But as more machines in enterprise organizations have become connected, that's been steadily changing.
Hackers, who typically target paths of least resistance into corporate networks, have figured out that organizations are neglecting firmware security, according to a global Microsoft survey. As such, the study found firmware attacks are skyrocketing with more than 80 percent of firms experiencing such incidents in the past two years. This trend is now in full force, with Gartner warning that 70 percent of organizations that lack firmware upgrade plans will be breached due to a firmware vulnerability by 2022.
Alex Bazhaniuk, co-founder and CTO at Eclypsium, a firmware security company that discovered BIOSConnect flaws affecting 30 million Dell devices earlier this year, says many of those breaches are likely to involve firmware on networking equipment, especially home routers and VPN appliances, which have experienced a "firestorm" of recent hacker activity.
While experts are pessimistic that IT leaders will do much to actively combat old or aging firmware, they say there are steps organizations can take to minimize the threat it poses.
Like so much security, it begins with an inventory. The first step is to assess what equipment might contain embedded firmware and be open to the Internet. Management tools from companies like ServiceNow, Tanium, Eclypsium and Dragos can help, but there isn't yet a single solution dedicated to consistently mapping firmware installations. So experts say IT staff will have to cobble solutions together and do their own research.
This auditing step may seem ridiculously obvious, even rudimentary. But in larger organizations, tens of thousands of pieces of firmware can exist. Just one laptop could have 10 or more kinds of firmware. Some of this will be updatable and some will not because it resides in government-regulated machines, like medical and casino gaming equipment, which are typically locked down and controlled by vendors.
Auditing the firmware landscape allows organizations to see their actual exposure and where future problems might lie so they can prioritize ways of heading them off. Tim Lewis, CTO at Insyde Software, a firmware and engineering service provider, says his company assigns severity rankings to issues it finds. Systems that are easier to hack, or whose compromise affects confidentiality, integrity, and availability, are scored higher.
"Everything is ranked from 0 to 10," he says. "If it's 7 or above, I tell customers they better find a way to get on top of that firmware problem because it means someone could potentially walk up to their machine and do some real damage."
Successfully auditing and mapping the firmware landscape can be tricky, though. Few organizations have a grip on the growing number of connected devices or workloads accessing their networks, let alone which of them have vulnerable firmware. Complicating matters, if a company is in acquisition mode, it usually inherits its target's technical debt.
"They're usually given this pile of stuff that may or may not be very well documented," says Warfield. "Some of it may have firmware that's 10, 15, or 20 years old. And they're often at the mercy of vendors who may have discontinued the equipment or aren't even offering patches for it anymore. That's why the more you understand what you have and your exposure, the better off you'll be for addressing it."
John Pescatore, director of emerging security trends at SANS Institute, agrees. "If you can patch it, you patch it," he says. "If you can't, then you want to segment or shield it. This makes it harder for the bad guys to get to your equipment. And if they do get to it, it makes it harder for them to get to everything else."
One approach for segmenting machinery that's gaining steam is to embrace a zero trust model. This framework ensures that no person or object can access a network without one-time identity and access approval. The idea is to ensure that anyone or anything trying to get in is who they say they are. If they do successfully penetrate a network, they still have limited rights to poke around in it.
Vendors and standards are part of the solution
A complementary approach is to begin investing in equipment built to protect firmware directly. Hewlett Packard Enterprise, for example, is building infrastructure trust services into its servers. A silicon root of trust measures and authenticates the firmware, millions of lines of executed code, before a server boots an operating system. Included in several server models, it can be set to check firmware validity every 24 hours. HPE's Integrated Lights Out (iLO) functionality also works with the silicon root of trust to continuously ensure these files remain in good working order while tracking any changes that could suggest an attack is underway. If that is the case, iLO immediately isolates the malware and restores the infrastructure to its last known good state.
There are also two relevant industry standards. The first is NIST SP 800-147B, which describes secure BIOS and firmware update procedures and policies and specifies the use of a hardware root of trust. The second is NIST SP 800-193, which defines a protect, detect, and recover scheme for critical firmware. Coppersmith says that "by understanding and implementing these standards, through the use of products that support them, you can protect against modifications to the firmware but detect any changes that happen in spite of the protections—and recover from them by replacing the suspect image with a known good image."
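The protect, detect, and recover cycle described above, reduced to its core logic as an added example (not HPE's, NIST's, or any vendor's code): firmware images are measured by digest, compared against a manifest of known-good measurements, and restored from golden copies on mismatch. The images, component names, and manifest are constructed for illustration, and the allowlist of approved digests stands in for the vendor signature verification that SP 800-147B actually requires.

```python
import hashlib

# Constructed sample: three firmware components with their known-good images.
GOLDEN_IMAGES = {
    "bios": b"BIOS v2.10 known-good image (constructed)",
    "bmc": b"BMC v1.47 known-good image (constructed)",
    "nic": b"NIC v4.03 known-good image (constructed)",
}


def measure(image: bytes) -> str:
    """Measurement of an image: its SHA-256 digest, as a root of trust would record it."""
    return hashlib.sha256(image).hexdigest()


# Manifest of approved measurements. Assumption: in a real deployment this list is
# vendor-signed and held by the hardware root of trust; here it is a plain dict.
MANIFEST = {name: measure(img) for name, img in GOLDEN_IMAGES.items()}


def protect_update(name: str, candidate: bytes, approved: dict) -> bool:
    """Protect: accept an update only if its measurement is on the approved list."""
    return approved.get(name) == measure(candidate)


def detect(installed: dict, manifest: dict) -> list:
    """Detect: return components whose installed image does not match the manifest.

    A component missing from the manifest is reported too, since it has no
    known-good measurement to validate against.
    """
    return sorted(n for n, img in installed.items() if measure(img) != manifest.get(n))


def recover(installed: dict, golden: dict, tampered: list) -> list:
    """Recover: replace each tampered image with its known-good copy; returns what was restored."""
    restored = [n for n in tampered if n in golden]
    for n in restored:
        installed[n] = golden[n]
    return restored


def check_cycle(installed: dict) -> tuple:
    """One detect-and-recover pass; returns (tampered before, tampered after)."""
    tampered = detect(installed, MANIFEST)
    recover(installed, GOLDEN_IMAGES, tampered)
    return tampered, detect(installed, MANIFEST)
```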
Pescatore recommends that organizations put more pressure on vendors to innovate along these lines. "Organizations need to consider firmware security as part of their procurement processes," he says. "They need to start having firmware security requirements in their evaluation processes for choosing vendors, or they need to start saying, 'We will not buy your product unless it has some way to support updating firmware.' Even better, they could say, 'We will only buy products that have been security tested by the vendor.'"
Experts acknowledge that none of these steps to securing firmware will come naturally. Organizations have ignored the problem for so long they are ill-equipped to address the problem as quickly as they might like. And that ever-present fear of bricking critical equipment continues to haunt them. But with firmware attacks on the rise, they say time is running out and approaches have to change.
"There is no choice at this point," says Warfield. "It's not pleasant. It's not fun. But organizations must understand the need to do this. The downtime and damage that could ensue from someone maliciously turning off your network far outweighs the labor and downtime involved in patching firmware."
He adds, "Look at it this way: You can take the risk of bricking your devices with updates or you can wait for someone to come along and brick it for you."
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.