Every electronic device contains software code that resides on its circuitry. The device will not switch on or function without it. Known as firmware, it is written onto a device’s Read Only Memory (ROM) chip, a process performed by the manufacturer. In a PC, this code is known as the Basic Input/Output System (BIOS). Like a car battery that provides the initial surge of energy to start the motor, the firmware sets up the electronic circuitry to function and receive instructions from the operating system (OS), e.g. Windows or Android and application software like Microsoft Word or SnapChat.
To understand firmware’s potential as a cybersecurity risk, consider the following phone manufacturing scenario. An American electronics company designs a smart phone that runs on the Android operation system. It contracts with a foreign manufacturer to build the device. In the process, the company sends the manufacturer software code for the device’s firmware. The manufacturer then compiles that firmware code and writes it onto the device’s ROM chip. The electronics company then receives its order of smart phones, built to order and containing the firmware they supplied. Or, so they think.
The reality is that the electronics company probably has no idea what code is actually in the final firmware. It is easy for the manufacturer to modify the firmware code before writing it onto ROM. In case after case, foreign-made phones have been shown to contain electronic back doors and unauthorized data stealing schemes, all written into the firmware. The malware placed into the firmware might be there to harvest marketing data from users. It could also be there at the behest of the foreign manufacturing countries spy services.
Steven Sprague, CEO of hardware-based security firm Rivetz and a founding member of the Trusted Computing Group, cited supply chain difficulties as the root of the firmware threat. He said, “How do I actually know that the data file that was sent to the manufacturer, saying please make this chip, is actually the chip that I got back? It’s one of the really open and interesting science problems that’s out there right now, determining that somebody hasn’t tinkered with that product in some way, shape or form and introduced a weakness. And those weaknesses can be exploited and they can be exploited globally. It hasn’t really happened yet at scale in a way that has really done a lot of damage.”
Another variant of this threat involves the manufacturing of counterfeit electronics, as Jason McNew explained. “Look at Cisco. Cisco has a massive problem with China counterfeiting their gear. And in some cases, Cisco themselves have had difficulty differentiating between the fake gear and the real gear, it’s that good.” And, as McNew pointed out, this is the same type of gear that used in American classified networks.
With malware on board, our smartphones, smart thermostats, in-home shopping listening devices, cars and PCs could eavesdrop on us and transmit our private information without detection. This might seem paranoid to suspect, but remember that hackers exported thousands of emails out of Sony Pictures without anyone even noticing.
Malware in firmware is extremely difficult to detect. For most electronics manufacturers, if the device works, that’s good enough. Despite the availability of tools to check for security problems in firmware, the threat is mostly ignored. Some firms, like Hewlett Packard Enterprise, take the issue seriously and have decided to secure their processor chip supply chains to ensure hardware security.