DHS, Department of Commerce get it right: Firmware security is “overlooked,” — and a genuine cybersecurity risk

A new report on ICT supply chains helps frame the ongoing threats to the essential code in embedded devices.

DHS, Department of Commerce get it right: Firmware security is “overlooked,” — and a genuine cybersecurity risk

A new report on ICT supply chains helps frame the ongoing threats to the essential code in embedded devices.

DHS, Department of Commerce get it right: Firmware security is “overlooked,” — and a genuine cybersecurity risk

A new report on ICT supply chains helps frame the ongoing threats to the essential code in embedded devices.

Sometimes you have to dig into the data to find the takeaway that matters most to you.

 

Information and communications technology (ICT) is the broad concern of a February 2022 report issued jointly by the Department of Homeland Security and the Department of Commerce. It is part of a response to a 2021 Executive Order that called for analysis of supply chain cybersecurity frameworks, and has relevant findings for just about every segment of the private or public sector that depends on the equipment that keeps our complex and interconnected systems working, not just in information technology but many industrial and OT systems as well.

 

But what RBS finds most welcome is a clear assessment, starting on page 40 of this 83-page report, about the ongoing vulnerability of firmware, and why this security weakness requires immediate attention:

 

“Firmware presents a large and ever-expanding attack surface, as the population of electronic devices grows. Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale. Over the past few years, hackers have increasingly targeted firmware to launch devastating attacks.”

 

That’s three declarative findings (we agree with each), and they’re all worth unpacking:

“An ever-expanding firmware attack surface”

In one sense, this is simple math. As anyone familiar with the term “Internet of Things” knows, we’ve connected billions of devices in recent years and can expect to connect billions more in the next couple of decades (consult your preferred industry analyst for hard numbers, but it’s reasonable to infer that the gross total is well into ten figures). Most of these devices will depend on firmware that is written specifically to enable a particular functionality, whether the device is relatively simple (such as a sensor with a single input) or complex (e.g., a SCADA system). More devices mean developers are writing more firmware, and creating a broader attack surface.

 

But there is another dimension to the problem. Writing firmware is challenging: It demands a broad and unusual skill set, a sophisticated approach to problem solving, and at least some knowledge of hardware and device functionality. It’s also harder for developers to depend on libraries and packages for writing support, since these tools are often older and of an unknown security posture (as shown with recent supply chain issues, such as the Apache log4j vulnerability).

 

Simply put, writing firmware requires a knack as much as rigorous training. So the talent pool is not as deep as it needs to be, even as the demand for well-designed firmware is high.

 

The means we’re at risk of creating a great deal of poorly designed firmware in the coming years; we could be creating attack surface and a potential botnet with every device that runs on firmware that contains an excessive number of exploitable vulnerabilities.

 

What’s more, those vulnerabilities may persist due to an irregular, sometimes confusing, and potentially unsafe firmware updating process. The report notes that when firmware is not cryptographically signed and secure, “firmware could be rewritten without needing any verification from the user.” This has been confirmed by many research projects RBS has undertaken for public and private sector interests. 

“A single point of failure in devices”

The report correctly notes that a firmware-level intrusion can be extremely difficult to spot, and once achieved, an attacker can use firmware’s position between device hardware and higher-level software to move laterally or upwards. “Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage. Firmware can also be a lucrative target with a relatively low cost of attack.”

 

Succinctly, attackers who compromise devices at the firmware level likely have eluded the perimeter and network defenses that are designed to respond to anomalous activity at higher levels of the technology stack. Communications between devices are typically not well-monitored, meaning an attacker could send malicious commands from one device to others in its network.

 

How could firmware attacks make money? A device could be rendered inoperable or resistant to reset commands, which could have severe consequences if it supports a system that delivers an essential service or preserves safety. Alternately, should an attacker manage to compromise more devices than an end user or OEM can replace in a timely fashion, the attack’s effects could persist until supply chains can be built up.

 

The upshot: A ransomware attack on device firmware could be just as plausible a money maker as an attack on an IT server holding essential company data.

“Attackers have increasingly targeted firmware”

A 2021 Microsoft study cited by the report states that 83% of responding enterprises reported at least one incident of firmware compromise in the two years. That study does not specify where in the enterprise these compromises occurred, but we can assume that most operated on the IT level, since attacks of this nature have not been detected (or reported) at the embedded device level. 

 

But it doesn’t require an indefensible jump in logic to perceive the firmware threat extends to embedded devices. Given the feasibility of a successful exploit, the complexity of  firmware development and updates, and the undeniable financial incentive, there is every reason to expect an increase in attacks on the embedded device level. Given that these devices sit in close proximity to or support physical processes, it’s also reasonable to anticipate that some of these attacks could indeed be “devastating.”

Red Balloon’s solution contribution: On-device detection and protection

Reports are just a start. The insecurity of firmware is a problem that requires action from OEMs, end users, regulators, industry leaders — and security providers.

 

For more than 10 years, Red Balloon’s research and development team has been working on attack surface reduction, runtime protection and event monitoring solutions for embedded devices. We are the industry leader at building firmware protections into devices and turning the reactive patching game into a proactive, always-on defense.

