Firmware attacks are growing increasingly popular among software hackers. Despite efforts to issue patches for firmware, reported attacks are on the uptick.

For instance, Ruben Santamarta, a security researcher at IOActive, recently posted a blog in which he describes how he directed the firmware of a counterfeit money detector to force the system to literally accept any piece of paper as legitimate currency.

This follows Jeroen Domburg’s research article about tampering with firmware earlier this year. Domburg wrote a step-by-step article about reverse engineering enough of a Western Digital hard drive’s firmware to successfully inject a Trojan onto the hard drive. The Trojan allowed root access to a system where the drive was installed. The article reveals the process.

Furthermore, there are rumors of Trojans in BIOS and device firmware in Lenovo systems. While the claims may or may not be true, they are worrisome in principle for any part of the IT supply chain. For example, five years ago the U.S. government was worried about the possibility of counterfeit Cisco routers in the government supply chain.

I can’t think of anywhere I’ve worked, consulted or visited where they have a process in place that would catch any of these attack techniques. In terms of the bank note validation, a simple procedure to test the system with legitimate and illegitimate bills and paper would suffice to catch the first iteration of this type of attack. The drive firmware is much more worrying, especially in terms of things such as the forensics processes used to deal with evidence of a crime.

With off-the-shelf micro-controllers and the techniques and tools for reverse engineering becoming cheaper and more readily available, the old “obscurity cloak” is no longer effective against even a hobbyist sitting in Starbucks with their laptop and a handful of tools.

Because firmware as a vector is becoming increasingly popular, we need to look both at validating the firmware of deployed systems (SCADA and non-SCADA) and at designing systems where that validation is easy and repeatable.
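As an added illustration of what a repeatable validation step can look like (example code, not from the post or any vendor), the block below records SHA-256 digests of known-good firmware images in a manifest sealed with an HMAC, then checks a dumped image from a deployed device against it; device names, images and the key are constructed placeholders, and it distinguishes a tampered image from a tampered manifest or a device not yet baselined.

```python
import hashlib
import hmac
import json

# Constructed sample: known-good firmware images as received from the vendor,
# keyed by (device model, firmware version). Real images would be files.
GOOD_IMAGES = {
    ("drive-model-A", "1.02"): b"\x7fFW-A-1.02" + bytes(range(64)),
    ("note-validator-B", "3.1"): b"\x7fFW-B-3.1" + bytes(range(64, 128)),
}
# Assumed: a key held offline by the team that builds the baseline, so a
# manifest altered on the inspection host is detected as well.
MANIFEST_KEY = b"constructed-offline-manifest-key"


def build_manifest(images, key):
    """Hash each known-good image and seal the whole record with an HMAC."""
    entries = {f"{model}/{version}": hashlib.sha256(img).hexdigest()
               for (model, version), img in images.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_firmware(dump, model, version, manifest, key):
    """Compare a firmware dump from a deployed device with the baseline.

    Returns 'ok', 'mismatch' (image differs from the known-good one),
    'unknown-device' (no baseline for this model/version) or
    'bad-manifest' (the manifest itself fails its HMAC).
    """
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return "bad-manifest"
    expected = manifest["entries"].get(f"{model}/{version}")
    if expected is None:
        return "unknown-device"
    actual = hashlib.sha256(dump).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


if __name__ == "__main__":
    manifest = build_manifest(GOOD_IMAGES, MANIFEST_KEY)
    pristine = GOOD_IMAGES[("drive-model-A", "1.02")]
    altered = bytearray(pristine)
    altered[20] ^= 0x01  # one flipped bit, as a tampered image would differ
    print(verify_firmware(pristine, "drive-model-A", "1.02", manifest, MANIFEST_KEY))
    print(verify_firmware(bytes(altered), "drive-model-A", "1.02", manifest, MANIFEST_KEY))
```

Re-running the check after every maintenance window, and on any device that leaves the chain of custody, is what makes the validation repeatable rather than a one-off.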
