Computing giant Microsoft recently put out a report claiming that businesses globally are neglecting a key aspect of their cyber-security – the need to protect computers, servers and other devices from firmware attacks.
Its survey of 1,000 cyber-security decision makers at enterprises across multiple industries in the UK, US, Germany, Japan and China has revealed that 80% of firms have experienced at least one firmware attack in the past two years.
Yet only 29% of security budgets have been allocated to protect firmware.
However, the new report comes on the back of a recent significant security vulnerability affecting Microsoft’s widely-used Exchange email system.
And the computing giant launched a range of extra-secure Windows 10 computers last year that it says will prevent firmware from being tampered with.
So is this just an attempt to divert attention and sell more PCs, or should businesses be more worried?
How a firmware attack works
Firmware is a type of permanent software code used to control each hardware component in a PC.
Increasingly, cyber-criminals are designing malware that quietly tampers with the firmware in motherboards, which tell the PC to start up, or with the firmware in hardware drivers.
This is a sneaky way to neatly bypass a computer’s operating system or any software designed to detect malware, because the firmware code is in the hardware, which is a layer below the operating system.
Security experts have told the BBC that even if IT departments are following cyber-security best practices like patching security vulnerabilities in software, or protecting corporate networks from malicious intrusions, many firms are still forgetting about the firmware.
“People don’t think about it in terms of their patching – it’s not often updated, and when it is, sometimes it breaks things,” explains Australian cyber-security researcher Robert Potter.
Mr Potter built the Washington Post’s cyber-security operations centre and has advised the Australian government on cyber-security.
“Firmware patching can sometimes be tricky, so for a lot of companies, it’s become a blind spot.”
There have been several major firmware attacks discovered in the last two years, such as RobbinHood, a ransomware that uses firmware to gain root access to a victim’s computer and then encrypts all files until a Bitcoin ransom has been paid. This malware held the data of several US city governments hostage in May 2019.
Another example is Thunderspy, an attack that utilises the direct memory access (DMA) function that PC hardware components use to talk to each other.
This attack is so stealthy that an attacker can read and copy all data on a computer without leaving a trace, and the attack is possible even if the hard drive is encrypted, the computer is locked, or set to sleep.
“If device firmware has no protection in place, or if the protection can be bypassed, then firmware compromise is both incredibly serious and potentially invisible,” explains Chris Boyd, a malware intelligence analyst at security firm Malwarebytes.
“Remote or physical compromise which permits rogue code to run can set the stage for data theft, system damage, spying, and more.”
Big organisations beware
The good news is that firmware attacks are less likely to target consumers, but big firms should beware, according to Gabriel Cirlig, a security researcher with US cyber-security firm Human (formerly White Ops).
“It is a big deal, but fortunately it only works against big organisations, because you need to target specific types of motherboards and firmware,” he tells the BBC.
Typically, cyber-criminals tend to attack operating systems and popular software, because they only make money if they can infect the biggest numbers of end users.
Firmware attacks are less common and more complicated to implement than other types of cyber-attacks, but unfortunately the coronavirus pandemic has accelerated the problem.
The National Institute of Standards and Technology (NIST), an agency within the US Department of Commerce, continually updates a National Vulnerability Database (NVD) with new security flaws.
The database has recorded a five-fold increase in attacks against firmware in the last four years.
Coronavirus lockdowns in multiple countries have led to multiple employees working from home and connecting remotely to work servers. Each one of those computers and mobile devices is an opportunity.
Carrying out a firmware attack might be complex, says Mr Cirlig, but if attackers could silently steal critical information from a c-suite executive’s laptop, like passwords, they could then use it to infiltrate a company’s networks and steal more data.
Nation-state hackers would be most likely to use such an attack, he adds.
“This is a big operation with big pay-offs – it’s not something that a small group of cyber-criminals has the manpower to do.”
Creeping soon into a network near you
Although firmware attacks are not as ubiquitous as phishing scams, malware or other cyber-attacks, the cyber-security experts the BBC spoke to say now is the time for businesses, and the technology industry as a whole, to pay attention to hardware security.
“Firmware attacks are not common on a day-to-day basis, but that’s because people don’t realise they’re being infected by such an attack,” says Mr Boyd.
“It’s like when ransomware first came onto the scene – people didn’t know of anyone who was infected by it, and if big organisations were, they wouldn’t tell anyone about it, as there was an element of shame, not wanting their clients to know they’d been infected.”
Mr Boyd adds that a new generation of “budding hardware enthusiasts” who have been learning their way around firmware by “modding video game consoles over the last decade” could well pose additional threats to enterprise cyber-security going forward – a point Mt Cirlig fervently agrees with, since he hacked the firmware in his own car when he was younger.
“Microsoft is right to raise this as a major issue, because we need to bring firmware designers and operational technologies along the journey of cyber-security, the way we have with software companies,” says Mr Potter.
“As we connect more things to the internet, we’re connecting a lot more devices that haven’t been designed with cyber-security in mind. And if the trend continues, bad guys will go after it.”