
U.S. Gov Issues Stark Warning, Calling Firmware Security a ‘Single Point of Failure’


U.S. government warns that firmware presents “a large and ever-expanding attack surface.”

The U.S. government, at the very highest levels, is calling attention to major weaknesses in the firmware supply chain, warning that the layer below the operating system is fertile ground for devastating hacker attacks.

A new joint draft report issued by leadership of the U.S. Department of Homeland Security (DHS) and Department of Commerce said firmware presented “a large and ever-expanding attack surface” for malicious hackers to subvert the core of modern computing.

“Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale.”

“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the two agencies said following a one-year assessment of the supply chains for critical IT infrastructure deployed in the United States.

“Firmware can also be a lucrative target with a relatively low cost of attack. Over the past few years, hackers have increasingly targeted firmware to launch devastating attacks.”

The 96-page report (PDF), published to support the Biden Executive Order on securing America’s supply chains, warned that firmware’s privileged position in the computing stack gives stealthy attackers a major advantage.


Despite its essential role in electronic devices, the agencies insisted that firmware security “has not traditionally been a high priority for manufacturers or users and is not always well protected.” 

During the assessment, the agencies found that firmware on items such as network cards, Wi-Fi adapters, and USB hubs are often not properly signed with public or private keys. 

“These devices have no way to verify that the operating firmware is authentic and can be trusted.”
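The report's point is that a device can only reject tampered or counterfeit firmware if it has a vendor public key and a signed description of the image to check against. The following Go sketch is an added illustration of that check, not code from the report or the article: the device verifies a signed manifest (version plus image hash), recomputes the image hash, and refuses downgrades. The manifest layout, the function names and the constructed seed/image are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update header. The vendor signs the header,
// and the header binds the firmware image by its SHA-256 hash.
type Manifest struct {
	Version   uint32   // monotonic counter, used to refuse rollback
	ImageHash [32]byte // SHA-256 of the firmware image body
	Signature []byte   // Ed25519 signature over Version || ImageHash
}

// signedBytes is the exact byte string the vendor signs and the device verifies.
func signedBytes(version uint32, imageHash [32]byte) []byte {
	buf := make([]byte, 4, 4+32)
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, imageHash[:]...)
}

// SignFirmware models the vendor's build pipeline step (hypothetical helper).
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, signedBytes(version, h)),
	}
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the vendor key")
	ErrHashMismatch = errors.New("image hash does not match the signed manifest")
	ErrRollback     = errors.New("image version is not newer than the installed version")
)

// VerifyFirmware is the check a device performs before flashing an update.
// Order matters: authenticate the manifest first, then trust its hash and version.
func VerifyFirmware(pub ed25519.PublicKey, m Manifest, image []byte, installedVersion uint32) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	h := sha256.Sum256(image)
	if !bytes.Equal(h[:], m.ImageHash[:]) {
		return ErrHashMismatch
	}
	if m.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

// DemoKeys derives a key pair from a fixed, constructed seed so the example is
// reproducible offline. A real vendor key would live in an HSM, not in source.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed seed
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	image := []byte("constructed firmware image, version 2") // constructed sample
	m := SignFirmware(priv, 2, image)

	fmt.Println("genuine update:  ", VerifyFirmware(pub, m, image, 1))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered image:  ", VerifyFirmware(pub, m, tampered, 1))
	fmt.Println("rollback attempt:", VerifyFirmware(pub, m, image, 2))
}
```

The signature is taken over the manifest rather than the whole image so that the expensive hash can be recomputed in the bootloader's own code path, and the version counter gives the device a reason to refuse a correctly signed but older image, which is the downgrade case a simple "is it signed" check misses.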

Even worse, the agencies called special attention to the fact that OEMs and computer makers outsource firmware development to third party suppliers. “[This] introduces risks related to the lack of transparency into suppliers’ programming and cybersecurity standards.”


The government’s warning comes as threat hunters spot signs that nation-state APT actors are using UEFI firmware implants to maintain stealthy infections and survive reboots and OS reinstallations. The notorious FinSpy surveillance spyware toolkit was also fitted with a bootkit to conduct stealthy infections.

In the report, the agencies also warned of “complex supply chains” that compound the problems securing firmware deployments.

“In PC production, for example, the OEMs are typically responsible for firmware and the rest of the PC platform elements. However, many OEMs outsource firmware development to third-party suppliers where OEMs may not have visibility into their cybersecurity hygiene. Even if OEMs establish security standards, they may not be able to enforce supplier security protocols across a wide range of components and sub-suppliers,” the government agencies warned.


The report also noted that individual OEM vendors may modify the firmware based on device needs once the firmware has been delivered to the OEM. “This can lead to confusion about what party is ultimately responsible for firmware integrity and who is to supply customer updates.” 


“In addition, as devices and firmware change, OEMs often contract with different firmware developers, which can lead to delays or a lack of any update when older devices require updating and the original developer is not available. All of these factors can leave firmware open to malicious attacks,” the report said.

The agencies also called attention to the pain-point of applying firmware updates. “A firmware’s update process and capability vary by device. Some devices receive regular firmware updates. Some may only receive one update over their lifetimes, while others may never receive an update.”

Even worse, the process to install firmware updates is not simple, leading to skipped patches for critical-level vulnerabilities. 

“Firmware updates present a major logistical challenge for many enterprises,” the agencies said. “In many instances, device firmware is never updated or may only be updated in an emergency. In addition, vendors may only supply firmware updates if driven by an incident or identified vulnerability.”


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
