CISOs already have enough on their plates; adding new vulnerabilities to their own networks should not be one more item. Yet every day, business units, departments and individuals bring in connected devices, such as security cameras, VPN appliances, printers and phones, whose firmware may already be backdoored or otherwise compromised. These devices are the new vectors for intellectual property theft across many industries and their supply chains.

China is the most aggressive at exploiting the supply chain to steal IP, national-security information and corporate data, often by way of hard-coded backdoors. According to Bloomberg, China’s theft of technology is the biggest threat to corporate America and the US military. Russia, for its part, specializes in infiltrating the supply chain of trusted code, as the recent SolarWinds breach showed, on top of twenty years of cyber espionage and attacks.

And it doesn’t stop at the corporate or military level. Consumers are in the crosshairs too: research by the Florida Institute of Technology found backdoors and vulnerabilities in consumer doorbells and cameras sold for smart-home security.

Yet despite all the advances in cybersecurity products, monitoring and surveillance, cybercriminals and nation-state attackers are still getting away with attacks at an alarming rate.

How can this be, especially if CISOs are deploying the latest and greatest cybersecurity solutions?


Look at the firmware originating in the supply chain

The lack of industry regulation and the complexity of the global supply chain give vendors and suppliers an incentive to cut corners and push the responsibility for security onto their customers. This has to stop. A supplier that chooses to have some or all of its manufacturing done in China must be held accountable for that hardware being free of hard-coded backdoors and other easily exploitable vulnerabilities.

Organizations need to embed security controls before they take possession of a product. Here are seven of the most important security checks to cover during the procurement cycle for connected devices:

  • Known Exploits
  • Potential Zero-Day Threats
  • Known Vulnerabilities (CVEs)
  • Expired Crypto Keys and Certificates
  • Weak Security Settings
  • Hardcoded Passwords
  • Non-Compliance with IoT Security Standards

By running these checks on every connected device before it joins your network, you stop welcoming IP theft and data breaches with open arms. But what about the IoT devices already on your network?


Make IoT devices part of your vulnerability management program

It starts with knowing what you’re up against. There are three specific actions you can take to minimize the risk of IP theft through firmware supply chain attacks.

  • First, inventory every embedded and IoT device on your network. You have to know what is out there and whether the firmware running on it is vulnerable. Then prioritize the list by the damage to your organization if a given device turned out to contain an exploitable vulnerability or a backdoor that could be used to breach your network.
  • Second, conduct a firmware security analysis of these devices, or request one from your vendors. Do not assume that port scanners or network security tools will discover hidden backdoors and other attack vectors: a scanner sees an SSH or web service that looks perfectly normal, not the root password hash baked into the image or the private key shared by every unit shipped. The attack vectors in the examples above would have passed modern network scanning and security assessment tools with ease. Your teams need to perform a firmware security analysis, not a network security analysis. There is a difference.
  • Third, with that knowledge of what the firmware actually contains, formulate a defense plan around those threat vectors. That might mean heightened monitoring for abnormal traffic to and from the devices, a new set of firewall rules, or segmenting the device into its own VLAN to contain any potential impact. If you trust the vendor and the supply chain, ask whether firmware updates are available and apply them. Even if the manufacturer cannot or will not issue firmware security updates, knowing what you’re up against is better than not knowing at all.
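As an added example of what "a firmware security analysis, not a network security analysis" means in practice (this is illustrative code written for this page, not code from the article or from any vendor it refers to), the Python below runs several of the procurement checks listed earlier, namely hardcoded passwords, weak security settings, expired certificates and shipped private keys, over an extracted root filesystem. It assumes the image has already been unpacked with a tool such as binwalk or unblob and is presented as a dict of path to file bytes; the paths, file contents and the skeleton DER certificate are all constructed for the demo. Matching against known CVEs is left out because it needs an external vulnerability feed.

```python
# Added example (not from the article): static checks over an extracted
# firmware rootfs, given as a dict of path -> bytes (what you would get
# by walking a binwalk or unblob extraction directory).
import base64
import re
from datetime import datetime, timezone

def pem_to_der(text):
    """DER bytes of the first PEM block in text."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END", text, re.S)
    if not m:
        raise ValueError("no PEM block")
    return base64.b64decode("".join(m.group(1).split()))

def _der_walk(buf, pos=0, end=None):
    """Yield (tag, value) for each primitive DER element, descending into
    constructed ones (tag bit 0x20). Enough for X.509 validity fields."""
    end = len(buf) if end is None else end
    while pos < end:
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                        # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if tag & 0x20:
            yield from _der_walk(buf, pos, pos + length)
        else:
            yield tag, buf[pos:pos + length]
        pos += length

def cert_validity(der):
    """(notBefore, notAfter) of a DER certificate: the first two UTCTime (0x17)
    or GeneralizedTime (0x18) values in document order."""
    times = []
    for tag, val in _der_walk(der):
        if tag in (0x17, 0x18):
            s = val.decode("ascii")
            if tag == 0x17:                      # YYMMDD...: RFC 5280 century rule
                s = ("20" if int(s[:2]) < 50 else "19") + s
            times.append(datetime.strptime(s[:14], "%Y%m%d%H%M%S")
                         .replace(tzinfo=timezone.utc))
            if len(times) == 2:
                return times[0], times[1]
    raise ValueError("no validity period found")

WEAK_SETTINGS = [  # (path, regex, description)
    ("etc/inittab", r"\btelnetd\b", "telnet daemon started at boot"),
    ("etc/ssh/sshd_config", r"(?im)^\s*PermitRootLogin\s+yes", "sshd permits root login"),
    ("etc/ssh/sshd_config", r"(?im)^\s*PasswordAuthentication\s+yes",
     "sshd permits password authentication"),
]

def analyze_rootfs(files, now=None):
    """Return (severity, message) findings for an extracted rootfs."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # Hardcoded credentials: shadow entries that are empty or not locked (*, !).
    for line in files.get("etc/shadow", b"").decode(errors="replace").splitlines():
        user, _, rest = line.partition(":")
        pw = rest.split(":", 1)[0]
        if pw == "":
            findings.append(("HIGH", f"etc/shadow: '{user}' has an empty password"))
        elif not pw.startswith(("*", "!")):
            findings.append(("HIGH", f"etc/shadow: '{user}' has a baked-in password hash"))
    for path, pattern, desc in WEAK_SETTINGS:          # weak service settings
        if path in files and re.search(pattern, files[path].decode(errors="replace")):
            findings.append(("MEDIUM", f"{path}: {desc}"))
    # Key material: a private key in the image ships identically in every unit; certs are checked for expiry.
    for path, data in files.items():
        text = data.decode(errors="replace")
        if "PRIVATE KEY-----" in text:
            findings.append(("HIGH", f"{path}: private key shipped in firmware"))
        if "-----BEGIN CERTIFICATE-----" in text:
            try:
                _, not_after = cert_validity(pem_to_der(text))
            except ValueError:
                continue
            if not_after < now:
                findings.append(("MEDIUM", f"{path}: certificate expired {not_after.date()}"))
    return findings

# Constructed sample rootfs, made up for this example (not a real device). The
# "certificate" is a DER skeleton with only a serial number and a validity period.
FAKE_CERT_DER = (b"\x30\x23\x30\x21\x02\x01\x01"
                 b"\x17\x0d200101000000Z\x17\x0d210101000000Z")
SAMPLE_ROOTFS = {
    "etc/shadow": (b"root:$1$abc$Hw0Lr1bCs5pX2kq3.V7b20:19000:0:99999:7:::\n"
                   b"daemon:*:19000:0:99999:7:::\n"
                   b"admin::19000:0:99999:7:::\n"),
    "etc/inittab": b"::sysinit:/etc/init.d/rcS\n::respawn:/usr/sbin/telnetd -l /bin/sh\n",
    "etc/ssh/sshd_config": b"Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n",
    "etc/ssl/device.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "etc/ssl/device.crt": (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_CERT_DER)
                           + b"-----END CERTIFICATE-----\n"),
}
SAMPLE_NOW = datetime(2023, 1, 1, tzinfo=timezone.utc)   # fixed "today" for repeatable output

if __name__ == "__main__":
    for sev, msg in analyze_rootfs(SAMPLE_ROOTFS, now=SAMPLE_NOW):
        print(f"[{sev}] {msg}")
```

A port scanner pointed at this constructed device would report SSH and telnet listening and nothing more; every finding above comes from the image itself. To run the checks on a real extraction, build the dict by walking the extraction directory and reading each file as bytes, and treat the regex list as a starting point to extend with the services your devices actually run.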

Just as organizations require a show of security and compliance due diligence for their enterprise applications, they should require the same of their IoT devices, and they should put the same pressure on their suppliers. Failure to act is a failure to lead. It’s time to step up.