Firmware Vulnerabilities Creating an Expanded Attack Surface

Back in 2009/2010, I was sitting in a hotel ballroom at a cyber security conference, listening to a security researcher talk about supply chain management security. He was speaking specifically to the risk of compromised hardware components shipped from overseas to the US. The talk was fascinating, and the attendees listened with rapt attention. Everyone agreed that this should be an area of heightened focus; hardware components were increasingly bought from manufacturers in countries known to employ nation-state threat actors targeting US firms. The justification for this risk: cost. What’s more, these hardware components could route through various geographic locations, introducing opportunity for tampering at various stages of the shipment, making vulnerability tracking exponentially difficult. The question became: Even if a trusted manufacturer quality checks components before shipment, how can recipients be certain that backdoors or implants weren’t added to the firmware along the way?

The best solutions offered during that discussion were to thoroughly vet partners/suppliers and to test components as they arrived. At the time, however, testing every component was a process no one in the room could fathom; analyzing firmware-level and chip-level code for security vulnerabilities required a specialized skill set based on manual work which created a high barrier to adoption. Still, device makers and enterprise security teams deploying and managing hardware (including laptops, servers, and networking infrastructure) needed visibility into vulnerabilities and exploits in the firmware on those devices.

If in 2009/2010 supply chain security was a concern, in 2019 it has become mandatory. The National Vulnerability Database recently announced that the number of reported firmware vulnerabilities has increased more than 30% since last year and is 6 times greater than reported firmware vulnerabilities from three years ago.

This data shows that the attack surface is expanding, and adversaries are taking note. The Spectre and Meltdown flaws jostled the security community into greater awareness of the scope of the problem—Intel chips manufactured over a 20-year period are exposed through their caching and speculative-execution behavior—but few firms have the ability to do something about it, even though firmware is generally the most privileged software running on a device and exploiting it could give an adversary full control.

Research-first focus

Eclypsium co-founder and CEO Yuriy Bulygin spent more than a decade at Intel, researching hardware and firmware vulnerabilities and leading the Advanced Threat Research team where he met future co-founder and CTO Alex Bazhaniuk and future VP of R&D John Loucaides. Together, the trio dove deep into the hardware/firmware space and participated heavily in the open source community. Bulygin then created CHIPSEC, a platform security assessment framework and open source community supported by Intel and Google, which helps feed Eclypsium’s strategy and execution today.

Founded in 2017, Eclypsium focused first on their comfort zone: researching “low level” vulnerabilities and attacks in firmware and hardware. The company’s research helped them quickly establish thought leadership and awareness, and build a product based on research that provides customers with “actionable tools that can be used to find vulnerabilities and threats in their hardware supply chains,” said Bulygin during a recent phone call. He believes the commitment to research and heavy involvement in the open source community have been key to the company’s success, earning them customers in both the U.S. federal government and private enterprise. It doesn’t hurt, of course, that Loucaides is a former NSA engineer and that Eclypsium, while under 50 people strong, employs Steve Mancini as Chief Information Security Officer, something Bulygin doesn’t see frequently among startups but feels is necessary to maintain their position in the marketplace.

More than asset inventory and analysis

From a product perspective, Bulygin explained to me that the goal of the platform is to give customers an easier, faster, and automated way to monitor devices for hardware/firmware risks and compromise. The problem is complicated: Myriad components comprise each device, each potentially including multiple firmware vulnerabilities; even if vulnerabilities are known, hardware is often not easy to patch without the risk of business disruption or downstream technology/dependency issues; and hardware can be scattered across on-premises, cloud, and hybrid environments, making it hard to find in the first place.

Eclypsium’s product is device- and environment-agnostic, allowing customers to scan every piece of IT hardware. The process extracts firmware images and configuration, which are sent to the Eclypsium Analytics engine; the engine analyzes the information, compares it against a global reputation database, and reports vulnerabilities, including outdated firmware as well as any unknown firmware modifications.

Once an inventory is complete, a kernel-level agent is deployed, allowing the platform to monitor firmware for infections, exploits, and anomalous behavior, and to alert the user if an issue is detected. From there, the user can take action—they can continue to monitor the device, block further communication to/from it, apply a patch (if appropriate), or remove the device altogether. Further, Eclypsium Analytics produces contextual information that helps customers determine risk. Eclypsium can look across a user’s environment and find all devices that have a specific vulnerability; it can determine which vulnerabilities have been patched and which ones haven’t; it provides information on how to patch a vulnerability and any issues with patching that have been reported (e.g., if an applied patch has caused bricks or reboots); and it supplies a risk score based on a combination of the Common Vulnerability Scoring System (CVSS) and threat data from Eclypsium’s own research team.
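One way to implement the inventory, reputation comparison and risk-scoring workflow described above, as an added Python example (not Eclypsium’s own code or data; the reputation database, advisory entries, exploitation list and device inventory are all constructed placeholders):

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for a firmware reputation database: per (vendor, component),
# digests of known-good images mapped to the version they carry (byte strings are placeholders).
KNOWN_GOOD = {
    ("acme", "uefi"): {sha256(b"acme-uefi-1.0"): "1.0", sha256(b"acme-uefi-1.1"): "1.1"},
    ("acme", "bmc"): {sha256(b"acme-bmc-2.3"): "2.3"},
}
LATEST = {("acme", "uefi"): "1.1", ("acme", "bmc"): "2.3"}
# Constructed advisory data: component -> [(affected version, CVSS base score)]
ADVISORIES = {("acme", "uefi"): [("1.0", 7.5)]}
# Constructed threat data: (vendor, component, version) with reported in-the-wild exploitation
EXPLOITED = {("acme", "uefi", "1.0")}

@dataclass
class Finding:
    device: str
    component: str
    status: str            # "ok", "outdated" or "unknown_modification"
    version: Optional[str]
    risk: float            # 0-10: CVSS base score plus a threat-intel uplift

def vtuple(v: str):
    return tuple(int(x) for x in v.split("."))

def assess(device: str, vendor: str, component: str, image: bytes) -> Finding:
    key = (vendor, component)
    version = KNOWN_GOOD.get(key, {}).get(sha256(image))
    if version is None:
        # Digest absent from the reputation DB: the image is unseen or was modified.
        return Finding(device, component, "unknown_modification", None, 10.0)
    cvss = max((s for v, s in ADVISORIES.get(key, []) if v == version), default=0.0)
    risk = min(10.0, cvss + (1.5 if (vendor, component, version) in EXPLOITED else 0.0))
    status = "outdated" if vtuple(version) < vtuple(LATEST[key]) else "ok"
    return Finding(device, component, status, version, risk)

# Constructed inventory: (device, vendor, component, extracted image bytes).
INVENTORY = [
    ("srv1", "acme", "uefi", b"acme-uefi-1.0"),
    ("srv2", "acme", "uefi", b"acme-uefi-1.1"),
    ("srv3", "acme", "bmc", b"acme-bmc-2.3" + b"\x90"),  # tampered image
]

def fleet_report():
    return [assess(*row) for row in INVENTORY]

def devices_affected(findings, component, version):
    # Fleet-wide query: which devices still run a given vulnerable version?
    return sorted(f.device for f in findings if f.component == component and f.version == version)
```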

Moving forward

In short, Bulygin says Eclypsium’s platform provides three core things: visibility into deployed hardware/firmware, detection of known and unknown implanted threats (based on global firmware reputation and whitelisting, static analysis, hardware behavioral profiling, and proprietary research), and firmware risk and patch management. Though a large part of cyber security today focuses on the operating system level and up, firmware attacks could lead to greater devastation, given that command and control over infected firmware would give an attacker full control of a server and the ability to leave behind implants that could remain undetected for years. Something as simple as a USB device or even a remote attack could be used to infect devices at any point in hardware’s supply chain—from build to shipment to installation—allowing an attacker to remotely exploit firmware. It’s an attack vector that has been widely recognized but largely ignored for many years, and Eclypsium is remedying that through a research-based, stepwise approach.