Origins of FirmwareThe term firmware was first coined back in 1967 and was meant to designate microprograms resident in the computer’s control memory but not the physical control memory itself. Originally, it referred to the contents of a writable control store containing microcode that defined and implemented the computer's instruction set and that could be reloaded to specialize or modify the instructions that the central processing unit (CPU) could execute at startup. How is it defined today? According to the Tech Terms dictionary, firmware is a software program or set of instructions programmed on a hardware device. It provides the necessary instructions (at startup) for how the device communicates with the other computer hardware. But how can software be programmed onto hardware? Good question. Firmware is typically stored in the flash ROM of a hardware device or its nonvolatile memory. Nonvolatile memory is a form of static random-access memory in which the contents are not lost when the device is rebooted or loses power. While ROM is "read-only memory," flash ROM can be erased and rewritten because it is actually a type of flash memory. Firmware can be found in many places such as startup and timing devices in home appliances, light bulbs, home thermostats, our automobiles, our computers and embedded or installed components such as storage systems. What about the networks routers, switches, firewalls and intrusion detection systems at the office, not to mention the Internet of Things? Yes and yes. Our phones, mp3 players, tablets and a host of other devices also contain firmware. Device manufacturers embed firmware into their products right at the factory. While the firmware in a smart light bulb may not need frequent updates, a smart thermostat may need to be updated periodically to remain compatible with its companion smartphone application. Updates are often issued to fix bugs, roll out new features and improve security. Some internet-capable devices regularly check for new firmware and automatically download and install it, while other device manufacturers require the user to visit the manufacturer's website to download firmware updates and install them manually.
Does Firm Imply Secure?For firmware to be vulnerable to malicious activity, it must have the means to be modified and to communicate with other devices and components. Many older devices use proprietary protocols or hard-coding as a means to communicate. Today, many of these devices are IP addressable, meaning they can be accessible by anyone with a device that can communicate on or over a network. These IP addressable devices can be accessed using the same protocols that have been standards for decades such as TCP, UDP, SSH, FTP, SCP, SFTP, TFTP, Telnet etc. Most support Internet Protocol Version 4 (IPv4), but many can also support the newer IPv6. While firmware is required for systems to start up and run properly, we must consider if our devices are IP addressable (i.e. they connect to a network) if they are susceptible to an attack. What if my phone or other devices start up and appear to run normally but are secretly collecting my keystrokes, running port scans or embedding viruses in my applications and web documents? What if they have been compromised and now could collect and forward data to the dark side of the internet? Should I be monitoring my firmware for malicious activity? Should the security software I choose to download include the ability to monitor firmware components? There are also some questions you may want to ask if you work in the security industry. Are there any commercial or federal standards the require system firmware to be monitored? Is my company or agency compliant to these standards? Am I personally taking responsibility to ensure my personal systems and devices are protected?
Security Introduced into the MixWith our computers, there is some out-of-the-box help today. Out with the old “BIOS” or “Basic Input Output (Instruction) Set” and in with the new “UEFI” or “Unified Extensible Firmware Interface.” UEFI supports “secure boot” and is a specification for a new generation of system firmware that provides the first instructions used by the CPU to startup hardware and passes the control to the bootloader. It helps ensure that your PC boots using only software that is trusted by the manufacturer. Microsoft Secure Boot is a component of Microsoft's Operating Systems that relies on the UEFI specification’s secure boot functionality to help prevent malicious software applications and "unauthorized" operating systems from loading during the system start-up process.
Regulatory or Security Compliance StandardsMost standards are getting tough on the requirement to monitor firmware. Many such as NERC and PCI include a policy that states software and hardware components must be regularly updated, this would include firmware as a component that must be updated. NIST 800-53 is one of the best at spelling this out. SP800-53 SI-7() requires that companies or agencies bound to this standard include a tool that can monitor the integrity of systems. The SP800-53 SI-7() Control Description states: The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]. Meanwhile, its Supplemental Guidance states the following:
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.There are 16 sub-sets of policy under NIST 800-53 SI-7(). These include:
- SI-7(1): SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS.
- SI-7(2): SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS
- SI-7(3): SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CENTRALLY-MANAGED INTEGRITY TOOLS
- SI-7(7): SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND RESPONSE