As a leading provider of IoT cybersecurity software that empowers device manufacturers to embed protection against unknown threats, one of our critical focuses at Dellfer is protecting the state of firmware. Firmware is an important element of our work because, as Help Net Security describes, “IoT embedded systems combine hardware, firmware, and internet connectivity to carry out particular functions,” including the tracking, monitoring and analysis of data. Securing firmware is therefore part of securing the overall process and the potentially sensitive information involved. With that in mind, we think it is helpful to understand the risks surrounding firmware. In this post, we will break down some of the issues and the attention coming firmware’s way.
The Rise of Firmware Attacks
In 2021, a study commissioned by Microsoft revealed that over 80% of the enterprises reviewed had experienced at least one attack against their firmware within the previous two years. As quoted by Cybersecurity Dive, one spokesperson explained that “The reason attackers are targeting these layers of computing is because they live below the operating system and go unmonitored, meaning attackers can lay in wait to encrypt the device and secure the biggest ransomware payout.” Because such activity can be hard to detect, though, many organizations weren’t seeing firmware security as the investment it is. The study found that only 29% of them had firmware incorporated into their budget.
This can lead to major issues because new vulnerabilities are discovered often. A set of six “high-severity firmware vulnerabilities impacting a broad range of HP devices” used within enterprises is still awaiting patches even though some were originally uncovered in 2021, according to Bleeping Computer. Leaving such flaws unattended is dangerous because they leave openings for malware and other compromises. Among the vulnerabilities, researchers found issues in SMM (System Management Module), which is part of the UEFI firmware that assists with hardware control and power management.
These unaddressed firmware vulnerabilities have put code used by several companies at risk. The vendors include HP, Dell, Intel, Microsoft, Fujitsu, Framework and Siemens. “In terms of supply chain impact, it will take 6-9 months based on our data for the vulnerabilities to be patched by device manufacturers at least on all the enterprise devices,” Alex Matrosov, the CEO of Binarly, told Security Week.
Shoring Up Firmware Cybersecurity
As firmware threats grow alongside other threats, such as those facing OT and ICS, measures to protect firmware will continue to rise in significance. In fact, in a recent advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) regarding the need to defend OT and ICS from malicious actors, one of the mitigation steps featured is “avoid disclosing information about system hardware, firmware and software in any public forum,” according to reporting by MSSP Alert. This shows that securing firmware and the details attached to it plays a role in the larger cybersecurity picture.
We hope that this all illuminates the need to shore up firmware cybersecurity, but we also understand that it can be challenging to do so. That’s why we are innovating ways to offer cybersecurity for IoT firmware, specifically. We are very proud to have recently announced a new program that the Dellfer team designed to bring breakthrough zero-trust security into partners’ OEM channels. Learn more about this program at https://dellfer.com/new-dellfer-program-helps-monetize-firmware-security-in-oem-channel/.
- “Embedded IoT security threats and challenges” – Help Net Security
- “Enterprises lag on firmware security spending in face of rising threat” – David Jones, Cybersecurity Dive
- “Firmware bugs in many HP computer models left unfixed for over a year” – Bill Toulas, Bleeping Computer
- “New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access” – Eduard Kovacs, Security Week
- “CISA, NSA: Nation-State Cyber Attackers Home in on Critical OT/IC Systems” – D. Howard Kass, MSSP Alert