Black Hat: Hacking the firmware, the next frontier

Trick the firmware and you have access to the whole system. Here at Black Hat, there are a lot of people doing just that.

Trick the firmware and you have access to the whole system. Here at Black Hat, there are a lot of people doing just that.

With the onslaught of embedded devices hitting the streets, we see such devices with the operating system, hardware interfaces, and user-facing applications baked into a single blob called firmware. Trick the firmware and you have access to the whole system. Here at Black Hat, there are a lot of people doing just that.

Lately, these entire systems are being compromised for use in all kinds of attacks, like botnets, redirection or amplification attacks, and rogue beachheads from which to pivot to new attacks.

But with the fire-and-forget approach to hardware from many vendors, especially IoT vendors, the patch cycle is unpredictable at best, and possibly non-existent.

That gives rise to rogue actors packaging firmware “upgrades” for your device that may have nasty code wrapped in them, but otherwise perform as you would expect, so you’d be upgrading your way to getting hacked.

There are tools to verify the firmware you download is legitimate, but often this is the realm of the professional IT person, not the millions of people who just rely on search results to pick their download site, and get more than they bargained for in the process.

No? Ask your friends how they would validate firmware for a router using a checksum provided by a vendor. If you’re here at Black Hat, maybe, but the other 99% of the users would be in the dark.

But firmware is starting to run everything, as we relegate the myriad of daily duties like house security, alarms, security cameras and the like to these firmware-toting devices. So not only would we need to verify the legitimacy of firmware, but we’d also need to do it for each of the new gadgets we use. That just won’t happen in a practical way.

And your friends probably won’t, but if they do ask for advice, the best you can offer is to keep up with firmware updates in the first place, and help them figure out how to update their devices.

The next is to convince them to only download firmware from the manufacturer’s website. There are many fake download sites that bundle your download with junkware by optimizing search terms so they pop up high in the rankings above the manufacture’s website, bundling things like download management software along with the files you really need.

While your friends may never learn to code assembly or dig into the bits and bytes, they will need to start putting firmware security in the forefront as the new platforms that need to be maintained.

Meanwhile, here at Black Hat there are new tools released attempting to break firmware. As the tools become more widely available, and trained on new devices, they will become more effective.

Also, since many examples of firmware use a relatively stable operating system as the foundation, if any exploits are released against the underlying operating system itself, the whole firmware stack becomes unstable.

Luckily, there are hardware vendors who are busy baking in security checks to attest to the authenticity of any firmware to be loaded on the device, embedding a sort of “signature” for acceptable firmware releases that are authorized to run. It’s a positive step, and one that will continue to increase in popularity as firmware blankets the globe on new tiny devices. Meanwhile, you need to have a firmware plan.

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center