It has become increasingly difficult to identify cyber threats because the landscape keeps growing broader. The leading trend in breaches, according to Verizon’s latest Data Breach Investigations Report, is the use of stolen credentials, but adversaries may already be onto the next variety of attack. The Conti ransomware gang is reportedly targeting the Intel Management Engine for firmware attacks.

Vulnerabilities within the firmware of Internet of Things (IoT) devices represent the next massive growth area of exploit surfaces, and organizations need to know how to identify this threat and respond accordingly. 

The devices that make life easier (common office and home staples like printers, door locks, cable boxes, or smart lights) are also juicy targets for attackers: they act as conduits for lateral movement and can lead to larger-scale attacks. The devices are usually stale, don’t update on their own, and are often forgotten; no one remembers to patch them or even that they’re connected to the network. Asset owners often don’t have visibility into what these devices are doing in the background, but the devices typically generate enough activity to attract adversaries to the noise.

Let’s take a look at the anatomy of a breach, the ensuing business impact, and what organizations can do to defend the firmware of their assets. 

How cyber attackers exploit attack vectors

A common thread among attack vectors is unpatched known vulnerabilities, or N-day vulnerabilities. According to research from Kaspersky, nearly 30% of the critical vulnerabilities in routers published in 2021 remain unpatched by vendors, highlighting a potential issue for those working remotely. But N-days have an even larger scope, including software updates that may exist for the device in question but haven’t been applied or actively sought out. Adversaries will look for an N-day first because most of the information they need to gain access to a device, and ultimately a network, is free and open source. 

There are also zero-day vulnerabilities, which are unknown even to the vendor but which the attacker discovers based on available firmware and some reconnaissance. These are harder to defend against and are a secret weapon for the attacker.

Adversaries may also gain access by finding a tangential vulnerability that is related to an N-day, but wasn’t patched correctly. They’ll download the software from the vendor’s website and reverse engineer as much as they can to find an exploit. Then, they’ll try it in a test environment and, eventually, the real world. Adversaries don’t always attack right away. They sometimes maintain access and monitor network activity to gain even more insight before they strike.

Vedere Labs recently released a report on next-generation ransomware, demonstrating a proof of concept for how it can originate with an IoT breach. The report found that IoT, Internet of Medical Things (IoMT), and operational technology (OT) devices account for 44% of the total devices in enterprise networks, meaning that if adversaries are only focused on IT targets they’re missing a big piece of the pie. 

The downstream effect of exploited vulnerabilities

If a manufacturer knows about a vulnerability and doesn't patch it, it may be liable for a customer’s loss after a successful attack. Ransomware events have already brought such lawsuits, like the Tesla and PepsiCo class action lawsuit against Kronos.

Manufacturers need to consider brand risk, because the last thing they want is to see their name in a headline due to an attack. According to research from the Ponemon Institute, 59% of device manufacturers report lost sales due to product security concerns, so there is a clear business incentive to better protect firmware.

Customers of device manufacturers are becoming more demanding, asking for software bills of materials (SBOMs) to better understand what is inside a device and what potential risk they may be facing by connecting it to their network. SBOMs were included in last year’s executive order as a requirement for software vendors working with the federal government.

The Cybersecurity and Infrastructure Security Agency (CISA) planned listening sessions in July “to advance the software and security communities’ understanding of SBOM creation, use, and implementation across the broader technology ecosystem.”

SBOMs can offer quality Common Vulnerabilities and Exposures (CVE) information, which can lead to good patching and remediation. Increased use of SBOMs should raise the bar for firmware security and get more people to pay attention to what’s inside their devices. 

How to defend firmware

Many organizations are focused on network and endpoint security, and the rising threat should elevate firmware security among those concerns, too. Asking for SBOMs from any vendor you’re working with is table stakes for device security. If a vendor can’t produce one, it hasn't put the time into understanding what's in its software, and you probably don’t want to blindly accept that risk. 

Manufacturers that are more mature with firmware security can produce SBOMs in multiple formats, perform configuration analysis to detect components that may be vulnerable, and integrate Vulnerability Exploitability eXchange (VEX) to prove mitigation efforts. Other analyses may be precursors to finding zero-day vulnerabilities, and any additional security measures may prevent an attacker from exploiting a CVE.
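
As an added example (not code from this article or from any vendor it mentions), the sketch below shows how an asset owner might triage a CycloneDX-style SBOM with embedded VEX analysis states, separating CVEs the vendor has closed from those that still need action. The sample document, component versions and CVE ids are constructed placeholders, and treating a "not_affected" claim without a justification as still open is this example's own policy.

```python
import json

# Constructed sample: CycloneDX-style SBOM with embedded VEX analysis for a
# hypothetical firmware image. CVE ids and versions are placeholders.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
  {"bom-ref": "c1", "name": "busybox", "version": "0.0.1"},
  {"bom-ref": "c2", "name": "openssl", "version": "0.0.2"},
  {"bom-ref": "c3", "name": "dropbear", "version": "0.0.3"}],
 "vulnerabilities": [
  {"id": "CVE-0000-0001", "affects": [{"ref": "c1"}],
   "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
  {"id": "CVE-0000-0002", "affects": [{"ref": "c2"}],
   "analysis": {"state": "exploitable"}},
  {"id": "CVE-0000-0003", "affects": [{"ref": "c3"}]},
  {"id": "CVE-0000-0004", "affects": [{"ref": "c1"}],
   "analysis": {"state": "not_affected"}},
  {"id": "CVE-0000-0005", "affects": [{"ref": "c9"}],
   "analysis": {"state": "resolved"}}]}
"""

# VEX states in which the vendor asserts that no further action is needed.
CLOSED = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def triage(bom):
    """Split findings into open, closed-by-VEX, and dangling references."""
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    open_, closed, dangling = [], [], []
    for vuln in bom.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        state = analysis.get("state", "in_triage")  # no statement yet: stays open
        # Policy assumed for this example: an unjustified not_affected proves nothing.
        if state == "not_affected" and not analysis.get("justification"):
            state = "not_affected_unjustified"
        for target in vuln.get("affects", []):
            comp = comps.get(target["ref"])
            if comp is None:  # VEX names a component the SBOM does not list
                dangling.append((vuln["id"], target["ref"]))
                continue
            row = (vuln["id"], f"{comp['name']}@{comp['version']}", state)
            (closed if state in CLOSED else open_).append(row)
    return open_, closed, dangling

if __name__ == "__main__":
    for label, rows in zip(("OPEN", "CLOSED", "DANGLING"), triage(json.loads(SBOM_JSON))):
        print(label, rows)
```

A dangling reference means the VEX statement and the SBOM disagree about what is in the image, which is worth raising with the vendor before trusting either document.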

Across the board, manufacturers are getting smarter, particularly in the automotive and network device industries, but firmware attacks are gaining popularity, too. Device manufacturers, asset owners, and ultimately end users should all be aware of the risks associated with these connected devices and just how serious those risks are.