MY TAKE: Why locking down ‘firmware’ has now become the next big cybersecurity challenge

By Byron V. Acohido

Locking down firmware. This is fast becoming a profound new security challenge for all companies – one that can’t be pushed to a side burner.


I’m making this assertion as federal authorities have just commenced steps to remove and replace switching gear supplied, on the cheap, to smaller U.S. telecoms by Chinese tech giant Huawei. These are the carriers that provide Internet access to rural areas all across America.


Federal Communications Commission member Geoffrey Starks recently alluded to the possibility that China may have secretly coded the firmware in Huawei’s equipment to support cyber espionage and cyber infrastructure attacks.

This isn’t an outlier exposure, by any means. Firmware is the coding that’s embedded below the software layer on all computing devices, ranging from printers to hard drives and motherboards to routers and switches. Firmware carries out the low-level input/output tasks, without which the hardware would be inoperable.

However, the security of firmware has been largely overlooked over the past two decades. It has only been in the past four years or so that white hat researchers and black hat hackers have gravitated over to this unguarded terrain – and begun making hay.

I recently had the chance to discuss this with John Loucaides, vice-president of engineering at Eclypsium, a Beaverton, OR-based security startup that is introducing technology to scan for firmware vulnerabilities. Here are the big takeaways:

Bypassing protection

Firmware exposures are in the early phases of an all too familiar cycle. Remember when, over the course of the 2000s and 2010s, the cybersecurity industry innovated like crazy to address software flaws in operating systems and business applications? Vulnerability research took on a life of its own.

As threat actors wreaked havoc, companies strove to ingrain security into code writing, and make it incrementally harder to exploit flaws that inevitably surfaced in a vast threat landscape. Then, much the same cycle unfolded as virtual computing came along and became popular; and then the cycle repeated itself, yet again, as web browsers took center stage in digital commerce.

We’re in the very early stages of a similar cycle playing out with firmware exposures. “With security for the OS and virtualization maturing, the attackers are going down even deeper and hitting the firmware,” Loucaides said. “They’re able to bypass protections for operating systems and bypass protections for virtualization, as well as bypass almost any of the other protections in the system.”


One type of common firmware vulnerability isn’t so much a coding flaw as it is an architectural soft spot, if you will. For example, it is possible to install an update on many instances of firmware without ever having to produce a digital certificate verifying the authenticity of the fix.

This means anyone who can manage to gain access to the targeted computing device — either physically or remotely – is in a position to install a tainted firmware update. Typically, this will be an update that plants a rootkit or a back door – one that automatically persists, executing each time the compromised computing module is booted up.

This is already happening in the wild on a rising curve. In July 2015, researchers at FireEye described how hackers successfully modified the firmware of certain types of Cisco routers, putting themselves in prime position to surveil the victim’s network and potentially move laterally to different machines.

Notable flaws

Then there are the coding vulnerabilities known to be widely dispersed in business networks, just waiting to be discovered and exploited. The Meltdown and Spectre vulnerabilities that exist in Intel processing chips are a prime example.

Disclosed at the start of 2018, Meltdown and Spectre spin out of a technique adapted in the late 1990s, called “speculative execution,” which essentially takes shortcuts at the chip level, slightly delaying verification checks to buy more clock speed. Lo and behold, it turns out that speculative execution can be manipulated at the firmware level to gain access to sensitive data residing in the memory of the compromised device.

Another example is the set of vulnerabilities recently discovered in many of the baseboard management controllers, or BMCs, of servers. Eclypsium researchers last September disclosed how it’s possible to install an unauthorized firmware update in Supermicro BMC modules without being challenged for any type of cryptographic signature verification.

A few weeks later Bloomberg broke a huge story about how China managed to slip compromised firmware into the production line of several plants producing Supermicro motherboards. This involved arranging for the embedding of malicious code in a tiny BMC chip installed in brand new Supermicro servers – hardware that was subsequently put into service inside Apple, Amazon and more than two dozen other unnamed companies.

More recently, in March 2019, computer maker Asus confirmed reports that someone successfully hacked servers the company used to remotely issue firmware updates. The result: tainted firmware updates got remotely installed on some 70,0000 computers in the field.

Asus promised to strengthen security of its firmware update process. Notably the company declined to comment on reports that the hackers were tied to the Chinese government and were able to pull off the hack by using a stolen digital certificate to authenticate the tainted firmware updates.

Coming flare ups

Not long after the Asus disclosure, the FCC began publicly expressing its concerns that China may have, in fact, placed hidden backdoors in the firmware of switching equipment that Huawei supplied, so cheaply, to rural carriers.

Strategically, this would give China a foothold deep inside America’s communications infrastructure; it also improves China’s ability to disrupt infrastructure in the U.S., should they ever choose to attempt to do so. Commissioner Starks wisely is calling for removal and replacement of all of the Huawei telecom equipment.

Moving forward there’s every reason to expect firmware exposures and exploits to flare up at a rising clip. This is a natural offshoot of accelerating vulnerability research by both white hat researchers and black hat hackers. We’re in an early phase of a time-honored cycle, folks.

The good news is that there is a cadre of security startups and established vendors who, once again, are innovating like crazy to help companies get a handle on a fast-emerging exposure. This time it happens to be firmware.

Eclypsium is among them. Launched in 2017, the company is led by CEO and co-founder Yuriy Bulygin, who formerly led senior-level security teams at Intel, and CTO and co-founder Alex Bazhaniuk, also an Intel security alumnus. John Loucaides, the engineering chief, whom I interviewed, has deep Intel and U.S. government experience.

Eclypsium uses advanced firmware security technology to poke at a wide array of hardware interfaces, creating a known-good profile for each device. “We can then find deviations from that profile and identify devices that aren’t like other devices,” Loucaides told me. “In addition, we have a database of millions of firmware images that we’ve comprehensively analyzed, and we can tell you if a new device you turn on for the first time is in a normal state.”

This approach gives an organization “actionable visibility” into all of their firmware, he said. The idea is to provide a much more efficient and effective means of managing firmware vulnerabilities and keep security updates on course.
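To make the known-good-profile idea concrete, here is an added example (not Eclypsium's code or product logic) that checks a fleet's firmware image digests against a baseline and against peer devices of the same model. The host names, model names, image bytes and the `assess_fleet` helper are all constructed for illustration, and a whole-image SHA-256 stands in for a richer device profile.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed stand-ins for firmware images read back from devices.
GOOD_V1 = b"vendor-bmc-firmware-1.0"
GOOD_V2 = b"vendor-bmc-firmware-1.1"
MODIFIED = GOOD_V2 + b"\x00extra-module"      # same release, altered contents
UNSEEN = b"vendor-switch-firmware-3.2"

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

# Hypothetical known-good database: model -> digests of analyzed images.
KNOWN_GOOD = {"bmc-x": {digest(GOOD_V1), digest(GOOD_V2)}}

# Constructed fleet inventory: (host, model, firmware image).
FLEET = [
    ("srv-01", "bmc-x", GOOD_V2),
    ("srv-02", "bmc-x", GOOD_V2),
    ("srv-03", "bmc-x", GOOD_V2),
    ("srv-04", "bmc-x", GOOD_V1),
    ("srv-05", "bmc-x", MODIFIED),
    ("sw-01", "switch-y", UNSEEN),
]

def assess_fleet(fleet, known_good):
    """Return {host: finding} using a baseline check and a peer comparison."""
    by_model = defaultdict(list)
    for host, model, image in fleet:
        by_model[model].append((host, digest(image)))
    findings = {}
    for model, devices in by_model.items():
        # The most common digest among same-model devices is the peer norm.
        majority = Counter(d for _, d in devices).most_common(1)[0][0]
        for host, d in devices:
            if model not in known_good:
                findings[host] = "no-baseline"        # nothing to compare to
            elif d not in known_good[model]:
                findings[host] = "unknown-image"      # deviates from profile
            elif d != majority:
                findings[host] = "differs-from-peers" # valid but not like peers
            else:
                findings[host] = "ok"
    return findings

if __name__ == "__main__":
    for host, finding in sorted(assess_fleet(FLEET, KNOWN_GOOD).items()):
        print(f"{host}: {finding}")
```

The "differs-from-peers" case typically means a missed update rather than tampering, which is why it is reported separately from "unknown-image".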

Clearly, cybercriminals and state-adversaries can be expected to intensify firmware attacks. It’s encouraging to see robust technologies and best practices emerging to help companies mitigate these risks. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

