Why Firmware Is So Vulnerable to Hacking, and What Can Be Done About It

When Kaspersky Lab revealed last week that it had uncovered a sophisticated piece of malware designed to plant malicious code inside the firmware of computers, it should have surprised no one. And that’s not just because documents leaked by Edward Snowden have shown that spy agencies like the NSA have an intense interest in hacking […]
517501401
Getty Images

When Kaspersky Lab revealed last week that it had uncovered a sophisticated piece of malware designed to plant malicious code inside the firmware of computers, it should have surprised no one.

And that's not just because documents leaked by Edward Snowden have shown that spy agencies like the NSA have an intense interest in hacking the firmware of systems, but also because other researchers have shown in the past how insecure firmware---in nearly all systems---is.

Computers contain a lot of firmware, all of which is potentially vulnerable to hacking---everything from USB keyboards and web cams to graphics and sound cards. Even computer batteries have firmware.

"There’s firmware everywhere in your computer, and all of it is risky," says security researcher Karsten Nohl, who demonstrated last year how he could embed malicious code in the firmware of USB sticks. There's also firmware in all of our popular digital gadgets---smartphones and smart TVs, digital cameras, and music players.

Most of it is vulnerable for the same reasons the firmware the Equation Group targeted is vulnerable: it was never designed to be secure. Most hardware makers don't cryptographically sign the firmware embedded in their systems nor include authentication features in their devices that can recognize signed firmware even if they did.

Although random hackers wouldn't be able to pull off what the Equation Group did in a consistent and stable manner---developing a single module that can reflash the firmware on more than a dozen different hard drive brands and steal data from them without crashing systems---other forms of firmware hacking have been successfully demonstrated.

There has been a lot of theoretical research done on firmware hacking over the years and a few proof-of-concept demonstrations as well. In 2011, security researcher Charlie Miller found that chips in Apple laptop lithium ion batteries were shipped with default passwords, allowing anyone who discovered the password and learned how to manipulate the firmware to potentially install malware that infects the computer and gives a hacker a persistent hold on it even after the operating system is reinstalled. To demonstrate the firmware vulnerability, he altered the firmware of Apple laptop batteries to trick them into reporting a low charge that would cause the charger to overcharge them until they were bricked.

The USB research of Nohl and Jakob Lell showed how they could hide attack code on USB sticks to hijack a computer, alter files or redirect a user's internet traffic to a malicious site.

But not all gadgets and devices are equally vulnerable. One of the few companies that makes hacking its firmware difficult is Apple, which digitally signs firmware and firmware updates for the iPhone. But hackers don't need to alter the firmware to subvert the iPhone. Instead, says Costin Raiu, head of Kaspersky Lab's Global Research and Analysis Team, they could go after firmware in the baseband---the component that allows the phone to connect to cellular networks.

"If you want to put something deeply hidden into the iPhone you can put it in the the baseband," he says, "though this isn't easy to do."

In 2011, researcher Ralf-Philipp Weinmann did just this after finding security vulnerabilities in the firmware of mobile phone chipsets produced by Qualcomm and Infineon Technologies. Weinmann showed how he could subvert the firmware to hack an iPhone and an Android phone and turn them into remote listening devices. The hack wasn't easy, however. Weinmann had to set up a fake cell tower and get the target phones to connect to it in order to deliver his malicious code.

Countermeasures

So what can you do about these firmware security issues? Unfortunately, there's very little. Antivirus products currently don't scan a computer's firmware for malicious code and doing so is not a simple task. So countermeasures for the firmware insecurities are largely in the hands of hardware and chip makers.

Hardware makers should design any firmware or firmware update they distribute to be cryptographically signed. They should also add authentication capability to hardware devices so they can check and verify those signatures. Another protective measure would be to add a write-protect switch on the device side to prevent anyone who is unauthorized from flashing the firmware.

All of these measures would guard against low-level hackers subverting the firmware, but persistent attackers could simply steal the master keys to sign their malicious code and subvert the authentication or write protection.

An additional countermeasure, says Raiu, would be for hardware vendors to give user's the ability to easily read their machine's firmware and establish if it has changed since installation.

If vendors provided a checksum of the firmware and firmware updates they distribute, users could periodically check it to see if it differed from the original. A checksum is a cryptographic representation of data that is created by running the data through an algorithm to produce a unique identifier composed of letters and numbers. Each checksum is supposed to be unique so that if anything changes in the dataset, it will produce a different checksum.

But security changes for firmware could take years to implement say researchers.

"If everyone started fixing this now, it would probably be fixed on most computers in five to ten years," says Nohl. And that's only if vendors feel pressure from consumers to provide firmware security. Unfortunately, he says "[N]o one right now has an incentive to start fixing it."

Andy Greenberg contributed reporting to this piece.