How to Protect & Fight Back Against Firmware Attacks by Richard LeCount

In recent years, we have seen malicious attacks increasingly targeting the lower parts of the computing stack, below the operating systems.

These threats seek to modify or input malware into a systems BIOS/UEFI firmware with the goal of retrieving sensitive information, user identities and computer privileges. When someone boots up their laptop, a firmware hacker sees an opportunity to reap unlimited data for their own ends.

In this blog, we’re going to talk about what makes firmware so dangerous, why it is so appealing to attackers and what you can do to reduce the risk.

Traditional Defence is No Match

Over the past decade, the number of firmware liabilities has increased significantly as attackers target low-hanging fruit. Mobile users and remote workers utilising public networks are especially vulnerable. 

The most troublesome factor of this increase in vulnerabilities is that attacks can bypass antivirus programmes, security protocols and threat detector systems. 

In order to defend against such a risk, businesses and individuals with access to highly-sensitive information must make the protection of endpoint PC hardware and firmware a priority alongside network and software security.

An all-round holistic approach is absolutely vital, and it will mean that a business will need to coordinate multiple hardware, software and firmware products to stand a chance of protecting themselves.

In 2019, 71% of all breaches were financially motivated, and the time it took to discover a breach took, on average, 206 days. This means that the stakes couldn’t be higher in 2020. 

Understanding the Threat

Firmware hacks infect a PC or device before it boots up. It does so by injecting malicious software into the code that controls the hardware before a system boot and during the period in which the device is in use.

Once the code has been released into the system, it can alter and corrupt the firmware, target OS components, gain access to high-level software, and a whole lot more. 

Firmware hacks can get into a device in many different ways. Malware, bootkits, and rootkits are the most common delivery methods. Infected USBs and plug-in devices and corrupted drivers, are also vectors in which viruses can infect a device. 

A perpetrator does not need to make physical contact with the device to gain access; the code can be delivered through Wi-Fi, Bluetooth or an Ethernet connection – basically, any kind of network connectivity can be a potential access point. 

Because the delivered code works deep within the system stack, firmware breaches are difficult to find. Once in place, they’re able to infect, or replace legitimate firmware updates, and can even survive OS reinstallation and complete hard drive wipes.

For businesses, in particular, hacks of this nature can potentially devastate entire organisations due to their ability to steal, change, and destroy vast amounts of data, which continues to happen as long as the hack remains undetected. 

Hardware components are accessed by firmware, which itself is used by the OS to store sensitive data, such as your device password, fingerprint, device authentication, to name but a few examples. Essentially once someone gains access to this information, they are you. This means they can not only access the business resources that you use on the device, but also any personal data you have stored on there as well. 

Why Protection is More Crucial Than Ever Before

Several trends and increasingly sophisticated issues have highlighted the necessity for stepping up our protection against the threats posed to our firmware.

Increasingly Sophisticated Variants

Firmware attacks aren’t new; they just aren’t as high on the cybersecurity agenda as the likes of ransomware, worms and trojans. They’ve existed since the 80s, but their accessibility, complexity and diversity has stepped up a notch in recent years. 

For instance, in 2018, research uncovered that LoJack anti-vehicle threat software had been hacked by a Russian cyberespionage group. The weaponised software, renamed, LoJax, injected a trojan into the startup routine of the affected devices.

Once there, a module mirrored legitimate firmware, which allowed it to mine data, brick systems and grant unauthorised access, all while resisting hard drive replacement and OS reinstallation. 

This just goes to show how dangerous firmware can really be, and how much destruction it can cause before it is found. 

Extended Reach

Firmware hacks are an increasingly important instrument in the modern hacker’s toolkit, and are available to everyone, from organised crime groups to amateur hackers. 

As cyberattacks are growing more complex, techniques that were once out of reach are now more mainstream and available; increasing the chances of an attack. 

Increased Remote Workers

These days, more and more of us unplug from the office to work from home. In fact, the number of people who work from home has grown by 140% since 2005. 

These transitional trends mean that more and more employees are working outside the protection of company firewalls and other threat safeguards. The fact is: many IT departments are very limited when it comes to assessing and securing the networks of devices that aren’t owned by the company. 

It is absolutely crucial to equip devices with more advanced security measures to safeguard the user and business resources, whether the employee is inside the office or at home. 

Increasing Costs 

The average cost of a data breach for an organisation in 2019, was $3.92 million. This figure includes both direct and indirect expenses related to the time it took to find the breach and eradicate it, as well as any regulatory fines and customer churn associated with it. 

Lack of Awareness

As we’ve already mentioned, firmware attacks don’t get the same column inches as trojans, worms and ransomware, in fact, according to ISACA only 8% of businesses claim to be ready to protect against a firmware hack. 

Safety Protocols

Although leading names in the IT industry are taking note of the threats posed by firmware attacks, such as Intel through their Hardware Shield, or Dell with the Enhanced BIOS Verification, businesses and individuals must be able to protect themselves.

Keep Software Up to Date

Software is continually morphing and evolving, which is why technology companies must pinpoint new security flaws. 

All devices must be kept up-to-date with the latest security patches to ensure that they’re protected from the latest security risks. 

Best Practice Guidelines for Operations and Development

This includes utilising only well-maintained and reputable libraries, carefully selecting open source packages, and designing systems which separate sensitive and user data. 

By analysing risk while drafting your guidelines, you can understand potential exposure levels and how they might be advantageous for firmware attackers.

Getting to the Root of the Issue

In the same way that spraying leaves won’t protect the roots of a plant from disease, protecting the foundations of firmware and hardware requires root-level protection and understanding. Users need high-performing, responsive devices that can maintain the structure of the firmware, hardware and software.

While the latest computer systems will often represent a smaller investment, when compared to an entire back-end security infrastructure, they are both crucial to the security of an organisation and should not be overlooked. Features built-in to the hardware offers an essential layer of added protection for devices used within a business and helps to safeguard identities, data and applications used within the organisation. 

Forward-thinking is the only way to stay ahead of the dangers that lurk around the corner. 

Takeaways

As with just about anything in life, it pays to stay one step ahead of the game and cybersecurity is certainly worth your time and effort.

Firmware gets much less press than other large-scale cybersecurity threats, but it’s one of the most dangerous and has the ability to cause huge problems for an organisation and individuals alike. 

About the Author:

Richard LeCount is a cybersecurity expert and the managing director of usbmakers.com, a company specialising in USBs and power banks.