Tuesday 17 February 2015

Firmware attacks

Read an article on the use of hard drive firmware to hide malware (http://www.reuters.com/article/2015/02/17/us-usa-cyberspying-idUSKBN0LK1QV20150217), to me it is not that surprising that it is being used as an attack vector. Firmware in general is a good target; look at the USB controller hacks (https://srlabs.de/badusb/) to see what can be done if a device can be attacked

Firmware is software but often stored in rewritable memory, as software it is open to the same bugs and problems as all software and hence have vulnerabilities. It also like software can be written to add additional functionality and rewritten to the storage media. All though vulnerabilities are being discovered in firmware, the firmware in devices is not updated as often as it should. The slowness in updating firmware in network devices contributed to the number of devices being detected as being susceptible to heartbleed in OpenSSL after most software was patched (http://www.technologyreview.com/news/526451/many-devices-will-never-be-patched-to-fix-heartbleed-bug/).

What surprised me is the article emphasised the need to have access to the source code. Firmware like software can be re-engineered, I do recall in my early days with a BBC Micro model B, stepping through code in the EPROMS that were used to extend the functionality of the computer.

A good programmer could step though the firmware in a hard drive or any device and determine the functionality of the routines. It should be possible to determine a suitable call that could be overwritten to point to malware and then return the execution back to the original routine.  This will be helped as the firmware is unlikely to complete fill the storage chips, leaving room for malicious code to be appended and stored.

The concept of the attack through the firmware in hard drives that is executed as a computer executes the bootup via BIOS or EFI can be expanded to any device including graphic cards that have code executed during initialisation.

When firmware with an autorun capability is combined with the universal plug and play capability that operating systems have, it is surprising they are not more attacks are not executed through this attack vector.

Think about the all the devices that use that have firmware within your network, or by your users that connect devices to the network. Can you be sure that they are not introducing malware into organisation? Consider a firewall or a multifunction device containing a worm that infects a network when it is plugged in or restarted, the possibilities and permutations are limited by ingenuity.

No comments:

Post a Comment