What you need to know about firmware attacks

A security researcher’s recent proof of a BIOS firmware attack has many readers concerned about the future of firmware attacks. Here’s the reality.

First of all, I’m assuming you know what firmware is: software written to a rewriteable chip, such as the BIOS chip, a hard drive controller chip, and so on. Almost every electronic device today has a rewritable firmware chip.

Firmware attacks are nothing new. They’ve recurred on a regular basis, albeit infrequently, since the 1998 CIH computer virus emerged. But it’s obvious that the experts are getting worried about future attacks. BIOS manufacturers are rushing to create more defensible firmware versions, for example, and NIST’s (National Institute of Standards and Technology) recent publication of two firmware protection guidance documents: Special Publication 800-147 (PDF) and Special Publication 800-155 (PDF). When NIST recommendations are being published to the public domain, serious concern is afoot.

How likely are real, public, widespread firmware attacks? This is the big unknown. But if you think about it, infecting firmware is tens of thousands of times harder than infecting regular software, because of all the different versions and API interfaces. Most malicious tasks — stealing money, passwords, or identities — can more easily be accomplished using normal software-only malware.

One exception: It’s easier to “brick” (make unusable or unbootable) a computer device with a firmware attack because the attacker just needs to corrupt the firmware code, not modify it. Corruption is pretty easy for a malware programmer. If your firmware gets bricked, recovery could require a chip or motherboard replacement. My best guess is that firmware attacks will focus more on disabling devices than modifying them to do something more sophisticated.

Hardening firmware To protect yourself, buy hardware with built-in protections against malicious firmware modification. Many BIOS vendors have been building in more and better defenses over the last few years. Some have added CRC-style checking routines that will either halt the BIOS if unapproved modifications are made (not much better than BIOS corruption) or, much better, deny or rollback any unapproved changes. Forget BIOS passwords alone because they don’t help all that much.

The gold standard of firmware protection is defined in the NIST documents above and has culminated in the new open BIOS spec called UEFI (Universal Extensible Firmware Interface) 2.3.1, considered the first strongly secure boot firmware standard. It requires trusted roots, digital certificates, and digital signatures. If you want to worry less about firmware attacks, make sure your future purchases include devices that have UEFI 2.3.1 enabled.

Unfortunately, UEFI 2.3.1 or later requires different chip sets than pre-UEFI motherboards; if you don’t already have a UEFI 2.3.1 motherboard (most people don’t), it will probably take a new purchase to get one. All Microsoft Windows 8- and 2012-certified computers will have UEFI 2.3.1 and the related Windows Secure Boot technology, which takes advantage of all this, built-in and enabled.

Already, today, Microsoft’s BitLocker with the TPM (Trusted Platform Module) chip enabled, and other drive encryption programs that check the integrity of firmware, can prevent or alert the user to unexpected BIOS modifications. But these protections aren’t as good as UEFI 2.3.1 defenses.

The latest versions of most popular open source operating systems also have UEFI 2.3.1 support, but you’ll have to make sure your open source OS supports it and that it is enabled on both the hardware and software — not an easy task. I haven’t been able to find information on Apple’s plans to support UEFI 2.3.1, but if anyone knows, please post that information in the comments to this story.

Stopgap measures The bigger question is what should you do about current, pre-UEFI 2.3.1, hardware?

Upgrade all firmware versions to the latest versions possible, even if that upgrade isn’t NIST-compliant or UEFI 2.3.1. Like all software upgrades, the most recent firmware versions contain bug fixes and often contain protections against unwarranted modification. Check with your firmware vendors to see what protections are offered. If few or none, remember: Sometimes pressuring your firmware vendor to get with the program actually works.

All this also means you should update your regular patching cycles to cover firmware updates. That’s always been a best practice worth following, but I’ve only seen a few enterprises make that commitment.

Lastly, remember, it’s not just the BIOS. Anything with firmware is subject to increased risk over time. For example, HP announced a while back that remote printer control characters could be used to control or corrupt many common HP printers’ firmware. I don’t think there’s a computer or device with firmware (including routers, switches, firewalls, and so on) that’s invulnerable to firmware attack, so best to start thinking about and protecting every device that contains firmware.

What’s the likelihood your devices will be attacked by firmware malware? Who knows? But if it happens, at least you can tell your boss you knew about the threat and had preparations in place.

 Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.