Digital Devices at Risk – Understanding and Countering Firmware Threats

Dr. Yuriy Bulygin is the CEO and founder of Eclypsium, the digital supply chain security company that helps organizations protect their critical hardware, firmware, and software.

Prior to Eclypsium, Yuriy was Chief Threat Researcher and led the Microprocessor Security Analysis team at Intel Corporation, as well as the Advanced Threat Research team at Intel Security.

He is also the creator of CHIPSEC, the popular open-source firmware and hardware supply chain security assessment framework.

When enterprises started using CHIPSEC to find vulnerabilities, discover compromised firmware, or just poke around hardware systems, Yuriy founded Eclypsium with Alex Bazhaniuk.

Since then Eclypsium has been on a mission to protect devices from supply chain risks.

In this interview, Yuriy highlights the potential vulnerabilities in the firmware (software running the hardware) in today’s digital devices, and the risk posed by threat actors.

Using a typical PC as an example, which involves contributions from over 265 suppliers, each with its components and code, he notes the ubiquity of software, and liken the supply chain of such a device to a “Wild West”:

“at any point in the supply chain, at any of those links in the supply chain, a compromise may happen”, and “ all of these components and all the code that is developed by those suppliers and vendors has vulnerabilities.”

He elaborated that “even if it’s OK now … 3 months from now, it can be compromised because of those vulnerabilities.”

To give an example, he referenced the recently discovered threat in the wild – “BlackLotus”, an evolution of threats based on open-source frameworks – e.g. Lojax, MosaicRegressor, Moon bounce – discovered in the past 3 to 4 years.

He highlighted the characteristics of such threats:

• These UEFI compromises allow attackers to compromise equipment remotely, for access or persistent malware installation.
• They cannot be removed by reinstalling operating system or reimaging or even replacing the hard drive.
• BlackLotus exploitation of the UEFI system vulnerabilities, particularly the Secure Boot – a fundamental security feature adopted by modern operating systems – sets it apart as an advanced threat, marking the first instance of such threats discovered “in the wild.”

He explained that compromising firmware is attractive for threat actors for many reasons:

• Stay hidden: Detection and protection controls operate at the software application level and above, but there is no equivalent for firmware.
• Achieve “Persistence” – where traditional mitigation measures cannot remove the malware/threats.
• Simplicity – for example, exploiting firmware vulnerabilities to gain access is much simpler than developing a very complicated exploit chain.

Gain high privileges – Remain hidden and persistent while gaining high level of privileges.

To mitigate against malicious firmware implants, Yuriy suggested,

1. assess the supply chain risks (e.g. potential vulnerabilities and threats introduced during procurement and deployment),
2. continuous monitoring of system integrity,
3. implement specialized technologies designed for malicious firmware detection.

Recorded at Singapore International Cyber Week / Govware 2023 – 18th October 2023, 3pm.

#mysecuritytv #govware #sicw