Does Putin have the better hackers? Part 4 U.S. government warns of significant weaknesses in firmware supply chain10. March 2022
Does Putin have the better hackers? Part 4
U.S. government warns of significant weaknesses in firmware supply chain
The U.S. government is drawing high-level attention to significant weaknesses in the firmware supply chain, warning that the layer below the operating system is fertile ground for devastating hacking attacks.
A new joint draft report issued by the leadership of the U.S. Department of Homeland Security (DHS) and the Department of Commerce says firmware provides “a large and ever-expanding attack surface” for malicious hackers to undermine the heart of modern computing. “Securing the firmware layer is often overlooked, but it is a single vulnerability in devices and one of the stealthiest ways an attacker can compromise devices on a large scale.”
It continues, “Attackers can undermine the visibility of operating systems and hypervisors and bypass most security systems, hiding and remaining on networks and devices for extended periods of time while conducting attack operations and causing irrevocable damage,” according to the two agencies, following a year-long assessment of critical IT infrastructure supply chains deployed in the United States.
“Firmware can also be a lucrative target with a relatively low cost of attack. In recent years, hackers have increasingly targeted firmware to launch devastating attacks.”
The 96-page report (PDF), released in support of the Biden executive order to secure U.S. supply chains, warns that firmware’s privileged position in the computer stack gives stealthy attackers a major advantage.
Despite the important role firmware plays in electronic devices, the agencies stressed that firmware security “has not traditionally been a high priority for manufacturers or users and is not always well protected.” In their assessment, they noted that firmware in devices such as network cards, Wi-Fi adapters and USB hubs is often not properly signed with public or private keys. “These devices have no way to verify that the firmware is authentic and can be trusted.
Even worse, he said, OEMs and computer manufacturers outsource firmware development to third-party vendors. “This poses risks because the vendors’ programming and cybersecurity standards are not transparent.”
The government’s warning comes at a time when threat hunters are discovering signs that sovereign APT actors are using UEFI firmware implants to maintain stealthy infections and survive operating system reboots and reinstalls. The infamous FinSpy surveillance spy toolkit has also been outfitted with a bootkit to carry out clandestine infections.
In the report, authorities also warn of “complex supply chains” that exacerbate problems in securing firmware installations.
“In PC manufacturing, for example, OEMs are typically responsible for the firmware and other elements of the PC platform. However, many OEMs outsource firmware development to third-party vendors where OEMs may not have visibility into their cybersecurity hygiene. Even if OEMs establish security standards, they may not be able to enforce supplier security protocols across a wide range of components and subcontractors,” the government agencies warned.
Supply chain security summit
The report also noted that individual OEM suppliers can change firmware depending on the requirements of the device once the firmware is delivered to the OEM. “This can lead to confusion about which party is ultimately responsible for the integrity of the firmware and who provides updates to the customer.”
“As devices and firmware change, OEMs often contract with different firmware developers, which can lead to delays or lack of updates when older devices need to be updated and the original developer is unavailable. All of these factors can leave firmware vulnerable to malicious attacks,” the report said.
The agencies also pointed to the difficulty of performing firmware updates. “The update process and capability of a firmware varies from device to device. Some devices receive regular firmware updates. Others may receive only a single update during their lifetime, while still others never receive an update.”
Even worse, the process for installing firmware updates is not straightforward, resulting in patches for critical security vulnerabilities being skipped.
“Firmware updates present a major logistical challenge for many organizations,” the agencies said. “In many cases, device firmware is never updated, or only updated in an emergency. In addition, manufacturers only provide firmware updates when prompted by an incident or identified vulnerability.”