 

We encourage you to reach out to one of our experts about a solution that defends your most critical devices from within.

Sometimes you have to dig into the data to find the takeaway that matters most to you.

 

Information and communications technology (ICT) is the broad concern of a February 2022 report issued jointly by the Department of Homeland Security and the Department of Commerce. It is part of a response to a 2021 Executive Order that called for analysis of supply chain cybersecurity frameworks, and has relevant findings for just about every segment of the private or public sector that depends on the equipment that keeps our complex and interconnected systems working, not just in information technology but many industrial and OT systems as well.

 

But what RBS finds most welcome is a clear assessment, starting on page 40 of this 83-page report, about the ongoing vulnerability of firmware, and why this security weakness requires immediate attention:

 

“Firmware presents a large and ever-expanding attack surface, as the population of electronic devices grows. Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale. Over the past few years, hackers have increasingly targeted firmware to launch devastating attacks.”

 

That’s three declarative findings (we agree with each), and they’re all worth unpacking:

“An ever-expanding firmware attack surface”

In one sense, this is simple math. As anyone familiar with the term “Internet of Things” knows, we’ve connected billions of devices in recent years and can expect to connect billions more in the next couple of decades (consult your preferred industry analyst for hard numbers, but it’s reasonable to infer that the gross total is well into ten figures). Most of these devices will depend on firmware that is written specifically to enable a particular functionality, whether the device is relatively simple (such as a sensor with a single input) or complex (e.g., a SCADA system). More devices mean developers are writing more firmware, and creating a broader attack surface.

 

But there is another dimension to the problem. Writing firmware is challenging: It demands a broad and unusual skill set, a sophisticated approach to problem solving, and at least some knowledge of hardware and device functionality. It’s also harder for developers to depend on libraries and packages for writing support, since these tools are often older and of an unknown security posture (as shown with recent supply chain issues, such as the Apache log4j vulnerability).

 

Simply put, writing firmware requires a knack as much as rigorous training. So the talent pool is not as deep as it needs to be, even as the demand for well-designed firmware is high.

 

The means we’re at risk of creating a great deal of poorly designed firmware in the coming years; we could be creating attack surface and a potential botnet with every device that runs on firmware that contains an excessive number of exploitable vulnerabilities.

 

What’s more, those vulnerabilities may persist due to an irregular, sometimes confusing, and potentially unsafe firmware updating process. The report notes that when firmware is not cryptographically signed and secure, “firmware could be rewritten without needing any verification from the user.” This has been confirmed by many research projects RBS has undertaken for public and private sector interests. 

“A single point of failure in devices”

The report correctly notes that a firmware-level intrusion can be extremely difficult to spot, and once achieved, an attacker can use firmware’s position between device hardware and higher-level software to move laterally or upwards. “Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage. Firmware can also be a lucrative target with a relatively low cost of attack.”

 

Succinctly, attackers who compromise devices at the firmware level likely have eluded the perimeter and network defenses that are designed to respond to anomalous activity at higher levels of the technology stack. Communications between devices are typically not well-monitored, meaning an attacker could send malicious commands from one device to others in its network.

 

How could firmware attacks make money? A device could be rendered inoperable or resistant to reset commands, which could have severe consequences if it supports a system that delivers an essential service or preserves safety. Alternately, should an attacker manage to compromise more devices than an end user or OEM can replace in a timely fashion, the attack’s effects could persist until supply chains can be built up.

 

The upshot: A ransomware attack on device firmware could be just as plausible a money maker as an attack on an IT server holding essential company data.

“Attackers have increasingly targeted firmware”

A 2021 Microsoft study cited by the report states that 83% of responding enterprises reported at least one incident of firmware compromise in the two years. That study does not specify where in the enterprise these compromises occurred, but we can assume that most operated on the IT level, since attacks of this nature have not been detected (or reported) at the embedded device level. 

 

But it doesn’t require an indefensible jump in logic to perceive the firmware threat extends to embedded devices. Given the feasibility of a successful exploit, the complexity of  firmware development and updates, and the undeniable financial incentive, there is every reason to expect an increase in attacks on the embedded device level. Given that these devices sit in close proximity to or support physical processes, it’s also reasonable to anticipate that some of these attacks could indeed be “devastating.”

Red Balloon’s solution contribution: On-device detection and protection

Reports are just a start. The insecurity of firmware is a problem that requires action from OEMs, end users, regulators, industry leaders — and security providers.

 

For more than 10 years, Red Balloon’s research and development team has been working on attack surface reduction, runtime protection and event monitoring solutions for embedded devices. We are the industry leader at building firmware protections into devices and turning the reactive patching game into a proactive, always-on defense.

 

We encourage you to reach out to one of our experts about a solution that defends your most critical devices from within.

Sometimes you have to dig into the data to find the takeaway that matters most to you.

 

Information and communications technology (ICT) is the broad concern of a February 2022 report issued jointly by the Department of Homeland Security and the Department of Commerce. It is part of a response to a 2021 Executive Order that called for analysis of supply chain cybersecurity frameworks, and has relevant findings for just about every segment of the private or public sector that depends on the equipment that keeps our complex and interconnected systems working, not just in information technology but many industrial and OT systems as well.

