If you're reading this, you're probably already aware of the importance of keeping your devices' software up to date and securely configured. But do you treat your firmware in the same way?
Have you ever asked yourself what would happen if the firmware on any of your devices was compromised? Would you even know if your smartphone or tablet’s firmware had been hacked?
We are planning a thorough investigation of how best to securely manage and configure firmware. This blog post outlines the thinking behind the project.
BIG OR SMALL
Whether we're talking to individuals, small companies or large enterprises, it's not uncommon to hear that firmware has never been updated. This may vary depending on the types of devices owned or managed, but the fact remains: firmware is often overlooked. It shouldn’t be.
Firmware is the link between the physical components which make up your device and the software which it runs. The first line of code your device runs when it’s powered-up is firmware.
This low level program is primarily responsible for platform initialisation, including the configuration of peripheral devices, setting up memory, initialising processors and ultimately, handing off to the boot manager, which launches the operating system.
There are many types of firmware, some better known that others. You may have heard of BIOS (Basic Input/output System) - the firmware which traditionally ran on PCs. It was generally proprietary, non-standard and rarely, if ever, updated.
In recent years, however, the Unified Extensible Firmware Interface (UEFI) standards have become, well... the standard. These have led to a common set of open source specifications and frameworks for firmware developers and equipment manufacturers.
So, while there are plenty of devices still using legacy BIOS today, most equipment manufacturers have transitioned to UEFI. To keep things interesting though, people tend to refer to both as just ‘BIOS’.
In either case, a poorly configured and/or poorly protected BIOS could give attackers a ‘game over’ level of access to your devices. Even just a tiny modification of the BIOS by an attacker could render a device useless. The CIH or Chernobyl virus in the late 1990s implemented such an attack, overwriting critical boot code. Some put the cost of that virus alone in excess of $1billion.
Beyond CIH-style denial-of-service attacks, successful modification of the BIOS could enable an attacker to establish a long term presence on your system, operating with almost unrestricted access. To make matters worse, malware running at the BIOS level would probably be very difficult to detect.
In reality, to work at the firmware level, malware needs to be highly targeted - often it’ll need to be aimed at a specific device or component type. This may be why we’ve seen so few BIOS rootkits at large on the Internet. One of the earliest, Mebromi, was initially reported in 2011.
However, as security protections on higher-level system components - like the operating system - get better, firmware attacks become more attractive. This is particularly true for high-value targets, where the investment of resources required would be more than matched by the payout from a successful attack.
There are numerous proof-of-concept samples doing the rounds online. These have demonstrated the bypassing of signed firmware updates and secure boot, not to mention the use of malicious code running on a peripheral interfaces to infect a BIOS.
PUTTING IT MILDLY
It’s ironic that the device I use to analyse my golf swing automatically updates its firmware, while my much more advanced laptop requires me to manually discover, download and install any updates. This is not ideal!
Managing firmware is still, in many cases, far too manual. Add to this the fear that many firmware updates are unreliable, and you have a situation where firmware is frequently years out of date.
All this and we haven’t even mentioned the need to ensure the integrity of the firmware itself and to verify that it implements the necessary security protections. These are all key to trusting that a platform is secure.
UPCOMING RESEARCH AND GUIDANCE
The NCSC is very interested in helping improve firmware security. Over the next few months, we'll be researching various ways of configuring and managing firmware, publishing our findings as guidance.
We'll be blogging about our findings along the way too. In the meantime, it's probably worth having a think about firmware security in your own organisation, in your living room and home office too. Maybe it's about time to apply those updates.
If there are some aspects of managing firmware security you'd like us to cover, mention them in the comments below.