What are firmware attacks? And why are they growing?
Firmware attacks are on the rise, a new Microsoft report suggests — but businesses aren’t paying enough attention to combat them effectively. “80% of enterprises have experienced at least one firmware attack in the past two years” the Microsoft Security Team states in a blog post, “but only 29% of security budgets are allocated to protect firmware.”
This feels like more bad news for the cybersecurity world. With constant news of new strains of ransomware, and geopolitical cyberthreats capable of disrupting entire chinks of the economy and sowing a culture of distrust, the fact that there’s now one more thing we need to pay attention to will only add to the feeling of persistent pressure.
However, we shouldn’t be despondent: this could well mark an important shift in perspectives, encouraging us all to focus on a critical but often overlooked part of our technology infrastructure. And, in turn, this could provide a more robust foundation for many other aspects of cybersecurity.
But there are undoubtedly a few questions here: the first, for many, will be exactly what firmware is. The fact that the word isn’t immediately understood perhaps explains why it’s an area that has been under-addressed from a security perspective.
But beyond that, why are firmware attacks growing? And what can we do about it?
What is firmware?
Let’s start with the basics: many readers may already know this, but for those that don’t, firmware is a kind of program that gives you access to a devices hardware. In other words, it typically sits somewhere in between the operating system and the hardware itself — something that effectively bridges those two critical parts of just about every modern technology to work.
In very simple devices the firmware actually is the operating system. If all that a user needs is a way to interact with the specifics of the hardware, then firmware is sufficient.
The most banal examples of firmware are the most obvious. And they’re typically best demonstrated by some relatively old fashioned items and action, such as setting your washing machine or dishwasher and changing the volume or input source on your television.
However, you’ll find firmware in just about every piece of technology you use — it’s just not something you’ll think about or notice. Indeed, it’s worth pointing out that this isn’t just the fault of users: technology is specifically designed that way, often to tightly control the way a given product can be used protect IP. “Many devices in the market today don’t offer visibility into that layer to ensure that attackers haven’t compromised a device prior to the boot process or at runtime below the kernel. And attackers have noticed.”
Why are these attacks happening now?
The fact that we rarely pay attention to firmware is arguably one of the main reasons that firmware attacks are on the rise. This isn’t anecdotal, it’s evidenced in Microsoft’s report: “even with this onslaught of firmware attacks, the study shows that SDMs [senior decision makers] believe software is three times as likely to pose a security threat versus firmware.”
Microsoft’s argument is that this attitude is perilous. Firmware contains sensitive information that lies at the core of security, such as encryption, making it a particularly valuable target for attackers.
Moreover, one trend not mentioned in the blog post is the growth of embedded systems and IoT. We can see this in the rise of a certain type of consumer product (think FitBits and Apple Watches) but the real boom is happening in industrial settings. As machinery becomes increasingly more connected and network enabled, accessing firmware could grow even further in value, as it could potentially give cybercriminals — or cyberterrorists — access to vital infrastructure.
How are attacks happening?
There are a number of ways firmware attacks are occurring. Primarily it is done either by attacking the kernel (the core part of the operating system, that as part of its role, communicates with hardware/firmware via extensions or drivers), or by carrying out a physical attack on the hardware itself. Examples of this are the T2 vulnerability in MacOS machines and the ThunderSpy attack.
What can be done about it?
Unsurprisingly, Microsoft’s findings are tied to its own products. The company writes that has developed “a new class of devices specifically designed to eliminate threats aimed at firmware called Secured-core PCs.” These have, Microsoft claims, “Zero Trust built in from the ground up.” Clearly, Microsoft is pitching itself as the solution.
However, while we should be sceptical about this sort of product placement, this doesn’t mean Microsoft’s thinking and suggestions are bad or, indeed, wrong. The fact that so many cybersecurity teams are doing things manually that could be automated (82%) does require serious thinking.
“Security teams are too focused on outdated “protect and detect” models of security and are not spending enough time on strategic work — only 39% of security teams’ time is spent on prevention and they don’t see that changing in the next two years. The lack of proactive defense investment in kernel attack vectors is an example of this outdated model.”
Tackling this issue would remove the barriers to deeper level work on strategic work that can have a more sustained impact on security in preventing attacks.
Moreover, while there are certainly things that can be done inside security teams — like greater automation — it’s nevertheless important to recognise that we’re living in a world where the challenges are so complex — and global in nature — that they will need to be driven by organizations like Microsoft working with hardware manufacturers.
We need to invest time and effort to make real change
This intervention by Microsoft is to be welcomed. Anything that sharpens the industry’s attention and encourages practitioners to adopt a more proactive approach to the way they work is invaluable. It’s important, however, that we don’t fall back into the comfort of seeing a couple of new products as a solution to this intriguing challenge. Let’s take it seriously, and let’s give it the time and investment it deserves.