 

But what RBS finds most welcome is a clear assessment, starting on page 40 of this 83-page report, about the ongoing vulnerability of firmware, and why this security weakness requires immediate attention:

 

“Firmware presents a large and ever-expanding attack surface, as the population of electronic devices grows. Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale. Over the past few years, hackers have increasingly targeted firmware to launch devastating attacks.”

 

That’s three declarative findings (we agree with each), and they’re all worth unpacking:

“An ever-expanding firmware attack surface”

In one sense, this is simple math. As anyone familiar with the term “Internet of Things” knows, we’ve connected billions of devices in recent years and can expect to connect billions more in the next couple of decades (consult your preferred industry analyst for hard numbers, but it’s reasonable to infer that the gross total is well into ten figures). Most of these devices will depend on firmware that is written specifically to enable a particular functionality, whether the device is relatively simple (such as a sensor with a single input) or complex (e.g., a SCADA system). More devices mean developers are writing more firmware, and creating a broader attack surface.

 

But there is another dimension to the problem. Writing firmware is challenging: It demands a broad and unusual skill set, a sophisticated approach to problem solving, and at least some knowledge of hardware and device functionality. It’s also harder for developers to depend on libraries and packages for writing support, since these tools are often older and of an unknown security posture (as shown with recent supply chain issues, such as the Apache log4j vulnerability).

 

Simply put, writing firmware requires a knack as much as rigorous training. So the talent pool is not as deep as it needs to be, even as the demand for well-designed firmware is high.

 

The means we’re at risk of creating a great deal of poorly designed firmware in the coming years; we could be creating attack surface and a potential botnet with every device that runs on firmware that contains an excessive number of exploitable vulnerabilities.

 

What’s more, those vulnerabilities may persist due to an irregular, sometimes confusing, and potentially unsafe firmware updating process. The report notes that when firmware is not cryptographically signed and secure, “firmware could be rewritten without needing any verification from the user.” This has been confirmed by many research projects RBS has undertaken for public and private sector interests. 

“A single point of failure in devices”

The report correctly notes that a firmware-level intrusion can be extremely difficult to spot, and once achieved, an attacker can use firmware’s position between device hardware and higher-level software to move laterally or upwards. “Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage. Firmware can also be a lucrative target with a relatively low cost of attack.”

 

Succinctly, attackers who compromise devices at the firmware level likely have eluded the perimeter and network defenses that are designed to respond to anomalous activity at higher levels of the technology stack. Communications between devices are typically not well-monitored, meaning an attacker could send malicious commands from one device to others in its network.

 

How could firmware attacks make money? A device could be rendered inoperable or resistant to reset commands, which could have severe consequences if it supports a system that delivers an essential service or preserves safety. Alternately, should an attacker manage to compromise more devices than an end user or OEM can replace in a timely fashion, the attack’s effects could persist until supply chains can be built up.

 

The upshot: A ransomware attack on device firmware could be just as plausible a money maker as an attack on an IT server holding essential company data.

“Attackers have increasingly targeted firmware”

A 2021 Microsoft study cited by the report states that 83% of responding enterprises reported at least one incident of firmware compromise in the two years. That study does not specify where in the enterprise these compromises occurred, but we can assume that most operated on the IT level, since attacks of this nature have not been detected (or reported) at the embedded device level. 

 

But it doesn’t require an indefensible jump in logic to perceive the firmware threat extends to embedded devices. Given the feasibility of a successful exploit, the complexity of  firmware development and updates, and the undeniable financial incentive, there is every reason to expect an increase in attacks on the embedded device level. Given that these devices sit in close proximity to or support physical processes, it’s also reasonable to anticipate that some of these attacks could indeed be “devastating.”

Red Balloon’s solution contribution: On-device detection and protection

Reports are just a start. The insecurity of firmware is a problem that requires action from OEMs, end users, regulators, industry leaders — and security providers.

 

For more than 10 years, Red Balloon’s research and development team has been working on attack surface reduction, runtime protection and event monitoring solutions for embedded devices. We are the industry leader at building firmware protections into devices and turning the reactive patching game into a proactive, always-on defense.

 

We encourage you to reach out to one of our experts about a solution that defends your most critical devices from within.

LEVERAGE OUR EXPERTISE FOR YOUR EMBEDDED SECURITY NEEDS

Contact us now to discover more about Red Balloon Security’s range of solutions and services or to arrange a demonstration.

LEVERAGE OUR EXPERTISE FOR YOUR SECURITY NEEDS

Reach out to learn more about our embedded security offering and to schedule a demo.

LEVERAGE OUR EXPERTISE FOR YOUR SECURITY NEEDS

Reach out to learn more about our embedded security offering and to schedule a demo.

LEVERAGE OUR EXPERTISE FOR YOUR SECURITY NEEDS

Reach out to learn more about our embedded security offering and to schedule a demo.

LEVERAGE OUR EXPERTISE FOR YOUR SECURITY NEEDS

Reach out to learn more about our embedded security offering and to schedule a demo.