Device and chip makers have an obligation to improve their firmware protection to defend against threats. If nothing else, they need to defend themselves. Selling products that are later revealed to have vulnerabilities is expensive and bad for the company’s reputation. Therefore, instead of taking a reactive approach, original equipment manufacturers (OEMs) should take the time to improve firmware protection by establishing a firmware risk mitigation process.
Improving Firmware Protection with Risk Mitigation
Industry Groups and Public Sector Support
The good news is that various industry groups and public sector organizations have already done a great deal of heavy lifting to improve firmware protection. Part of their work involves developing and promoting firmware standards and specifications that cover security. For example, the Unified Extensible Firmware Interface Forum publishes the UEFI specification, including the UEFI Secure Boot feature.
This standard describes how firmware should be built to verify the state of any code before it is run as part of the boot process. Under UEFI Secure Boot, code that has been modified or damaged will not run. Thus, even if malware is injected, it is significantly less likely to run and cause harm. The UEFI Secure Boot standard has been implemented across many Windows-based and Linux-based platforms, including desktops, notebooks, tablets, IoT devices, and servers.
Trusted Computing Group (TCG) is another organization improving firmware protection. TCG designs hardware that can store and protect platform secrets like encryption keys and other data that need to be secure. Its Trusted Platform Module (TPM) covers this precious data through a chip or software chip emulation. In addition to developing solutions, it also contributes to security attestation standards such as NIST 800-155 and cyber resilience standards like NIST 800-193.
TCG oversees a wide range of category-specific working groups that publish specifications and guidance documents, including:
- PC Working Group maintains the PC Client Platform Firmware Profile Specification, PC Client Platform Firmware Integrity Measurement Specification, and EFI Protocol Specification.
- Device Identifier Composition Engine (DICE) is working to define how small, low-cost devices can develop a secure identity and root of trust. This would enable them to begin the process of attestation without the need for a TPM chip and other hardware.
Original Equipment Manufacturer (OEM) Responsibility
While the work of these groups is of great use to the industry, it is still up to OEMs to:
- Implement recommendations and standards
- Monitor all of the specifications and vulnerability alerts
- Develop and distribute patches for vulnerabilities once they become aware of them
Unfortunately, not all organizations have the resources or expertise to establish and implement these processes. In general, the process tends to be intimidating, making the operationalization of firmware risk mitigation uneven across the industry.
Some OEMs are diligent about firmware protection and ongoing patching. They may even have an automated firmware updating service that pushes patches to end-user devices. However, not all OEMs patch firmware. This is not a healthy state of affairs, but it is very real. This deficiency is due to a lack of resources, expertise, or both. The result is a firmware ecosystem that is rife with unremediated vulnerabilities.
Some attackers are highly organized and even automated. For example, the Trickbot botnet automatically scans hardware worldwide for malware vulnerabilities and enables malicious actors to read, write or erase firmware.
While some OEMs are diligent about firmware protection and patching, the reality is that many OEMs do not remediate firmware vulnerabilities.
Outsource Firmware Protection to the Experts
Building a firmware protection and risk mitigation program in-house is difficult, even for large and well-resourced organizations. It requires consistent effort and focus to stay on top of firmware vulnerabilities.
Employees may lack the necessary depth of expertise. Many manufacturing and security engineers are more interested in working at the application or operating system level than focusing on firmware. Developing and testing patches for firmware is labor- and time-intensive and must be maintained for years, even decades, after manufacture.
Even for embedded developers, firmware is quite an esoteric field — but the stakes are critically high.
Outsourcing your firmware protection and risk mitigation offers several benefits. The right provider will be backed by significant engineering experience and specific knowledge with a proven track record in this field. They’ll ensure that the OEM is notified of the firmware vulnerabilities that can affect its products and develop effective patches. Their efforts will be timely, reducing the exposure window in which a vulnerability can manifest as a security incident or product recall.
Outsource Risk Mitigation with Phoenix Technologies
Phoenix offers a security subscription service that helps manufacturers track and remediate firmware vulnerabilities. Our established Phoenix Security Team is one of the largest and most experienced groups of firmware development experts in the world with a proven track record of providing security-related services. In addition, we receive firmware security notifications from industry partners, groups, and security agencies and actively monitor security conferences and public internet sources.
Phoenix maintains a comprehensive and detailed vulnerabilities database and sophisticated vulnerability response processes. With our Phoenix FirmCare security-as-a-service program, we quickly identify security gaps, develop patches and help manufacturers successfully deploy them.
Phoenix chairs the UEFI Security Response Team (USRT) and has deeply rooted and strong relationships with the major silicon vendors. Our established relationships allow us to be among the first to know when new firmware threats emerge, so we are ready to help our clients combat them before the threats are publicly announced. Our well-defined internal processes streamline the entire disclosure timeline, from initial report through patching and validation. We can produce patches before vulnerabilities are disclosed publicly and help OEMs and original design manufacturers (ODMs) do the same. Our external processes ensure that manufacturers are notified of newly discovered threats and are aware of the engineering status throughout the disclosure timeline. In addition to threat notifications, we regularly issue security advisories to our licensees with detailed information about known product vulnerabilities, patches, and mitigations. These advisories include the Common Vulnerability Scoring System (CVSS) for firmware vulnerabilities to indicate the severity of each threat and references to additional external sources of information.
Additional Phoenix Solutions
Phoenix also provides a range of security products and services to keep devices and firmware secure. We’re able to quickly deliver these solutions by working closely with silicon and OS vendors, along with OEM and ODM customers, distribution partners, and industry groups.
- Phoenix SecureWipeTM: Securely erase all data and partitions on solid-statedrives (SSDs) and hard disk drives (HDDs) from the firmware, independent of the OS.
- Phoenix PassKeyTM: Combine firmware-enforced start-up protection with physical authentication devices, such as smartphone/Bluetooth or FIDO devices to provide resilient firmware-rooted anti-intrusion security for PCs.
- Phoenix BIOS Self-Healing: Automatically recover firmware from the last known backup with no user intervention when your system is in crisis.
- Phoenix Remote Management Console: Easily monitor, configure and update firmware remotely from a single management console using the industry-standard Redfish framework.
- Phoenix FirmCareTM: An annual support package that includes the monitoring and notification of identified firmware vulnerabilities. Patch creation and delivery are also available for devices that use original Phoenix firmware.