Firmware Looms as the Next Frontier for Cybersecurity

Published: 23/11/2024   Category: security

Software bugs are ubiquitous, and we're familiar with hardware threats. But what about the gap in the middle? Two researchers at Black Hat Asia will attempt to focus our attention there.



Last December, researchers discovered a series of five vulnerabilities affecting servers from more than a dozen major vendors, brand names like Huawei, Qualcomm, Nvidia, AMD, Dell, and HP. The vulnerabilities were nothing to scoff at, either, with CVSS scores ranging from 5.3 (Medium severity) to 9.8 (Critical).
The bugs live in firmware developed by American Megatrends International (AMI) for baseboard management controllers (BMCs). A BMC is a small, separate processor on the server motherboard that lets administrators monitor and manipulate essentially anything on the machine, from applications and data all the way down to low-level hardware, over its own out-of-band management connection, even while the host is turned off (as long as it's receiving power).
"So this is obviously a really interesting place for attackers to be," says Nate Warfield, director of threat research and intelligence for Eclypsium, the firm behind the disclosure. "If they can get into this mini-computer that's always running, they now have remote admin access over whatever they want."
But this discovery was merely a speck on the surface of a much greater problem. In a May 11 presentation at Black Hat Asia, Warfield and Vlad Babkin, security researcher at Eclypsium, are going to argue that AMI's BMC bugs were evidence of something bigger, and more structurally problematic, in firmware security.
"The message is definitely not the vulnerabilities themselves," Babkin states, unequivocally. "It's much, much deeper. Because even if we go ahead and fix these vulnerabilities, it's not going to fix the root issue."
When organizations harden themselves to tried-and-true tactics, techniques, and procedures, attackers need new ways to get where they want to go.
"All of these endpoint detection and response (EDR) products — they're not perfect, but they do slow people down," Warfield says. "And because of this and all of the other defenses that are being developed, attackers need to find a place where they can start to sort of evade this stuff."
Warfield and Babkin think firmware can be that new place they go to.
"If we look back 10 or 15 years ago," Warfield continues, "the only groups really capable of attacking at a firmware level were your nation states — your Russians, your NSA — you know, the really well-funded organizations. But now it's becoming a lot easier. There is a proliferation of tools that help you get into firmware." And the power that a firmware breach affords is often far greater than what can be achieved by typical software-based means.
"Let's just put it this way," Babkin muses. "Firmware is A) a private, privileged component — it's crucial, and you can't take it away because of what it is and what it does; B) it's a gray area, because many security products and tools actually aren't able to look into it; and C) it's exploitable."
Exploitable, to say the least. In the innards of a machine, firmware is one of the most privileged places a hacker can find themselves. "If you're a ransomware group and you can get into something like a BMC, you can ransomware the whole network," Warfield says, as just one scenario among many. "Even if they decide to not pay the ransom, pull the hard drives, reformat and reinstall everything — if you're in their BMC, you can just come back and do it again. Right? They're not going to get rid of you, because they don't really know where you are."
If firmware is the new frontier, enterprises will need to dedicate more time, energy, and resources to this untapped plane of security. But are we even ready to have that conversation?
Babkin hesitates to just list off easy tips and tricks for firmware security. "Honestly," he says, "there's advice I could give on a technical level, but really it's more than that."
As he and Warfield see it, there's a core issue with visibility in firmware today, and it's getting in the way of security. "I mean, one of the biggest issues in our research was just trying to find what exactly was running," Babkin laments. Companies that might otherwise want to address their firmware security could have a difficult time simply figuring out what exact firmware they're running, and where it all comes from.
To help explain, Warfield draws a parallel with poisoned NPM packages. Bad open source packages cause a supply chain nightmare, both because of how widely they spread and because companies often don't actually know about all the software they have installed.
"AMI sells this BMC as a library," Warfield points out. "So you may have a server from Dell, and you may not actually know that your BMC code is from AMI. That just makes everything take longer, because AMI has to sell the fixes to the OEMs, the OEMs have to package it, and then you have to install it."
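The visibility gap Babkin describes and the OEM-rebranding problem Warfield raises share a concrete first step: inventory what every BMC in the fleet reports about itself. The script below is an added example, not code from the article, Eclypsium or AMI. It assumes the Redfish Manager resource (`/redfish/v1/Managers/<id>`) and any `UpdateService/FirmwareInventory` entries have already been fetched from each BMC, and it runs on constructed sample payloads with made-up hostnames, models and version strings. Two checks a practitioner wants fall out of the records: hosts whose BMC reports no manufacturer at all, and BMC models running more than one firmware version across the fleet. One caveat: the `Manufacturer` a rebranded BMC reports is typically the OEM's name, so this tells you which version you run, not whether the code underneath came from AMI.

```python
"""BMC firmware inventory from Redfish Manager / FirmwareInventory documents.

Added example (not the article's, Eclypsium's or AMI's code). Assumes the JSON
documents were already retrieved from each BMC; the sample payloads, hostnames,
models and version strings below are constructed for illustration.
"""
import json
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class BmcRecord:
    host: str
    manufacturer: str        # Redfish Manager.Manufacturer ("" if absent)
    model: str               # Redfish Manager.Model
    firmware_version: str    # Redfish Manager.FirmwareVersion
    components: dict = field(default_factory=dict)  # name -> (manufacturer, version)


def _text(doc, key):
    """Return a stripped string for an optional Redfish property."""
    return str(doc.get(key) or "").strip()


def parse_manager(host, manager_doc, inventory_docs=()):
    """Turn one Manager resource plus optional SoftwareInventory entries into a
    BmcRecord. Accepts dicts or JSON strings; missing optional properties become
    "" instead of raising, because real BMCs omit them."""
    m = json.loads(manager_doc) if isinstance(manager_doc, str) else manager_doc
    rec = BmcRecord(
        host=host,
        manufacturer=_text(m, "Manufacturer"),
        model=_text(m, "Model"),
        firmware_version=_text(m, "FirmwareVersion"),
    )
    for doc in inventory_docs:
        d = json.loads(doc) if isinstance(doc, str) else doc
        name = _text(d, "Name") or _text(d, "Id") or "unknown"
        rec.components[name] = (_text(d, "Manufacturer"), _text(d, "Version"))
    return rec


def unattributed(records):
    """Hosts whose BMC reports no manufacturer: firmware you cannot even
    attribute to a vendor, let alone map to an upstream supplier."""
    return sorted(r.host for r in records if not r.manufacturer)


def version_drift(records):
    """Group by BMC model and return only models running more than one
    firmware version across the fleet, as {model: {version: [hosts]}}."""
    by_model = defaultdict(lambda: defaultdict(list))
    for r in records:
        by_model[r.model or "unknown"][r.firmware_version or "unknown"].append(r.host)
    return {model: {v: sorted(h) for v, h in versions.items()}
            for model, versions in by_model.items() if len(versions) > 1}


# Constructed sample payloads; not captured from any real device.
SAMPLE = {
    "srv-01": ({"Id": "1", "Manufacturer": "Example OEM", "Model": "BMC-X",
                "FirmwareVersion": "2.10"},
               [{"Id": "BMC", "Name": "BMC Firmware", "Manufacturer": "Example OEM",
                 "Version": "2.10", "Updateable": True}]),
    "srv-02": ({"Id": "1", "Manufacturer": "Example OEM", "Model": "BMC-X",
                "FirmwareVersion": "2.08"}, []),
    # Third BMC omits Manufacturer entirely (a real-world gap, not an error).
    "srv-03": ('{"Id": "1", "Model": "BMC-Y", "FirmwareVersion": "1.4"}', []),
}


def build_inventory(sample=SAMPLE):
    """Parse every sampled host into a BmcRecord list."""
    return [parse_manager(h, mgr, inv) for h, (mgr, inv) in sample.items()]


if __name__ == "__main__":
    recs = build_inventory()
    for r in recs:
        print(f"{r.host}: {r.manufacturer or '?'} {r.model} fw={r.firmware_version} "
              f"components={r.components}")
    print("no manufacturer reported:", unattributed(recs))
    print("models with version drift:", version_drift(recs))
```

Run it with `python3` and the drift output is the list you work from once an OEM ships a repackaged AMI fix: every host still on the older version for a given BMC model is named, which is the part of the slow vendor-to-OEM-to-you pipeline that is actually under your control.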
And so, if more attackers start jumping on the firmware train, it'll require more than good cyber hygiene to stop them. As Warfield says, "It's not a quick Patch Tuesday type of thing."
