The recent Intel firmware vulnerability reminded me of an article I ve been wanting to write for a few months. The essence is that firmware and chips can be hacked. They (or their related controller chips) contain software-like instructions that usually contain vulnerable security flaws. They are just harder to update. Repeat after me: Chips and firmware are just harder-to-patch software. Because of this, and other reasons, I fully expect more frequent hacks at the firmware and hardware-layer in the future.
1. More security will be driven at the chip level
Taking the lead of the Trustworthy Computing Group s initiatives, more and more computer security is being driven and secured at the chip-level. It started with efforts such as Trusted Platform Module (TPM) chips embedded on nearly every computer, OPAL self-encrypting hard drives, the Unified Extensible Firmware Interface (UEFI), hardware-based hypervisors such as Intel s Virtualization Technology (VT-x) and AMD s Virtualization (AMD-V), and myriad other chip- and firmware-led technologies by chip vendors and manufacturers. More and more, security is starting at the chip-level. For example, Microsoft doesn t just use hardware-based virtualization chips for its flagship Hyper-V virtual machine technology. Hardware-based security is the basis of many of its strongest and most recent technologies, including DeviceGuard, Credential Guard and AppGuard. Expect most operating system and chip vendors to offer more hardware-driven security in the future.
The main reason why hardware-based security is growing is because it puts security in charge sooner in the computing cycle. The closer security is to the electronic components, the harder it is for hackers and malware to get into the pathway to disable or take control of it. To defeat hardware-based security and gain access to the protected applications and data, hackers and their malware creations will increasingly need to attack the hardware.
2. Hardware hacks are often multi-platform
Although most computers come with a pre-installed operating system, most can run multiple platforms. For example, my Windows 10 laptop can run Linux, BSD and myriad nix variants. Apple computers often run Microsoft Windows using virtual machine software. A hardware-based vulnerability often puts the hacker or malware in control before the operating system is in charge of security, meaning that it can bypass any operating system s security controls. While writing malware that could take advantage of a hardware flaw across multiple operating systems is still a huge obstacle, simply having the ability to get around multiple operating system s protection is a giant advantage for any hacker.
3. Chip programmers are just as bad at secure programming as software programmers
Programmers, in general, are rarely trained appropriately in writing secure code. After decades of hard lessons won in how important secure programming is to the whole development cycle, most programmers get little to no training in it. At the hardware-layer, the types of programmers and teams that work there get even less training. Some of it has to do with the fact that hardware isn t as frequently attacked as software today, and so the overall risk is less. This lack of training means that hardware and firmware is full of bugs just waiting to be exploited. At the same time as chips are getting more transistors and logic gates, the number of instructions and lines of code put in firmware is increasing. As the number of lines of code increases, so does the number of bugs (all other things being equal). There is no doubt that today s chips are full of easy-to-exploit bugs just waiting to be found. Just look at the details of the Intel exploit. Any string of characters you put in as the authentication hash worked as well as the actual hash, allowing complete admin control. I don t think I ve ever read of such a horrible flaw in software, ever!
4. Chip monoculture
Only handful of firms make chips and firmware now, after an industry-wide consolidation of the last few years. Their chips are showing up in more and more devices. So we ve got more chips across more devices with less variation. Hackers love growing monocultures. It means they can write something once and have it work more successfully across a growing range of devices and operating systems. For example, the Unified Extensible Firmware Interface (UEFI) firmware has replaced the traditional BIOS in most computers and a growing number of devices. While partially created to make it harder to hack firmware (it does contain many anti-hacking features), UEFI was also given a micro, Linux-like kernel, which if you didn t know better, looks a lot like your average Linux-based Bash shell. You can do a lot in the UEFI kernel, and it s similar and shared across every UEFI implementation.
It sounds like a potential recipe for disaster. UEFI is supposed to save us from easy firmware hacking, and it s certainly more secure than what BIOS were, but the large, monoculture portions may end up being more problematic than the old vulnerabilities it closed.
5. Hardware hacking is becoming more common
The Internet of Things (IoT) is making more hackers interested in hacking chips and things that don t look like traditional computers. Today, hackers are realizing that IoT devices are just mini-computers running operating systems with a bunch of chips, which they learn about and hack. Parents and their kids routinely buy hardware kits to create and compute, like Raspberry Pi and Arduino. All of this is expanding people s, and hacker s, horizons of what can be hacked and now to do it. The hackers of the future are going to be far less intimidated about hacking hardware and firmware.
