In The Invisible Man, author H.G. Wells’ main character is stealthy, persistent, formidable and enthusiastically destructive. Those same characteristics describe the emerging class of malware known as firmware exploits.
Firmware attacks target the hard-coded programming written into nonvolatile memory in order to control the function of various hardware devices. Firmware has become an attractive target for hackers because exploits at this level are notoriously difficult to detect and fix. Information Systems Audit and Control Association (ISACA) research reveals that more than 50 percent of cybersecurity professionals reported at least one incident of malware-infected firmware in 2016.
The most well-known type of firmware is the Basic Input / Output System (BIOS) used to perform hardware initialization during a computer’s booting process, but there’s actually a tremendous amount of firmware in the technology we use. It’s in just about every PC component, including graphics cards, network interface cards, mice, keyboards and web cams. Routers, switches, smartphones, digital cameras and more also rely upon embedded firmware.
What makes firmware exploits so sinister is that they can give an attacker almost complete control of a machine — far more control than can be achieved with an operating system or application exploit. Firmware attacks can be nearly impossible to detect because conventional security scans and antimalware solutions don’t scan firmware.
Security researchers say firmware exploits are frequently overlooked because most security and IT managers are far more focused on threats such as Distributed Denial of Service attacks, phishing attacks and ransomware. They have their hands full with patch management, firewall configurations, identity management and more.
In an effort to counter firmware exploits, a number of companies are offering solutions with silicon-based security measures. This involves the use of silicon chips with embedded security features such as cryptographic processors, encryption acceleration and breach detection.
These security-embedded chips verify the boot process and create a “chain of trust” from the bare-metal hardware up to the operating system or hypervisor. It provides a “known good sequence” of expected actions at startup, and any deviation from this expected sequence will automatically generate alerts and mediation processes.
Hewlett Packard Enterprise (HPE) recently became the first to put silicon-based security into industry-standard servers with the introduction of its next-generation ProLiant portfolio. HPE’s custom Integrated Lights Out (iLO) silicon creates a trusted link with HPE iLO firmware to ensure servers do not execute compromised firmware code.
At boot, an iLO management controller is the first device initialized. The system cannot continue without that first handshake to iLO, establishing a secure initialization process. The handshakes continue to extend the protection throughout the chain, all the way up to the operating system and applications, ensuring a clean handoff of known good credentials with a continuous protection stream.
Additionally, HPE has built a number of security measures into the firmware itself. Access through an iLO portal involves a multilayer process that includes authentication, authorization, data integrity and security keys. iLO firmware is digitally signed with a private key that prohibits unauthorized code from executing.
In The Invisible Man, the villain doesn’t escape punishment for his crimes. He is eventually hunted down, captured and killed. By hardening its server hardware, using intelligence to better detect anomalies and adding encryption down to the component level, HPE is making it possible to bring firmware exploits to an equally decisive end.