December 14, 2021
Firmware has historically been one of the most overlooked aspects of device security, making it particularly vulnerable to bad actors.
In a March 2021 Microsoft report, 83% of 1,000 businesses surveyed experienced at least one firmware attack in the past two years. By 2022, Gartner estimates that 70% of organizations without a firmware upgrade plan will suffer a breach due to firmware vulnerability. And the National Vulnerability Database maintained by the National Institute of Standards and Technology (NIST) shows more than a fivefold hike in firmware attacks in the last four years.
Firmware enables a device to perform its intended functions and makes a variety of hardware components work properly. Its components may include the device kernel, the file system where individual files required for device performance are stored, and the bootloader responsible for initializing critical hardware components and allocating the necessary resources. Firmware also stores sensitive information, such as encryption keys, in memory.
Updating firmware on connected devices presents a greater challenge than updating software on desktop computers and laptops. Connected devices comprise products manufactured by different vendors, many of which use vendor-specific hardware and firmware. While firmware updates can be done manually, the process is time-consuming and impractical — which has led to firmware becoming a largely unguarded attack vector. Hackers exploit firmware to infiltrate networks, gain access to other systems, compromise data or even take control of a device. Bad actors can bypass antivirus scans by embedding malware into a device’s firmware.
Device manufacturers, suppliers and system integrators simply cannot afford to overlook firmware security.
Automated firmware checking and field monitoring
The most rigorous and comprehensive cybersecurity system should start at firmware conception and continue through development, market launch and into the field. Product security teams and developers need the ability to detect, remediate and monitor vulnerabilities throughout the entire firmware life cycle. They need to be fully aware of the firmware’s composition and able to detect vulnerabilities in all the third-party components and software that make up the firmware.
Some companies test their firmware implementations manually using open-source software to analyze the firmware’s source code. Automated code scanning significantly accelerates firmware analysis.
Detecting vulnerabilities quickly should constitute only one-half of a company’s firmware security effort. The other half should involve building up capabilities for quick remediation of vulnerabilities. Reducing the total time to fix cybersecurity issues helps bring products to market faster. Insight into the causes of vulnerabilities and recommended fixes makes remediation easier.
When implementing third-party technologies to support firmware security, companies may want to consider software that can generate reports covering mitigation or remediation guidance for detected firmware vulnerabilities, as well as remediation support for common vulnerabilities and exposures (CVE). Known and unknown vulnerabilities can be detected as firmware is in development, speeding up remediation. In addition, companies should consider field monitoring capabilities that support continuous firmware security analysis and detection once connected devices are used in the field; such tools help companies better prepare for firmware upgrades and mitigation plans as vulnerabilities emerge.
The role of standards and regulations
Manufacturers, suppliers and system integrators of connected devices in automotive, healthcare, manufacturing and consumer industries should also base their firmware implementation analysis on relevant standards and regulations for their devices. Manufacturers and developers should assess their compliance readiness as firmware is in development as well as when it’s in the field.
Comprehensive firmware implementation analysis and monitoring can help companies assess compliance readiness to standards and regulations across industries, such as:
- ISO 21434 for cybersecurity engineering of road vehicles
- IEC 62443-4-1 and 62443-2-4 for industrial automation and control systems security
- ETSI 303 645 and UL IoT Security Rating for IoT consumer products
Protecting firmware is a crucial step toward securing connected devices. During the development phase, firmware analysis and vulnerability detection can help connected device stakeholders prevent attacks, quickly remediate problems and speed up security and compliance checks for faster time to market.