Getting Serious about the Firmware Threat

Working in cyber security makes you paranoid. It’s an occupational hazard. Paranoia is also healthy, to a certain degree, because cyber threats are omnipresent. They’re on the network. They’re in software. They’re in email attachments and websites. And, some of the most insidious and hard-to-detect threats are hiding in the silicon—the notorious firmware threat.

Firmware is software that tells hardware how to function. Without it, digital devices will not run. It resides on Read Only Memory (ROM). The BIOS on a PC is an example of firmware. However, every smart phone, computer, tablet and IoT device contains firmware.

If you ask cyber security professionals what scares them most, many will say firmware. Why? The trouble is that firmware-borne threats are notoriously difficult to detect. One of the biggest issues is a lack of visibility and trust in the hardware supply chain. For example, an American chip maker may write firmware code and send it to a fabricating plant in Asia. There, the fabricator may install the firmware exactly as it was received. Or they don’t. Unfortunately, much of our digital equipment is manufactured in countries that have a strategic interest in spying on the US or conducting cyberwar operations against us.

Another big challenge flows from the fact that firmware arrives in compiled form. It runs at the machine level, out of reach of most standard security countermeasures. And there’s just so much of it. A single motherboard in an enterprise server could contain dozens of sets of firmware code from as many different manufacturers. With IoT devices, the problem is more horizontal: each device may have only one piece of firmware, but there are hundreds of varieties of devices, often coming from unknown sub-contractors in an opaque, foreign supply chain.

Terry Dunlap, Co-Founder of Refirm Labs

Some cyber security vendors are starting to get serious about the firmware threat. This is welcome news. Refirm Labs, for example, has developed a number of techniques to review firmware and detect embedded threats. They can find known vulnerabilities as well as threats like embedded passwords and accounts and malicious backdoors.

The company emerged out of the national security apparatus in the US, with the founders having worked on comparable solutions for the government. Their success with automated firmware threat detection led private investors to back the founders in a commercial venture.

According to Co-Founder Terry Dunlap, the company has found success working with telecom clients. These customers have to contend with myriad devices of largely unknown provenance. They need automated processes to determine if their devices contain threats embedded in firmware. “We can take the process further than the one-off pen testing and black box testing that were the norm in the telecom industry,” Dunlap explained.

Working with compiled binaries, Refirm can handle any Linux- or QNX-based firmware. The Refirm solution can also extract encrypted SSL certificates and keys from firmware. For example, they found a private signing key baked into the firmware of a popular automotive device. They have found high-risk executables and zero-day attacks. They are able to run static analysis as well as an emulation engine, and can determine in about thirty minutes whether an executable makes network connections.


They find backdoors. One Refirm client, a Fortune 500 company, had suspicions about a surveillance camera they had acquired in quantity. Refirm assessed the camera’s firmware and found a backdoor protected by several layers of obfuscation. To Refirm, the obfuscation signaled that the backdoor was intentional. In contrast, backdoors and embedded passwords are sometimes left in the code accidentally by engineers. In this case, though, they saw that the firmware was programmed to send traffic to IP addresses in China.
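As an added illustration of the kinds of artefacts a firmware review looks for (embedded private keys, usable password hashes in baked-in account entries, and hardcoded callback IP addresses), here is a small triage scan over a constructed firmware blob. This is example code written for this article, not Refirm’s tooling, and the blob, the key material and the IP address in it are all made up.

```python
import re
import ipaddress
from typing import Dict, List

# Constructed sample "firmware image": filler bytes around the three artefact
# kinds discussed above (the PEM body, hash and IP address are all invented).
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 16
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"MIIBOgIBAAJBAKconstructedkeybodyAAAAB3NzaC1yc2E=\n"
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"root:$6$saltsalt$abcdef0123456789:18000:0:99999:7:::\n"   # usable hash
    + b"service:*:18000:0:99999:7:::\n"                          # locked account
    + b"http://203.0.113.25/update\x00"                          # hardcoded callback
    + b"127.0.0.1\x00version 1.2.3\x00"                          # loopback: ignored
)

# PEM private-key block; the backreference makes BEGIN and END labels match.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----", re.S)
# /etc/shadow-style entry whose second field is a crypt(3) hash, not '*' or '!'.
SHADOW_RE = re.compile(rb"^([a-z_][a-z0-9_-]*):(\$[1-9a-z]+\$[^:\n]+):", re.M)
# Dotted-quad literal not embedded in a longer dotted string (e.g. a version).
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")


def scan_firmware(blob: bytes) -> Dict[str, List[str]]:
    """Return private-key labels, accounts with live hashes and hardcoded IPv4s."""
    findings: Dict[str, List[str]] = {
        "private_keys": [], "password_hashes": [], "hardcoded_ips": []}
    for m in PEM_RE.finditer(blob):
        findings["private_keys"].append(m.group(1).decode())
    for m in SHADOW_RE.finditer(blob):
        # A real hash means the account password ships with every unit.
        findings["password_hashes"].append(m.group(1).decode())
    for m in IPV4_RE.finditer(blob):
        try:
            ip = ipaddress.ip_address(m.group(0).decode())
        except ValueError:
            continue  # e.g. an octet above 255
        # Loopback, unspecified, link-local and multicast are noise, not callbacks.
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast:
            continue
        if str(ip) not in findings["hardcoded_ips"]:
            findings["hardcoded_ips"].append(str(ip))
    return findings


if __name__ == "__main__":
    for kind, items in scan_firmware(SAMPLE_FIRMWARE).items():
        print(f"{kind}: {items}")
```

Any hardcoded address this turns up is a lead for the emulation or network-capture step, not a verdict on its own.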

Continuous monitoring helps with firmware risk mitigation. For instance, Refirm monitored a set-top box for a cable TV provider and noticed a new SSL vulnerability that appeared six months after deployment. Indeed, one further challenge with firmware is the inevitable firmware updates that regularly occur. It’s essential to stay on top of what’s happening with refreshed firmware.

As defense contractors must now comply with the new Defense authorization bill that prohibits military bases from using devices from certain manufacturers, such as Hikvision and ZTE, there is a great deal of firmware remediation work to be done. Refirm is now engaging with this clientele. The company is also working with a new class of customers in the insurance industry. Cyber security is now becoming a product liability issue. Awareness of firmware-borne threats is helpful in establishing possible insurance losses for product liability in the electronics industry.

Firmware is an important but under-served area of the cyber security market. Companies like Refirm are poised to grow as more people and organizations recognize the risk exposure they face from compromised firmware.


Photo Credit: nebarnix Flickr via Compfight cc