Firmware is all around us – from your car to airport kiosks and power grids, nearly all technology is powered by firmware, and that firmware is vulnerable to cyberattacks. Because of this, firmware attacks are on the rise and can be much more dangerous than Operating System (OS) attacks because the firmware is invisible to OS-based security solutions. Through firmware vulnerabilities, cybercriminals can take control of a device and use it as a gateway to navigate into the IT infrastructure and cause financial and reputational damages to organizations in both the public and private sectors.
Firmware security took a giant leap forward this week in a memo posted by the Foundation for Defense of Democracies (FDD), a non-partisan US-based research institute tasked with helping to direct policymakers to better protect our national security. Titled “The Missing Middle: Addressing the Absence of Firmware Security”, firmware is highlighted to be “code that lies at the foundation of billions of devices in the United States alone” and providing hackers, “more ‘bang for the buck’ than some software attacks.
This research memo begins with a reminder of how satellite internet router firmware was disabled throughout Ukraine, enabling the Russian invasion in 2022. It further goes on to describe the role firmware plays in different devices, the vulnerabilities firmware possesses, and how it is being overlooked in current government-sponsored and standards body cyber security initiatives. The paper concludes with several specific recommendations for government and standards bodies, with incentives to better secure firmware.
- Secure by Design Firmware – Secure system designs and ﬁrmware upgrade capabilities in data centers result in enhanced security from system inception to vulnerabilities.
- Deep Firmware Experience – Secure coding requires massive experience in ﬁrmware development and deployment through the compute supply chain.
- Active Industry Participation – Closely connected security threat ecosystem that includes collaborative research and vulnerability sharing.
- Continuous Vulnerability Testing – Need for a test infrastructure with automatic and continuous vulnerability testing.
- Ability to Secure Open Source – Open source requires close monitoring and accountability for repairing and disclosing security vulnerabilities.
- Proactive Industry Communication – Disciplined approach to communicating vulnerabilities and remediation.
The FDD memo is currently being covered in multiple publications and will be submitted as a Request for Information (RFI) for CISA’s “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.” As initiatives like CSC 2.0 help to drive stronger standards and regulations for firmware security, AMI is poised to lead the efforts to comply.