
Who Needs to Worry About Firmware Attacks?


Firmware attacks are not a new concept for IT security professionals. They first appeared in the late 90s, but have received increased press coverage since the recent USB firmware hack demonstrated at BlackHat 2014.

For those unfamiliar with it, firmware is simply the software used to control hardware devices. These programs are typically stored in non-volatile memory such as ROM, EEPROM and flash; nearly every electronic device today has at least one of these memory types. Hardware controller chips, routers, everything down to your keyboard and mouse are all controlled by firmware. Firmware attacks often write the malicious code to this non-volatile memory, disguising it as part of the small driver controlling a given device. Some of the attacks may even be premeditated, inserting corrupted code during a device's flashing process.

Despite the relatively light protections given to firmware, attacks on it are not seen as often as exploits targeting other sectors. First of all, it is not easy to infect firmware by modifying it; typical malicious activities like stealing PII are more easily and efficiently executed by targeting software. Firmware is often custom code running on a very small set of devices, so malware targeting operating systems like Windows, or commonly used software on Windows, is guaranteed to have a much wider hit rate than malware targeting firmware because of the much larger install base. Even when firmware is based on more popular operating systems like FreeBSD or Linux, it often runs on trimmed-down versions of the OS, which reduces the number of exploitable security holes considerably. This high level of difficulty and the limited potential hit rate mean that the ROI on firmware attacks is much lower than on attacks against software or an OS.

That said, attackers do have a distinct advantage when they target firmware. Firmware attacks are harder to detect because firmware code often runs before antivirus programs, so it is extremely difficult for antivirus solutions to notice the presence of malign code. They are also ideal for "bricking" a device, i.e. rendering it completely inoperable. Therefore, firmware attacks may be the preferred method in cyber warfare, where the purpose of the attack is to completely shut down a government's or corporation's cyber infrastructure. Such attacks were seen against Albania a few years ago, leading to USAID's launch of the Albanian Cyber-Security program to help shore up the country's defenses.

Many of you have already seen the recent demonstration of a USB drive emulating keyboard firmware and making the host device accept commands. USB malware can actually emulate the firmware of any externally connectable hardware device, as can any device connected over a USB cable (think of an Android phone or an external hard disk). Once connected, these devices can manipulate their host, easily infecting the BIOS or stealing sensitive data. The preparation for this type of attack requires a large investment of time and resources, so high-value targets such as big corporations or government entities are at greatest risk.

Given the potentially disastrous consequences of firmware attacks, non-volatile memory manufacturers and electronic device manufacturers are beginning to take precautions. Besides simple CRC, certificate or signature checks of the firmware's validity, they are also investing resources in finding better mechanisms to recognize and stop the attacks.
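The difference between those checks matters: a CRC only detects accidental corruption, because anyone who can rewrite the image can also recompute the CRC, whereas a digital signature can only be produced by the holder of the vendor's private key. The following added example (written for this post, not OPSWAT's code and not any real vendor's image format) builds a small signed firmware container with a CRC32 over the body and an Ed25519 signature over header and body, then shows that a patched image with a fixed-up CRC still passes the CRC check but fails the signature check. The container layout, the `FWIM` magic, the constant key seed and the firmware body are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Constructed image layout (an assumption for this example, not a real vendor format):
//   magic(4) | version(4, big-endian) | bodyLen(4) | crc32(4) | signature(64) | body
const (
	magic     = "FWIM"
	hdrLen    = 4 + 4 + 4 + 4
	sigLen    = ed25519.SignatureSize
	minImgLen = hdrLen + sigLen
)

// signedRegion returns the bytes the signature covers: the whole header (including the
// version, so the anti-rollback field is bound) and the body, but not the signature itself.
func signedRegion(img []byte) []byte {
	out := make([]byte, 0, len(img)-sigLen)
	out = append(out, img[:hdrLen]...)
	return append(out, img[minImgLen:]...)
}

// BuildImage packages body into the container, fills in the CRC and signs it with priv.
func BuildImage(priv ed25519.PrivateKey, version uint32, body []byte) []byte {
	img := make([]byte, minImgLen+len(body))
	copy(img[0:4], magic)
	binary.BigEndian.PutUint32(img[4:8], version)
	binary.BigEndian.PutUint32(img[8:12], uint32(len(body)))
	binary.BigEndian.PutUint32(img[12:16], crc32.ChecksumIEEE(body))
	copy(img[minImgLen:], body)
	copy(img[hdrLen:minImgLen], ed25519.Sign(priv, signedRegion(img)))
	return img
}

// parse performs the structural checks a verifier needs before trusting any header field.
func parse(img []byte) (version uint32, body []byte, err error) {
	if len(img) < minImgLen || string(img[0:4]) != magic {
		return 0, nil, fmt.Errorf("not a firmware image")
	}
	if n := binary.BigEndian.Uint32(img[8:12]); uint64(len(img)-minImgLen) != uint64(n) {
		return 0, nil, fmt.Errorf("length field does not match image size")
	}
	return binary.BigEndian.Uint32(img[4:8]), img[minImgLen:], nil
}

// VerifyCRC reports whether the body matches the stored CRC32. This catches bit errors in
// transit or storage only; an attacker who edits the body simply recomputes the CRC.
func VerifyCRC(img []byte) bool {
	_, body, err := parse(img)
	if err != nil {
		return false
	}
	return binary.BigEndian.Uint32(img[12:16]) == crc32.ChecksumIEEE(body)
}

// VerifySignature reports whether the image was signed by the key matching pub and whether
// its version is at least minVersion, so a validly signed but older image cannot be rolled back to.
func VerifySignature(pub ed25519.PublicKey, img []byte, minVersion uint32) bool {
	version, _, err := parse(img)
	if err != nil || version < minVersion {
		return false
	}
	return ed25519.Verify(pub, signedRegion(img), img[hdrLen:minImgLen])
}

// Tamper models the modification a CRC-only check misses: flip a body byte and recompute the CRC.
func Tamper(img []byte) []byte {
	t := append([]byte(nil), img...)
	if len(t) <= minImgLen {
		return t // nothing in the body to modify
	}
	t[len(t)-1] ^= 0xFF
	binary.BigEndian.PutUint32(t[12:16], crc32.ChecksumIEEE(t[minImgLen:]))
	return t
}

func main() {
	// Constructed, fixed key seed so the demo is reproducible; a real signing key lives in an HSM.
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	img := BuildImage(priv, 7, []byte("constructed firmware body"))
	bad := Tamper(img)
	fmt.Println("genuine : crc", VerifyCRC(img), "signature", VerifySignature(pub, img, 7))
	fmt.Println("tampered: crc", VerifyCRC(bad), "signature", VerifySignature(pub, bad, 7))
}
```

The verifier on the device only needs the public key, which can be burned into ROM or a fuse bank; the signing key never leaves the vendor. The `minVersion` argument is the piece vendors most often forget: without it, an attacker can "downgrade" a device to an older, properly signed image that still has a known hole.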

How can you protect against this type of attack?

Due to the nature of firmware attacks, as detailed above, individual users and smaller organizations are rarely targeted. They are far more likely to fall prey to a software attack, so some simple precautions, such as avoiding untrusted devices (including USB drives), may be sufficient protection against firmware attacks for users. Furthermore, it is always a good idea to consider only device manufacturers that have protections (such as signatures and CRC checks) in place for their firmware.

IT administrators, especially of corporations that store sensitive data, should take further steps to reduce the likelihood of firmware attacks:

  1. Upgrade all devices to the latest firmware versions.
    Firmware vendors often release updates with fixes to discovered security holes. Updating to the latest version can help ensure that as many security holes as possible are closed.
  2. Keep an eye on different antivirus solutions and use ones that provide protection against corruption of the BIOS as they become available.
    Some antivirus products already come with a keyboard guard that may help prevent external USB devices from acting as a keyboard or as another externally connected device.
  3. Do not allow the use of untrusted USB devices.
    External media devices that are found in the parking lot or received from an unknown source can contain malware and should be considered untrustworthy. Some organizations have banned the use of USB drives entirely. Alternatively, you could introduce scanning of the contents of USB drives or devices connecting to your network using an external media scanning solution. This will increase the chances of catching malware on USB drives.
  4. Be careful when charging smartphones through users' laptops or computers.
    Connecting devices, especially Android and Windows devices, to a computer can create an easy opportunity for malware to be copied. Your users should only agree to do so for people they know.
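Steps 2 and 3 both come down to the same question: does a newly plugged-in device present itself as something it should not be? The added example below (written for this post, not OPSWAT's or any product's code) shows the detection logic a small endpoint agent could run over device-enumeration lines. The "New USB device found" lines follow the wording of the Linux kernel's USB messages, but the "interface class" lines are an assumed agent format rather than kernel output, and every vendor/product ID, port and line in the sample is constructed. The policy raises an alert when a keyboard interface appears on a device that is not on an approved list, and when one device exposes both mass storage and a keyboard, which is the shape of the keyboard-emulating drive demonstrated at BlackHat 2014.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Device is what the agent has learned about the device on one USB port.
type Device struct {
	Port     string
	VidPid   string
	Storage  bool
	Keyboard bool
}

// Constructed sample lines. Port 1-1 is an approved keyboard, port 1-2 is a drive that also
// enumerates a keyboard interface, port 1-3 is a plain drive.
var SampleLines = []string{
	"usb 1-1: New USB device found, idVendor=046d, idProduct=c31c",
	"usb 1-1:1.0: interface class=03 protocol=01",
	"usb 1-2: New USB device found, idVendor=abcd, idProduct=1234",
	"usb 1-2:1.0: interface class=08",
	"usb 1-2:1.1: interface class=03 protocol=01",
	"usb 1-3: New USB device found, idVendor=0781, idProduct=5583",
	"usb 1-3:1.0: interface class=08",
}

var (
	reNew   = regexp.MustCompile(`^usb ([\d.-]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})`)
	reIface = regexp.MustCompile(`^usb ([\d.-]+):\d+\.\d+: interface class=([0-9a-f]{2})(?: protocol=([0-9a-f]{2}))?`)
)

// ParseEvents folds the lines into one record per port. An interface line seen before its
// device-found line still attaches to the port, so log ordering cannot hide an interface.
func ParseEvents(lines []string) map[string]*Device {
	devs := map[string]*Device{}
	get := func(port string) *Device {
		if d, ok := devs[port]; ok {
			return d
		}
		d := &Device{Port: port}
		devs[port] = d
		return d
	}
	for _, ln := range lines {
		ln = strings.TrimSpace(ln)
		if m := reNew.FindStringSubmatch(ln); m != nil {
			get(m[1]).VidPid = m[2] + ":" + m[3]
			continue
		}
		if m := reIface.FindStringSubmatch(ln); m != nil {
			d := get(m[1])
			switch {
			case m[2] == "08": // USB mass-storage class
				d.Storage = true
			case m[2] == "03" && m[3] == "01": // HID class, boot-protocol keyboard
				d.Keyboard = true
			}
		}
	}
	return devs
}

// Evaluate applies two rules: a keyboard must come from an approved VID:PID, and no single
// device may present both storage and a keyboard. Alerts are sorted so output is deterministic.
func Evaluate(devs map[string]*Device, approvedKeyboards map[string]bool) []string {
	var alerts []string
	for _, d := range devs {
		if d.Keyboard && !approvedKeyboards[d.VidPid] {
			alerts = append(alerts, fmt.Sprintf("%s: keyboard from unapproved device %s", d.Port, d.VidPid))
		}
		if d.Keyboard && d.Storage {
			alerts = append(alerts, fmt.Sprintf("%s: device %s exposes storage and keyboard", d.Port, d.VidPid))
		}
	}
	sort.Strings(alerts)
	return alerts
}

func main() {
	approved := map[string]bool{"046d:c31c": true} // constructed allowlist
	for _, a := range Evaluate(ParseEvents(SampleLines), approved) {
		fmt.Println("ALERT", a)
	}
}
```

Blocking is the harder half: on Linux the same rule can drive a udev rule that leaves an unapproved HID interface unbound, and on Windows device installation restrictions in Group Policy can be keyed on the same vendor/product IDs. Either way, the allowlist is what makes the keyboard guard in step 2 enforceable rather than just a pop-up.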
