U.S. Gov Issues Stark Warning, Calling Firmware Security a ‘Single Point of Failure’
U.S. government warns that firmware presents “a large and ever-expanding attack surface.”
The U.S. government, at the very highest levels, is calling attention to major weaknesses in the firmware supply chain, warning that the layer below the operating system is fertile ground for devastating hacker attacks.
A new joint draft report issued by leadership of the U.S. Department of Homeland Security (DHS) and Department of Commerce said firmware presented “a large and ever-expanding attack surface” for malicious hackers to subvert the core of modern computing.
“Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale.”
“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the two agencies said following a one-year assessment of the supply chains for critical IT infrastructure deployed in the United States.
“Firmware can also be a lucrative target with a relatively low cost of attack. Over the past few years, hackers have increasingly targeted firmware to launch devastating attacks.”
The 96-page report (PDF), published to support the Biden Executive Order on securing America’s supply chains, warned that firmware’s privileged position in the computing stack gives stealthy attackers a major advantage.
Despite its essential role in electronic devices, the agencies insisted that firmware security “has not traditionally been a high priority for manufacturers or users and is not always well protected.”
During the assessment, the agencies found that firmware on items such as network cards, Wi-Fi adapters, and USB hubs are often not properly signed with public or private keys.
“These devices have no way to verify that the operating firmware is authentic and can be trusted.”
Even worse, the agencies called special attention to the fact that OEMs and computer makers outsource firmware development to third party suppliers. “[This] introduces risks related to the lack of transparency into suppliers’ programming and cybersecurity standards.”
The government’s warning comes as threat hunters spot signs that nation-state APT actors are using UEFI firmware implants to maintain stealthy infections and survive reboots and OS reinstallations. The notorious FinSpy surveillance spyware toolkit was also fitted with a bootkit to conduct stealthy infections.
In the report, the agencies also warned of “complex supply chains” that compound the problems securing firmware deployments.
“In PC production, for example, the OEMs are typically responsible for firmware and the rest of the PC platform elements. However, many OEMs outsource firmware development to third-party suppliers where OEMs may not have visibility into their cybersecurity hygiene. Even if OEMs establish security standards, they may not be able to enforce supplier security protocols across a wide range of components and sub-suppliers,” the government agencies warned.
The report also noted that individual OEM vendors may modify the firmware based on device needs once the firmware has been delivered to the OEM. “This can lead to confusion about what party is ultimately responsible for firmware integrity and who is to supply customer updates.”
“In addition, as devices and firmware change, OEMs often contract with different firmware developers, which can lead to delays or a lack of any update when older devices require updating and the original developer is not available. All of these factors can leave firmware open to malicious attacks,” the report said.
The agencies also called attention to the pain-point of applying firmware updates. “A firmware’s update process and capability vary by device. Some devices receive regular firmware updates. Some may only receive one update over their lifetimes, while others may never receive an update.”
Even worse, the process to install firmware updates is not simple, leading to skipped patches for critical-level vulnerabilities.
“Firmware updates present a major logistical challenge for many enterprises,” the agences said. “In many instances, device firmware is never updated or may only be updated in an emergency. In addition, vendors may only supply firmware updates if driven by an incident or identified vulnerability.”