GRC Viewpoint

Why Firmware Attacks Are a Top Security Threat

When someone starts up their computer at the beginning of the day, what boots first? Firmware. That makes firmware the foundation for system security.

It also means a successful attack on firmware is no run-of-the-mill security threat. When someone hacks firmware, they have gained access at a point when no virus scanner or OS tool can detect or remediate what’s happening. When hackers successfully attack firmware, they gain a strong foothold on the computer’s entire system. 

Most users – whether individuals or enterprises – are oblivious to the threat. Microsoft’s March 2021 Security Signals report found a staggering 80% of enterprises had suffered at least one firmware attack in the previous two years. In the report, business leaders noted they find it difficult to detect threats, and firmware vulnerabilities are exacerbated by a lack of awareness. 

But these security threats are as serious as they are numerous. Crashing the system is the most obvious possibility. But a threat actor also could destroy hardware, rendering infrastructure inoperable, or perform a delayed attack to collect information about the system.

The bottom line: firmware attacks must be considered a top security threat to a system. Earlier this year, the U.S. Department of Commerce warned firmware represents “a large and ever-expanding attack surface” that is subject to attacks that could cripple the supply chain. 

Impact of Industry Behavior 

Part of the reason firmware attacks have become such a threat is the firmware industry’s behavior over the past 10 years. Customers said they wanted standardization, and the industry happily complied. But the more standardization progressed, the easier it became to hack firmware. Attacks that were once highly targeted events morphed into attacks that could hit a wide range of systems. 

Another significant contributor to the threat of firmware attacks is a failure or unwillingness of customers to update their firmware as recommended by their providers. Many customers only update firmware once in its lifetime. Why? Some say they’re concerned their systems might not survive the firmware update. They can’t afford the downtime that might result. 

Most of the time, IT departments don’t think about firmware at all unless there is a problem. Thus, firmware security is even less of a priority. Think of it as a five-story building with a basement. Until there’s an issue with the water, electrical, or HVAC system, no one ever travels down to the basement.

It’s the same way with systems. People think about protecting their OS and application software and pay less attention to firmware, which is the foundational level of the system. Until the system isn’t booting properly or a hard drive isn’t working, it’s easy to assume everything is okay. Complacency regarding firmware security must be viewed as a danger to an organization.  

In any known attack over the past five to six years, hackers have cleverly hidden their tracks. Hackers are able to get into a vulnerable system unnoticed, with the intention of coordinating a wider attack. Often, the highest-value attack is going after the customers of another organization, using the hacked system as a starting point.

Knowing that firmware attacks are on the rise, there are steps that most companies can take to protect their systems: 

  1. Understand the purpose of firmware and what firmware is on the systems used. 
  2. Look for products that provide platform root of trust, which is the foundation on which secure operations of a computing system depend.  
  3. Make sure firmware has been validated. 
  4. Understand what mechanism protects the system if firmware is corrupted. 
  5. Understand how the firmware can be restored and recovered. 
  6. Have enhanced IT policies in place, such as the practice of regularly updating firmware.

An increase in firmware attacks is not cause for concern among organizations that take reasonable precautions to protect their systems. Resources are available through your technology vendors to ensure systems are kept up to date. 

By Brian Mullen, Senior Manager, Global Security Software Group, AMI
