The firmware supply chain poses a serious security threat to modern enterprises. During development and transit, threat actors often replace original firmware components with malicious ones or inject harmful code into the firmware to attack the end customers.
With compromised firmware, attackers can control crucial systems and machines and exploit the vulnerabilities to bypass implemented security solutions and gain unauthorized access to sensitive information.
Today, firmware supply chain attacks should concern every business because attackers favor them: they are hard to detect and often succeed.
Unfortunately, many businesses are oblivious to the security threats posed by firmware supply chain attacks. A Microsoft security report found that 80% of enterprises have suffered a firmware attack. Most business leaders in the study said difficulties in detecting firmware security threats are the number one reason contributing to the increase in firmware attacks.
The potential repercussions of a successful firmware supply chain attack are severe. Attackers can wait years before striking at the moment the attack causes the most damage, take control of crucial systems, and leave IT infrastructure in an inoperable state. Also, the firmware supply chain attack surface is extensive and ever-expanding; hence businesses should consider it a top threat.
The cybersecurity blind spot
Supply chain compromises make firmware the cybersecurity blind spot for most organizations, causing attacks to be almost inevitable. Endpoint devices comprise 15 to 20 firmware components, and servers may contain at least thirty. As more and more endpoints connect to the corporate network, they represent possible entry points for threat actors who may have compromised any of the firmware components in the supply chain.
“Firmware’s privileged position in the computing stack gives stealthy attackers a major advantage,” notes a 2022 Department of Commerce and Homeland Security report.
Also, hackers pivot constantly to uncover new weaknesses to devise more creative, undetectable, and highly destructive attack methods. Since 2020, ransomware gangs have been targeting firmware and embedded systems in organizational network devices, such as routers and VPNs, because they are powerful attack vectors that lack sufficient security. Enterprises also place such devices in strategic locations in the network, and compromising them can cause prolonged network outages and disruptions.
The risks of such attacks are high because many contributors in a complex supply chain take part in developing embedded systems and firmware, and each contributor adds cybersecurity risk. Besides, a sophisticated global supply chain means endpoints and network devices may contain firmware components from different vendors, which adds to the complexity of securing an organization against firmware attacks.
Firmware vulnerabilities affect millions of devices
In 2022, a security company discovered multiple vulnerabilities that attackers could exploit to compromise millions of devices. Binarly, a firmware security firm, disclosed that exploiting the vulnerabilities can allow hackers to establish persistent access to the devices.
For instance, according to researchers, attackers can exploit security weaknesses in InsydeH2O UEFI firmware, used by major companies like Intel, HP, Siemens, Fujitsu, and Dell, leading to arbitrary code execution attacks and information disclosure.
Attackers can use similar vulnerabilities to achieve long-term persistence that is undetectable by, and resistant to, most cybersecurity products.
“A firmware implant is the final goal for an attacker to maintain persistence. The attacker can install the malicious implant on different levels of the firmware, either as a modified legitimate module or a standalone driver. This kind of malicious code can bypass Secure Boot by design and influence further boot stages,” notes Binarly CEO Alex Matrosov.
For firmware compromised in the supply chain, it could take 6-9 months to deliver a working patch, further increasing data breach and malware attack risks to businesses.
Supply chain attack impact
Firmware supply chain attacks are a serious concern for businesses since they can compromise system and device security. These attacks can lead to data breaches, intellectual property theft, and financial losses. Experts estimate that the cost of a data breach could reach $5 million in 2023. In addition, attacks can damage a company’s reputation, decreasing customer trust and loyalty. Thus, businesses must be vigilant and take necessary steps to protect their firmware supply chains.
Firmware is responsible for the low-level functions of a device. As such, an attack on firmware can give an attacker complete control over the compromised system, with serious consequences for businesses. Worryingly, firmware attacks can go undetected for long periods, giving attackers extended access to a business’s data and networks. Thus, implementing measures to detect and protect against firmware supply chain attacks is vital and urgent.
Business owners should also be concerned about firmware attacks in the supply chain because they can be challenging to detect and remediate. Since device or system firmware is often difficult to replace or update, exploitable vulnerabilities can allow hackers to remain undetected for long periods. Moreover, firmware is typically embedded in hardware, which increases challenges in updating or replacing compromised firmware components. Robust firmware management strategies, including regular updates and patching, should be a top consideration for all businesses.
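As an added illustration of the detection measures this section calls for (example code, not from the original article or any vendor tool): a manifest check that hashes each firmware component in a received image and compares it with a vendor-published list, flagging the two implant shapes Binarly describes above, a modified legitimate module and an added standalone driver. Component names and bytes are constructed placeholders, not real firmware.

```python
import hashlib
import hmac
from typing import Dict, List, Mapping

def component_digest(blob: bytes) -> str:
    """SHA-256 of one firmware component (e.g. a single UEFI module)."""
    return hashlib.sha256(blob).hexdigest()

def build_manifest(components: Mapping[str, bytes]) -> Dict[str, str]:
    """Known-good manifest: component name -> expected digest.
    In practice this comes signed from the vendor, not from the shipped image."""
    return {name: component_digest(blob) for name, blob in components.items()}

def verify_image(manifest: Mapping[str, str],
                 shipped: Mapping[str, bytes]) -> Dict[str, List[str]]:
    """Compare the components actually present in an image against the manifest.
    Reports modified modules, listed modules that are absent, and standalone
    modules the vendor never listed."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in shipped:
            report["missing"].append(name)
        elif not hmac.compare_digest(component_digest(shipped[name]), expected):
            report["modified"].append(name)
    for name in shipped:
        if name not in manifest:
            report["unexpected"].append(name)
    for names in report.values():
        names.sort()
    return report

# Constructed sample data (placeholder bytes, not real firmware): the
# vendor's golden build and the image as received after transit.
GOLDEN = {
    "bootloader": b"GOLDEN-BOOTLOADER-v1",
    "dxe_core": b"GOLDEN-DXE-CORE-v1",
    "nvme_driver": b"GOLDEN-NVME-DRIVER-v1",
}
MANIFEST = build_manifest(GOLDEN)

RECEIVED = dict(GOLDEN)
RECEIVED["nvme_driver"] = GOLDEN["nvme_driver"] + b"\x90\x90"  # legitimate module modified
del RECEIVED["dxe_core"]                                     # expected module removed
RECEIVED["extra_driver"] = b"UNLISTED-STANDALONE-DRIVER"      # standalone module added

if __name__ == "__main__":
    print(verify_image(MANIFEST, RECEIVED))
```

The manifest must arrive through a channel independent of the image itself, ideally vendor-signed; a hash list pulled from the same tampered delivery proves nothing.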
Furthermore, a single firmware compromise in the supply chain can affect multiple systems, causing widespread and severe impact. For instance, compromised firmware in a critical infrastructure system can cause physical damage and endanger human life. For this reason, firmware supply chain attacks are becoming increasingly common: attackers exploit these vulnerabilities precisely because the consequences are far-reaching, which highlights the need for businesses to be vigilant about their firmware supply chains.
Lack of control over suppliers' security practices
Businesses that rely on third-party suppliers for firmware are particularly vulnerable to supply chain attacks. Often, businesses may not have control over their suppliers’ security practices, making them more susceptible to attacks. Attackers frequently leverage firmware supply chain attacks to launch additional attacks, such as ransomware or distributed denial-of-service (DDoS) attacks. These attacks can result in significant financial losses, reputational damage, data and infrastructure unavailability, and service outage.
It is, therefore, vital for companies to vet their suppliers and other third parties to ensure they have implemented industry-standard cybersecurity programs to protect firmware components. It is also important to note that businesses often experience difficulties in defending against firmware supply chain attacks. The threat usually exploits supply chain weaknesses rather than security holes in the endpoint devices and systems themselves. Businesses have no control over the patch development and release process, since multiple parties are involved in developing and transporting vulnerable firmware components. And as stated, some firmware patches may take several months to reach the end user, which gives attackers ample time to exploit the vulnerabilities and launch attacks.
While regulatory bodies and industry standards organizations are increasingly mandating secure firmware and supply chain practices, this does little to counter the daily firmware supply chain threats businesses face. The global supply chain is highly interconnected, with multiple players worldwide, most of which prioritize profitability over security. As such, businesses will likely remain victims of firmware supply chain attacks as long as policies and regulations fail to establish industry-wide standards and procedures for secure code review that detect and eradicate malicious firmware components.
About Pulsar Security
Pulsar Security is a team of highly trained and qualified ethical hackers whose job is to leverage cybersecurity experience and proprietary tools to help businesses defend against malicious attacks. Pulsar is a veteran-owned, privately held business built on vision and trust, whose leadership has extensive military experience that enables it to think strategically and plan beyond the problems at hand. The team leverages offensive experience to offer solutions designed to help analyze and secure businesses of all sizes. Our industry experience and certifications show that our engineers have the industry's most esteemed and advanced on-the-ground experience and cybersecurity credentials.