Wednesday, July 29, 2020

A couple of firmware stats to think about.

So, anyway, just for fun, I grabbed about 1,500 firmware blobs, randomly, from our collection, and ran a few Yara scans over them... just to see... this is what I found.

Total firmware blobs under test: 1520
Number containing overt update capabilities: 581
Number containing overt email capabilities: 117
Number containing some password reset capabilities:1287
Number containing the word 'backdoor': 260

I am still not seeing why firmware should send email, and some even use EHLO, but, oh well...I'm sure there is a good reason.

And, on one hand it's good that firmware has update capabilities, but I still feel nervous about firmware updating over the Internet, using HTTP or FTP. What could go wrong? Oh, that's right ... ShadowHammer already showed what could go wrong.

These updaters, by the way, are the obvious ones... firmware has its own network stack, so there could be other updaters that are a bit obfuscated. No one knows.

And, it's understandable that firmware would need some password reset capabilities, but it's a bit awkward that some contain the word "backdoor".

Now, I have no reason to think any of these are actually malicious, but ... without looking closely, we have no way to be sure. Some could be, and we just don't know, without looking really closely, and I believe that most organizations _are not_ looking at firmware at all, let alone closely. This stuff is immensely powerful, and always remember, functionality and security tend to exist in an inverse relationship.

We may be confident that nation-states are looking hard at firmware attacks, and we may be equally confident that the ransomware players are also trying.

Everyone is using the Hope Method, and this has to change.

If they can get into the firmware of computers, tablets, phones, or IoT, they can persist indefintely, and can either move sideways from there, or simply surveil the network. This would be a Bad Thing(tm).

To keep our critical infrastructure, financial institutions, and medical institutions, safe, everyone in those industries needs to start capturing their firmware, and monitoring it, and if they don't, they're going to regret it.

Stay tuned, folks.

No comments: