Thursday, June 10, 2021

How do people know what’s in their firmware?

Here's a quick summary of where we stand wrt firmware security...

Nearly all computers built since 2007 contain UEFI (Unified Extensible Firmware Interface). UEFI contains between two hundred, and a thousand compiled C programs, in Windows format. This is a format well understood, by attackers, and defenders, alike. They are all cryptographically signed, but this signature is only checked at flash time. What this means is that if something can get write access to the firmware, it can change whatever it likes, including by virus-like infection, and probably nothing will detect it. UEFI is immensely powerful, and is an operating system in its own right. It has its own network stack, and can download over the public internet, via HTTP or FTP, and can write anything it likes to the disk. We have even found some that have email capability.

UEFI runs at ring-1, or ring-2, well below ring-0, and is like 64bit, real mode, DOS. (Think about the implications of that for a minute)

Firmware attacks have already happened, viz. LoJax, and ShadowHammer, that we know about, and we know that the TrickBot ransomware gang has been spotted looking for machines with Secure Boot turned off. There will be others, just waiting to be discovered.

If you think ransomware is a problem now, wait until some of them gain persistence in firmware.

Even if you are not concerned about ransomware, consider this. The SolarWinds attackers were obviously technically capable of firmware attacks. They were in networks well long enough, and were clearly cunning enough to cover their tracks.

Given the “high profile” nature of some of their victims, this could be like a hidden bomb, waiting to be detonated.

I think it was the Marines who came up with the expression Left Of Bang. The idea is that when the improvised explosive, or road-side bomb, goes off, that’s “Bang”. Getting Left Of Bang means that you realize that something is not right, and maybe an ambush is coming, and you do whatever you have to do to prevent, or avoid, the Bang.

So how do you get Left Of (this sort of) Bang?

Whether you are using our software, or someone else’s, you have to start dumping, and analyzing, your firmware.

Even if there is nothing overtly malicious in it, you simply have to know what capabilities are in it, or you cannot properly defend your organization.

And, the answer to the opening question of, "How do people know what's in their firmware?" is...

They don't. Nearly everyone is using the Hope Method.

The Hope Method is not a method.

Folks, it’s coming. Please try to get ahead of it.