Supply chain attacks resulting from malicious or compromised components in the supply chain increased by a shocking 633% in 2022! The networked interdependencies in the firmware supply chain have largely contributed to the attacks rising to unprecedented levels. Also, a lack of awareness of firmware-level security has caused most companies to overlook the threats from a long and complex supply chain involved in firmware development and transit.
In a 2022 report, 76% of the organizations participating in the study admitted that they are largely unaware of their firmware footprint, and 100% said that firmware blind spots create visibility challenges in detecting and preventing firmware supply chain attacks. Despite lacking the required visibility, most cybersecurity professionals recognize that the landscape of digital warfare is shifting rapidly. Practitioners understand that dealing effectively with firmware-based attacks requires enhanced threat-modeling and mitigation procedures. 92% of cybersecurity experts fear that attackers' methods for launching firmware attacks exceed their preventative measures, and 61% are not confident that they can detect and stop a firmware exploit.
By and large, firmware supply chain attacks are causing sleepless nights for cybersecurity teams across all industries, and the following reasons explain why.
Unsecured Supply Chain Channel
The many channels in the supply chain, such as third-party vendors, distributors, and contractors, widen the opening for firmware supply chain attacks. The firmware supply chain involves numerous parties in developing and transporting firmware components, which makes it difficult to ensure security across the entire chain. It takes only one party lacking appropriate security controls, or failing to adhere to security practices, to compromise the whole supply chain channel. Attackers are only too happy to exploit such security deficiencies to inject malicious firmware components and code. For instance, if a vendor's network or infrastructure is vulnerable, attackers can compromise it to inject malicious firmware into the supply chain, affecting businesses and end-user consumers.
Insufficient & Ineffective Security Controls
Some parties in the firmware supply chain may fail to implement sufficient security controls when writing code or creating new components. Thus, if firmware supply chain channels lack robust security controls, such as authentication, encryption, and authorization, attackers can manipulate the existing weak controls to inject malicious firmware components or tamper with legitimate firmware.
Also, firmware components require verifiable physical security during transportation to prevent threat actors from injecting harmful components that can enable attacks targeting companies or critical infrastructure.
In this regard, suppliers and vendors should utilize authentication mechanisms, such as digital signatures or cryptographic hashes, to verify the integrity of firmware components and their sources, preventing unauthorized modifications. Similarly, encryption mechanisms can protect firmware components from unauthorized access or tampering.
Lack of Transparency & Visibility into the Supply Chain
The global firmware supply chain is highly interconnected, interdependent, and complex. Consequently, the resulting lack of visibility and transparency makes it a breeding ground for firmware supply chain attacks.
The numerous parties, such as manufacturers and open-source developers, involved in developing firmware components are spread across different locations, making it difficult to maintain visibility into their cybersecurity practices.
This lack of transparency can result in attackers hiding their malicious activity in the supply chain. For example, hackers may create counterfeit firmware components that resemble legitimate components. Unaware vendors may integrate these components in the final firmware versions and distribute them to thousands of organizations, exposing them to numerous threats and attacks.
Inadequate Testing & Quality Assurance Procedures
Insufficient quality assurance and testing procedures during the assembly and manufacturing of firmware components contribute to the increase in firmware supply chain attacks. Frequently, in a rush to ship as many components as possible and sustain high profitability, some suppliers and third parties overlook the security testing required to identify and mitigate possible security threats.
This can leave unidentified vulnerabilities and weaknesses in the firmware embedded in crucial operating systems and endpoint devices, giving hackers an opportunity to launch attacks. Attackers can exploit these weaknesses to compromise the firmware and inject malicious components, leading to more firmware supply chain attacks.
Use of Counterfeit or Substandard Firmware Components
Vendors in the supply chain may use substandard and counterfeit components during firmware development and deployment. The components pose a significant risk to firmware security. In particular, attackers can use counterfeit components to inject malicious firmware into the supply chain or tamper with legitimate firmware.
Unfortunately, insufficient validation and verification of firmware components and their sources in the supply chain process leads to the intentional or accidental inclusion of malicious components, contributing to firmware supply chain attacks. Therefore, firmware components should undergo rigorous validation and verification procedures throughout the supply chain process to ensure that vendors use only legitimate and secure components when developing firmware.
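The validation step described here, together with the digital signatures and cryptographic hashes recommended under Insufficient & Ineffective Security Controls, as an added example written for this article rather than code from the original or from any vendor: a constructed manifest lists the SHA-256 digest of every firmware component, the vendor signs the manifest with Ed25519, and the receiving party checks the signature (source) before checking each component's digest (integrity) and rejecting any part the vendor never signed. The manifest format, component names and keys are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps component name to expected SHA-256 digest (constructed format, not a vendor's).
type Manifest map[string][32]byte
// BuildManifest is the signer-side step: digest every component to be shipped.
func BuildManifest(components map[string][]byte) Manifest {
	m := Manifest{}
	for name, blob := range components {
		m[name] = sha256.Sum256(blob)
	}
	return m
}
// Encode renders the manifest in sorted order so signer and verifier
// sign and check exactly the same bytes.
func (m Manifest) Encode() []byte {
	lines := make([]string, 0, len(m))
	for name, d := range m {
		lines = append(lines, fmt.Sprintf("%s %x\n", name, d[:]))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, ""))
}
// VerifyFirmware checks the source first (the vendor's Ed25519 signature over the
// manifest), then each component's integrity, then rejects unsigned extra parts.
func VerifyFirmware(vendorPub ed25519.PublicKey, m Manifest, sig []byte, components map[string][]byte) error {
	if !ed25519.Verify(vendorPub, m.Encode(), sig) {
		return errors.New("manifest signature invalid: untrusted source or altered manifest")
	}
	for name, want := range m {
		blob, ok := components[name]
		if !ok {
			return fmt.Errorf("component %q listed in manifest but missing", name)
		}
		if sha256.Sum256(blob) != want {
			return fmt.Errorf("component %q digest mismatch: altered or counterfeit", name)
		}
	}
	if len(components) != len(m) { // every listed part was found, so any surplus is unsigned
		return fmt.Errorf("%d unsigned component(s) present", len(components)-len(m))
	}
	return nil
}
```

The order matters: a digest check alone would accept a counterfeit bundle shipped with its own matching manifest, so the signature over the manifest is what ties the digests to the vendor.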
Insider Threats or Malicious Actors
Insider threats, such as disgruntled employees or contractors in the supply chain, pose a significant risk to firmware security. Such insiders may have access to critical firmware components or to sensitive information like the code used in those components, and they can abuse their privileged access permissions to inject malicious firmware or compromise legitimate firmware.
Once the compromised firmware components reach the market, attackers can manipulate the injected malicious code to grant themselves access permissions that they can abuse to launch malware or data exfiltration attacks on the affected devices. Manufacturers and developers must implement appropriate access control mechanisms and monitor the activities of everyone with access to critical components to counter insider threats.
Lack of Security Focused Design & Development Practices
DevSecOps is a crucial development practice that all parties in the supply chain must observe. Nevertheless, some vendors, suppliers, and coders may fail to adhere to the recommended security-focused design and development practices when creating firmware components. Security should be a fundamental aspect of firmware development and manufacturing since insecure development practices can result in vulnerabilities in firmware. Unmitigated weaknesses make it easier for attackers to exploit and compromise firmware, increasing firmware supply chain attacks.
In addition, dependence on outdated or unsupported firmware components contributes to the rise of firmware supply chain attacks. Outdated and unsupported firmware versions can pose a significant risk to an organization's firmware security, since attackers are likely to target the known vulnerabilities and weaknesses in those versions to launch severe attacks. Therefore, building on up-to-date and supported firmware components effectively reduces the attacks reported in the firmware supply chain.
About Pulsar Security
Pulsar Security is a team of highly trained and qualified ethical hackers whose job is to leverage cybersecurity experience and proprietary tools to help businesses defend against malicious attacks. Pulsar is a Veteran-owned, privately held business built on vision and trust, whose leadership has extensive military experience that enables it to think strategically and plan beyond the problems at hand. The team leverages offensive experience to offer solutions designed to help analyze and secure businesses of all sizes. Our industry experience and certifications reflect that our engineers have the industry's most esteemed and advanced on-the-ground experience and cybersecurity credentials.