Security Risks of Firmware
As software makers start to take security more seriously, hackers are becoming more creative.
When Apple and Microsoft started doing a better job of finding and patching bugs in their operating systems more quickly, hackers started looking at other applications installed on users’ computers.
As the makers of the other software installed on computers started taking security seriously, hackers again moved on.
What is the new target? FIRMWARE!
What is firmware you say?
Is it the layer that silently runs virtually everything today.
Your car? A typical modern car has 100 or more computers, each one running firmware and many of which have been used to attack your car. Unless you drive something like a Tesla, you probably have not patched your car lately.
What about your refrigerator?
Dishwasher?
Smart speaker?
Internet modem or router?
TV?
It is amazing what has firmware in it these days.
So what are the worries?
- Firmware updates
Device makers are constantly on the lookout for bugs and often patch their devices frequently.
Some vendors, who are not security focused, DO NOT offer patches. That doesn’t mean that their devices don’t have bugs or are not vulnerable to being attacked. It just means that the vendors don’t see the revenue stream in offering patches.
Sometimes vendors are very good about patching their devices. Apple is one example of a vendor that does a good job in patching, including Apple smart speakers.
But when was the last time you received a patch for your smart TV or refrigerator? My dishwasher had to be patched last year. Apparently, ones that were not patched, on occasion, caught on fire. That is where the virtual universe meets the physical universe.
Most devices that you own (a) contain firmware, (b) have bugs and (c) are never patched from when they leave the factory to when they reach the landfill.
Worse yet, some of these bugs are security problems, like the recent Intel secure enclave bug, and are NOT POSSIBLE to patch. Apple has a similar problem with their boot ROM that can’t be patched either.
#2 Configuring firmware
Most so-called smart devices are connected to the Internet, including most cars built in the last 5 years.
On the other hand, most purchasers are not trained well enough to securely configure these devices. They don’t understand the security implications of the configuration decisions they make. Lets face it – the most popular passwords are password and 123456. That ought to tell you something.
Vendors typically configure their security features to reduce use frustration and eliminate the need for customers to call their help lines which costs the manufacturers a lot of money. One or two calls eliminates the entire profit the vendor made from selling you that thing.
How many times have we heard about misconfigured web services like Amazon or Google which led to a breach. These are services that are usually managed by professionals. If they can’t do it right, imagine what consumers do.
#3 Firmware security awareness
The firmware on all of these devices control what is called the CIA triad —
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
We’ve got to figure out a way to make sure that people understand that this is a risk that they alone are responsible for, even though the company that they bought the device from never said so.
Oh yeah. THE MANUFACTURER DOES NOT HAVE ANY LIABILITY WHEN YOU DO IT WRONG. YOU ARE ON YOUR OWN.
This article is a start in that process. Credit: Help Net Security