Should firms be more worried about firmware cyber-attacks?

Computing giant Microsoft recently put out a report claiming that businesses globally are neglecting a key aspect of their cyber-security – the need to protect computers, servers and other devices from firmware attacks.

Its survey of 1,000 cyber-security decision makers at enterprises across multiple industries in the UK, US, Germany, Japan and China found that 80% of firms have experienced at least one firmware attack in the past two years.

Yet only 29% of security budgets have been allocated to protect firmware.

However, the new report comes on the back of a recent significant security vulnerability affecting Microsoft’s widely-used Exchange email system.

And the computing giant launched a range of extra-secure Windows 10 computers last year that it says will prevent firmware from being tampered with.

So is this just an attempt to divert attention and sell more PCs, or should businesses be more worried?

Firmware is a type of permanent software code used to control each hardware component in a PC.

Increasingly, cyber-criminals are designing malware that quietly tampers with the firmware on motherboards, which tells the PC how to start up, or with the firmware in hardware drivers.

This is a sneaky way to bypass a computer’s operating system and any software designed to detect malware, because the firmware code lives in the hardware, a layer below the operating system.

Security experts have told the BBC that even if IT departments are following cyber-security best practices like patching security vulnerabilities in software, or protecting corporate networks from malicious intrusions, many firms are still forgetting about the firmware.

“People don’t think about it in terms of their patching – it’s not often updated, and when it is, sometimes it breaks things,” explains Australian cyber-security researcher Robert Potter.

Mr Potter built the Washington Post’s cyber-security operations centre and has advised the Australian government on cyber-security.

“Firmware patching can sometimes be tricky, so for a lot of companies, it’s become a blind spot.”
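The blind spot described above is easiest to close with a routine inventory check. The script below is an added example, not code from the article or from any of the people quoted in it: on a Linux host it reads the BIOS/UEFI version and release date that the kernel exposes under /sys/class/dmi/id and the UEFI SecureBoot variable under efivarfs, then flags firmware that has not been updated for a long time and firmware whose tamper protection (Secure Boot) is switched off. The sysfs and efivarfs paths are real Linux locations; the two-year age threshold and the sample values are assumptions.

```python
"""Added example: a small firmware-posture inventory check for Linux hosts.

Flags the two conditions the article calls a blind spot: firmware that has
not been updated for a long time, and firmware whose tamper protection
(Secure Boot) is disabled.  The paths are real Linux sysfs/efivarfs
locations; the age threshold is an assumption for illustration.
"""
import datetime as dt
from pathlib import Path

DMI_DIR = Path("/sys/class/dmi/id")
# efivarfs exposes each UEFI variable as a file: 4 bytes of attribute flags
# (little-endian uint32) followed by the variable's data.  SecureBoot holds a
# single data byte, 1 = enforcing.
SECUREBOOT_VAR = Path(
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
)
MAX_FIRMWARE_AGE_DAYS = 2 * 365  # assumption: flag firmware older than about two years


def parse_secureboot(raw):
    """Return True/False for the Secure Boot state, or None if the data is malformed."""
    if raw is None or len(raw) < 5:
        return None
    return raw[4] == 1


def parse_bios_date(text):
    """DMI bios_date is MM/DD/YYYY (a few boards emit MM/DD/YY); None if unparseable."""
    text = text.strip()
    for fmt in ("%m/%d/%Y", "%m/%d/%y"):
        try:
            return dt.datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None


def assess(bios_vendor, bios_version, bios_date_text, secureboot_raw, today=None):
    """Build the findings list for one host from the raw file contents.

    `today` may be a date, an ISO date string, or None (meaning the real date).
    """
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    today = today or dt.date.today()
    findings = []

    release = parse_bios_date(bios_date_text)
    if release is None:
        findings.append("bios_date unreadable: cannot judge firmware age")
    elif (today - release).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(
            f"firmware {bios_vendor.strip()} {bios_version.strip()} released "
            f"{release.isoformat()}, older than {MAX_FIRMWARE_AGE_DAYS} days"
        )

    sb = parse_secureboot(secureboot_raw)
    if sb is None:
        findings.append("Secure Boot state unknown (legacy BIOS boot or efivarfs not mounted)")
    elif not sb:
        findings.append("Secure Boot disabled: firmware and boot chain are not verified")
    return findings


def read_host():
    """Collect the inputs from the running host (Linux only) and assess them."""
    def dmi(name):
        p = DMI_DIR / name
        return p.read_text() if p.exists() else ""

    raw = SECUREBOOT_VAR.read_bytes() if SECUREBOOT_VAR.exists() else None
    return assess(dmi("bios_vendor"), dmi("bios_version"), dmi("bios_date"), raw)


if __name__ == "__main__":
    for line in read_host() or ["no firmware findings"]:
        print(line)
```

Run it from a configuration-management or monitoring job and forward the findings list; an empty list means the host has recent firmware and Secure Boot enforcing, which is the baseline the quoted researchers say most firms never verify.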

There have been several major firmware attacks discovered in the last two years, such as RobbinHood, a ransomware strain that uses firmware to gain root access to a victim’s computer and then encrypts all files until a Bitcoin ransom has been paid. This malware held the data of several US city governments hostage in May 2019.

Another example is Thunderspy, an attack that utilises the direct memory access (DMA) function that PC hardware components use to talk to each other.

This attack is so stealthy that an attacker can read and copy all data on a computer without leaving a trace, and it is possible even if the hard drive is encrypted and the computer is locked or asleep.

“If device firmware has no protection in place, or if the protection can be bypassed, then firmware compromise is both incredibly serious and potentially invisible,” explains Chris Boyd, a malware intelligence analyst at security firm Malwarebytes.

“Remote or physical compromise which permits rogue code to run can set the stage for data theft, system damage, spying, and more.”

The good news is that firmware attacks are less likely to target consumers, but big firms should beware, according to Gabriel Cirlig, a security researcher with US cyber-security firm Human (formerly White Ops).

“It is a big deal, but fortunately it only works against big organisations, because you need to target specific types of motherboards and firmware,” he tells the BBC.

Typically, cyber-criminals attack operating systems and popular software, because they only make money if they can infect the largest number of end users.

Firmware attacks are less common and more complicated to implement than other types of cyber-attacks, but unfortunately the coronavirus pandemic has accelerated the problem.