If Firm Implies Secure, Does That Imply My Firmware Is Secure? | Cyber Security
Has there ever been a time in your life when you asked, “How does that work”?
In the early days of computing, we learned that BIOS stood for “Basic Input Output (instruction) Set.” It is a set of nonvolatile instructions that dictates how a hardware system should function at startup.
I remember my first experiences interacting with BIOS. I specifically recall configuring my first IBM 8088 computer. There were DIP switches on the motherboard which we could set to dictate a limited range of BIOS functionality at boot such as memory size and the number of floppy disk drives. Then we went to disk-based BIOS utilities on the early IBM/AT (80286) class of computers. When we were introduced to hard drives, we used jumpers to determine the master drive. From there, we went to allowing user access to the BIOS by pressing a key or key-combination at startup.
BIOS has been around for a while now. Only rarely were these instructions referred to as “firmware” in the early days. For sure, nobody ever thought of security on firmware back then, but today, it is a common thought amongst most security engineers.
Origins of Firmware
The term firmware was first coined back in 1967 and was meant to designate microprograms resident in the computer’s control memory but not the physical control memory itself. Originally, it referred to the contents of a writable control store containing microcode that defined and implemented the computer’s instruction set and that could be reloaded to specialize or modify the instructions that the central processing unit (CPU) could execute at startup.
How is it defined today? According to the Tech Terms dictionary, firmware is a software program or set of instructions programmed on a hardware device. It provides the necessary instructions (at startup) for how the device communicates with the other computer hardware.
But how can software be programmed onto hardware? Good question.
Firmware is typically stored in the flash ROM of a hardware device or its nonvolatile memory. Nonvolatile memory is a form of static random-access memory in which the contents are not lost when the device is rebooted or loses power.
While ROM is “read-only memory,” flash ROM can be erased and rewritten because it is actually a type of flash memory.
Firmware can be found in many places such as startup and timing devices in home appliances, light bulbs, home thermostats, our automobiles, our computers and embedded or installed components such as storage systems. What about the networks routers, switches, firewalls and intrusion detection systems at the office, not to mention the Internet of Things? Yes and yes. Our phones, mp3 players, tablets and a host of other devices also contain firmware.
Device manufacturers embed firmware into their products right at the factory. While the firmware in a smart light bulb may not need frequent updates, a smart thermostat may need to be updated periodically to remain compatible with its companion smartphone application. Updates are often issued to fix bugs, roll out new features and improve security. Some internet-capable devices regularly check for new firmware and automatically download and install it, while other device manufacturers require the user to visit the manufacturer’s website to download firmware updates and install them manually.
For firmware to be vulnerable to malicious activity, it must have the means to be modified and to communicate with other devices and components. Many older devices use proprietary protocols or hard-coding as a means to communicate. Today, many of these devices are IP addressable, meaning they can be accessible by anyone with a device that can communicate on or over a network. These IP addressable devices can be accessed using the same protocols that have been standards for decades such as TCP, UDP, SSH, FTP, SCP, SFTP, TFTP, Telnet etc. Most support Internet Protocol Version 4 (IPv4), but many can also support the newer IPv6.
While firmware is required for systems to start up and run properly, we must consider if our devices are IP addressable (i.e. they connect to a network) if they are susceptible to an attack. What if my phone or other devices start up and appear to run normally but are secretly collecting my keystrokes, running port scans or embedding viruses in my applications and web documents? What if they have been compromised and now could collect and forward data to the dark side of the internet? Should I be monitoring my firmware for malicious activity? Should the security software I choose to download include the ability to monitor firmware components?
There are also some questions you may want to ask if you work in the security industry. Are there any commercial or federal standards the require system firmware to be monitored? Is my company or agency compliant to these standards? Am I personally taking responsibility to ensure my personal systems and devices are protected?
Security Introduced into the Mix
With our computers, there is some out-of-the-box help today. Out with the old “BIOS” or “Basic Input Output (Instruction) Set” and in with the new “UEFI” or “Unified Extensible Firmware Interface.” UEFI supports “secure boot” and is a specification for a new generation of system firmware that provides the first instructions used by the CPU to startup hardware and passes the control to the bootloader. It helps ensure that your PC boots using only software that is trusted by the manufacturer.
Microsoft Secure Boot is a component of Microsoft’s Operating Systems that relies on the UEFI specification’s secure boot functionality to help prevent malicious software applications and “unauthorized” operating systems from loading during the system start-up process.
Regulatory or Security Compliance Standards
Most standards are getting tough on the requirement to monitor firmware. Many such as NERC and PCI include a policy that states software and hardware components must be regularly updated, this would include firmware as a component that must be updated.
NIST 800-53 is one of the best at spelling this out. SP800-53 SI-7() requires that companies or agencies bound to this standard include a tool that can monitor the integrity of systems. The SP800-53 SI-7() Control Description states: The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
Meanwhile, its Supplemental Guidance states the following:
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.
There are 16 sub-sets of policy under NIST 800-53 SI-7(). These include:
- SI-7(1): SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS.
- SI-7(2): SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS
- SI-7(3): SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CENTRALLY-MANAGED INTEGRITY TOOLS
- SI-7(7): SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND RESPONSE
The full list is available at: https://nvd.nist.gov/800-53/Rev4/control/SI-7
A discussion with your co-workers and management team may prove fruitful in an effort to assess whether your company or agency is being held to a specific security or regulatory standard around firmware and whether you are compliant.
Furthermore, your organization should hold a planning discussion around firmware in your environment. Is firmware being monitored today? How? Does our current security solution support firmware monitoring? Can we add this as a feature? Do we need a new tool to support this? What’s the effort to implement a monitoring solution?
There are system integrity tools available today that can monitor your firmware’s integrity. These tools can generally work well in on-premise, cloud based or hybrid infrastructures. They are easy to install and help to ensure your company is taking the proper steps to keep your systems protected while meeting security or regulatory compliance standards associated with firmware.