The backdoor to your firmware 2

Intro

In the previous post, I have described supply chain vulnerabilities on the example of the SolarWinds attack and the case of Mebromi. If you didn’t read the first part of the post, I strongly recommend you to start with it. In this part, I will focus on ways of preventing organizations and individuals from cybercrime.

Reasons of supply chain attacks

One of the main causes of a Supply chain attack is installing the firmware and chips connected to it on the product ordered by customers or organizations. For the last few years, attackers have begun creating their vulnerabilities, deliberately compromising the open-source development and distribution process. Instead of attacking software companies, they rather make an order to install the malware in their products. For that reason, 3mdeb offers help with Firmware Validation services to improve the security of open-source firmware. From this perspective, just having the open-source firmware instead of closed - is not enough; 3mdeb can validate and perform the security audit.

The market produces low-quality code that has no place in embedded systems, which results in high demand for quality. Independent Firmware Vendors like 3mdeb and big companies are trying to provide this quality contributing and developing the open-source projects. To ensure their devices’ integrity, organizations need to prove that the systems they acquire are safe, arrive intact and without tampering and that all updates are valid and secure. Hence, the companies can ask their technology vendors to include full schematics for a “bill of materials” that lists all the used core components. This also informs if there are known vulnerabilities and that their hardware matches what is intended and nothing suspicious has been added.

cybersecurity against cybercrime

The necessary steps and good practice that may help you to protect your organization against cybercrime:

  • Raise cybersecurity awareness - every employee must be aware of how they play a part in keeping their organizations safe. If there are any changes to platforms, processes, or procedures, they must consider and communicate the impact on their digital and cyber exposure.

  • Backup your information - have your primary systems protected and backed up. Apply the same defenses to your secondary data sources. Consider your entire digital footprint and put protection around everything.

  • Secure your social media accounts - ensure that social media policies, procedures, and defenses are in place.

  • Educate staff on credential theft - employees must be fully aware of the processes preventing the danger of threats related to the use of work email addresses and similar passwords to set up accounts in other Internet applications.

  • Examine your supply chains - analyze how your supply chain partners manage their cyber risks and how the weaknesses could impact your operations.

  • Ask your technology vendors for a bill of materials. With a BOM, you can respond quickly to the security, license, and risks that come with the use of the product.

  • Give a try to Remote Testing Environment. RTE is a tool created for overall firmware validation effort. It allows for debugging, flashing firmware, controlling GPIOs, and Device Under Test’s power management.

  • Take care of your platform’s stability and security - use the products that help provide scalable, modular, easy to combine Open Source BIOS, UEFI, and Firmware solutions, ex. Dasharo.

  • Update your operating systems - statistics and facts show that outdated systems are a weakness that cybercriminals will exploit.

  • On the mission-critical servers, software should be limited to the minimum that allows for flexible work. Reducing the software set helps to reduce the attack surface.

  • Trusted team communication helps to avoid potential security problems associated with phishing and impersonation and make it possible to exchange sensitive information without relying on untrusted or insecure channels. Before you put down any code or bring up any servers, set secure communication guidelines as early as possible (trusting emails, IM sessions, git commits, etc.)

  • Try the benefits of coreboot - since it’s much smaller than a proprietary UEFI, coreboot has a smaller attack surface by default.

  • Base your cryptography on PGP. The best way to completely protect your keys is to move them to a specialized hardware device capable of smartcard operations. Encrypting the firmware in transit ensures your integrity.

Recent study found that 67% of companies reported that the organization’s security has decreased because of the inability to control risks created by the lack of physical security in workers’ devices and putting access to privileged company information and applications under threat. Today, most attacks exploit unintentional vulnerabilities in the source code, so we must continue to work to prevent these unintended vulnerabilities. Closed source binary blobs in our firmware make it impossible to trust what is going on in the early stages of system initialization and hamper efforts to detect attacks. Unless we know what is supposed to be running in the BMC or early host firmware and have a reproducible way to build it ourselves, we have no way to know what has been installed by the OEM or by an attacker.

Closed source code must be replaced with open firmware where the source code is more accessible and modified for customers. Granting the firmware users access to the source code helps increase that code’s security level and increases confidence in the firmware’s security status. Studies show that cyber-attacks are up month on month by 37% since the outbreak of Covid-19. As more employees choose to work from home, businesses will need to have robust cybersecurity and digital strategies that account for changing working practices and exposure to new threats.

Conclusions

Either the attacker can move from the traditional network or software layer down to firmware or move from the hardware up. Attackers can target the hardware directly via the supply chain, exposed ports, or even over the network via remote media or firmware update processes. Transparent validation, open-source firmware and licenses, coreboot, cryptographic signs, Supply Chain Assurance are good practices for organizations when it comes to hardware and firmware security. Additionally, however, educating yourself and the people around you is the key to your organization’s strong security system. The more we know, the more secure our firmware can be - this is the motto of a new series of blog-posts about firmware and hardware security, which we want you to present and spread the knowledge to you for your security.

Summary

If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features of used hardware platform, feel free to book a call with us or drop us email to contact<at>3mdeb<dot>com. If you are interested in similar content feel free to sign up to our newsletter


Anastazja Lapanova
Service and people oriented person. Second year student of criminology and a member of the Scientific Club of Forensics and Forensic Medicine - Dispecto. My goal is looking for solutions of security as much in cyberspace as in typical crime.