6. Hardware is patched less frequently
Even though firmware and hardware often contain vulnerabilities, even publicly known vulnerabilities, they are patched far less frequently by the vendor. Even when a patch is created by the vendor and available, most owners don t apply them. Most of the time they aren t even aware there are such things such as vulnerabilities in firmware and hardware, and even if they are aware, most aren t given them the appropriate consideration. For example, how many of you knew about the Intel firmware flaw that began this article? How many have downloaded the discovery tool and applied the fix? See what I mean.
All of this makes chips and firmware the next feature-rich environment for hackers to hack. Luckily, at least for the firmware components, we can patch them much the same way as we patch regular software. You run the vendor s software update, which updates the firmware or other supporting instructions.
One of the best things you can do to be prepared is to realize that firmware and hardware can be hacked, and likely will be more hacked in the future. Fortunately, we ve got a nice, unintentional resting period, where malicious hackers aren t really concentrating on firmware and hardware hacking because their software hacking is working quite well. But as hardware security chips begin to make software-based vulnerabilities harder to pull off, the only way for hackers to be as successful will be in attacking the hardware and firmware more often. It s coming. Enjoy the break and get prepared. The easiest way to get prepared is to update your patching guides and policies to including patching hardware and firmware. Oh, you ve already got that in your patching guides (I hear this all the time). Well, did you get right on that massive Intel vulnerability announcement? Have you patched everything that needed patching? Most people didn t.
This is your wake-up call.
- ^ Vulnerability hits Intel enterprise PCs going back 10 years (www.csoonline.com)
- ^ Trustworthy Computing Group s (trustedcomputinggroup.org)
- ^ DeviceGuard (docs.microsoft.com)
- ^ Credential Guard (blogs.technet.microsoft.com)
- ^ AppGuard (blogs.windows.com)
- ^ After CIA leak, Intel Security releases detection tool for EFI rootkits (www.csoonline.com)
- ^ Raspberry Pi (www.raspberrypi.org)
- ^ Arduino (www.arduino.cc)
- ^ 12 hardware and software vulnerabilities you should address now (www.csoonline.com)
- ^ CSO (www.csoonline.com)
Deputy Ric Lindley
A Jefferson County sheriff’s deputy is in the hospital after he was attacked by dogs while on duty. The attack happened Wednesday in the 100 block of 16th Terrace N.E., said Chief Deputy Randy Christian. The deputy, identified by multiple Facebook posts asking for prayers as Deputy Ric Lindley, was sent to a home there to check on the welfare of a teen who had skipped school. The mother told deputies she had dropped her son off at school, but had seen him return home on a security camera. Lindley knocked on the front door, but there was no answer. He went to the back of the home where he encountered two large dogs who attacked him, Christian said Sunday. He suffered bites to his legs and arms. He was taken to the hospital where he was treated and released. The dogs were taken to be tested for rabies.
On Saturday, Lindley was admitted to the hospital again after developing an infection with a fever as high as 103. According to Facebook posts by family, he is expected to remain hospitalized for four to five days and an infectious disease specialist has been called in to evaluate the deputy. Just two years ago, Lindley captured hearts across the U.S. when he was photographed holding a baby girl following a traffic crash on Interstate 20 near Leeds. Within hours, the photo was shared thousands of times on social media, and made its way all the way to Hawaii. The photo reached more than 561,000 people on the Jefferson County Sheriff’s Office Facebook page alone, not counting Twitter.
The former U.S. Army Green Beret said at the time he didn’t understand the fuss. “I’m just a man. I’m not better or worse than anyone else,” he told AL.com. “I’m just a Dad and a grandfather. That’s about it.”
PROVIDENCE, R.I. (AP) – Gov. Gina Raimondo has established a board to advise her on homeland security and cybersecurity issues. The Democratic governor signed an executive order creating Rhode Island s first Homeland Security Advisory Board Thursday. The seven-member board will work with the state s cybersecurity officer, law enforcement and other stakeholders to monitor the state s progress on implementing recommendations from the Cybersecurity Commission.
The order dissolves that commission, which last met in December 2015. Raimondo established the commission in 2015 to figure out how to better protect the state from cyber threats while growing its industry and economy. It recommended strategically integrating cybersecurity into the state s homeland security mission. The advisory board is charged with issuing a report evaluating the status of Rhode Island s cybersecurity plan by December.
Its membership hasn t been finalized.