Firmware Hacking: Exploring Potential Security Gaps and Vulnerabilities
Firmware is in every computing device. Therefore, every device is exposed to firmware threats and is vulnerable to firmware hacking. This risk goes well beyond the realm of smartphones and laptops. Edge compute solutions, including connected cars and medical devices, are also vulnerable to serious attacks at the firmware layer. What’s worse, the risk of firmware hacking keeps growing.
Interested in learning more about real-world firmware hacking and firmware security?
Download our eBook: Firmware Is Foundational: Security in the Age of Edge Computing
Types of Firmware Hacking
Firmware hacking tends to concentrate on a few areas of vulnerability. While the threats vary widely, they generally exploit areas where the firmware handles the device’s flash memory or its boot process. Attackers may also target runtime features like the system management mode (SMM). Or, they might attack at the supply chain level when the firmware is under development. Once the firmware is hacked, at runtime, the OS is calling on malicious code.
Compromised Flash Memory
Serial peripheral interface (SPI) flash can be used as an attack vector to compromise a device. This type of memory is nonvolatile storage that can be erased or rewritten. When a device is powered on, the chipset reads the data in SPI flash. If an attacker can gain write access to SPI flash, they can inject malware into the firmware.
There are many ways this infiltration can cause harm. One case might involve changing the pre-EFI initialization modules (PEIMs) built using the Extensible Firmware Interface (EFI) Specification. The PEIM can be reprogrammed to prevent flash updates or cause significant harm by “bricking” an entire system. Or a hacker could insert malicious drivers or disable security settings, enabling the attacker to install malicious code directly into the OS.
Modified Boot Routines
The firmware boot process may contain a related set of vulnerabilities. At boot, the security phase (SEC) gets the UEFI environment going, enough to find, validate, install and run the pre-EFI initialization (PEI) core. The SEC start-up code then passes control to the PEI core. This, in turn, allows for the PEI dispatcher to conduct early initialization of device hardware and memory. The process includes running the driver execution environment (DXE). This is a complicated processing flow, but it’s important to see how many separate elements are vulnerable to manipulation by an attacker, with just some firmware hacking. A malicious actor can potentially compromise any of these elements — disabling or taking over the device in the process.
Heightened Privilege Advantage
Firmware does not stop operating after the device has commenced running. At runtime, firmware is active, often responding to calls from the OS. For example, if an attacker can take over SMM, they have the highest level of privileged access to virtually all parts of the device and its OS. With this level of access, the attacker can do almost anything, including:
- Read all of a device’s memory or modify memory contents to expose encryption keys and other security-critical data.
- Overwrite critical system files and data held in storage, affecting the machine’s operation at runtime.
- Inject malware that can then infect or even brick machines across an entire network.
Supply Chain Vulnerabilities
Firmware hacking attacks can also occur at the supply chain level. By exploiting gaps in security attestation processes, hackers can inject malware into firmware updates that appear to be legitimate. Attacks can be mounted physically, if they have access to the machine, or remotely, over networks or over-the-air.
The complex, multifaceted and interdependent nature of firmware’s many elements makes the attack surface inviting to hackers.
However, this also makes finding ways to mitigate these risks an even bigger challenge.
Implications of Firmware Hacking
A firmware attack on a business’s or public sector organization’s platform can have severe consequences, including:
- Financial loss
- Injury or death
- Brand and reputational damage
- Regulatory penalties or fines
For instance, with the California Consumer Privacy Act (CCPA) now in effect, a firmware-based breach of personally identifiable information can be quite costly — about $2.5 billion in fines for every million records breached.
How Can You Prevent Firmware Hacking?
The best way to prevent firmware hacking is to get ahead of it by establishing a firmware risk mitigation plan. While many industry groups can support organizations with best practices and other resources, unfortunately, many teams don’t have the necessary in-house expertise or resources to establish and maintain an ongoing process. That’s why we recommend finding an outsourced partner, like Phoenix, who can manage ongoing vulnerability monitoring as well as patch development and delivery.
Interested in learning more about how you can prevent firmware hacking?
Download our eBook: Firmware Is Foundational: Security in the Age of Edge Computing