Whether or not you are in the tech industry, most people don’t think about firmware. This foundational layer is at the heart of every compute platform in today’s computers and IoT devices. Without firmware, technology wouldn’t function the way any consumer or industry needs.
Firmware is the key to powering up these devices, meaning it needs to be trusted and validated at boot time. But when firmware is ignored or overlooked, it becomes more vulnerable to security issues. According to the March 2021 Security Signals report from Microsoft, more than 80 percent of enterprises experienced a firmware attack within the past two years. How do we prioritize security and resolve the issue of forgotten firmware?
A Bevy of Embedded Devices + Data Centers
The vast amount of embedded, connected devices used today is one reason firmware security is more important than ever. For instance, when you use a credit card for a transaction, the card and information are processed not just through a chip reader. That device and the information and data it receives are typically being processed through hundreds of other devices to finalize the payment. All this to say that it’s not just one device, but multiple devices that need trusted firmware.
It doesn’t end with credit card transactions, either. Firmware powers every industry and device on the market today – from retail to medical and military technology, energy, transportation and aviation, and many more. Phones, tablets, computers and all the smart home tech we have today (Alexa, anyone?) include firmware.
Connecting all these devices – whether it’s the chip reader, a cell phone, a military satellite or even a voting machine – is the firmware within the data centers that are responsible for keeping them operational. In order for devices to be secure, the data centers also must be functional and secure. The multitude of devices we now have at our fingertips highlights the pervasiveness of firmware in modern society, and this has only broadened the attack surface for threat actors. Firmware exploits are a more common threat today.
Expanding Attack Surface
In just the last few months, the U.S. Department of Homeland Security and Department of Commerce called attention to the “large and ever-expanding attack surface” available to modern hackers to gain access to the core of compute systems. This comes after both organizations conducted an assessment of supply chains within the country’s infrastructure systems. This should ring alarm bells for any organization – if attackers can easily target core infrastructure of the United States, they can gain access nearly anywhere.
The lack of a plan or preparedness among organizations in regard to their firmware is the root cause of many firmware security issues. According to the Unified Extensible Firmware Interface Forum (UEFI):
- Less than one in four enterprises include firmware in processes and procedures for implementing new equipment
- More than one in three do not monitor firmware data or are not sure if this is happening within their organization
- More than one in three organizations did not receive feedback regarding firmware controls in their compliance audits
Overall, just 13 percent of enterprises and their security professionals implemented comprehensive security controls for their firmware. These numbers are concerning both for organizations running the systems and devices and end-users.
While the widespread lack of firmware security is cause for alarm, more awareness around the topic is one way to begin the conversation and set organizations on the right path.