The personal blog of our CTO, Lee Fisher will probably be well known to many of you: http://firmwaresecurity.com . All of us, including Lee will be blogging in this space on topics aimed more directly at our customers and and partners.
Perhaps the first question worth considering - what do you mean by firmware security? While our tools often run at the Operating System level, PreOS is working, as the name implies below the level of the Operating System most of the time. The top level of firmware you find in many embedded devices is often a full-blown operating system in the conventional sense. Multi-process support, threading and full multi-user access are available. There are no shortage of firmwares below this level, which are also critical from a security perspective.
Exploits have been discovered in the wild for the firmware at the BIOS and UEFI levels, as well as on storage devices, USB & PCI cards and even in HDMI monitors.
A fresh install of the operating system, or in the case of an IoT device, a reinstall of the os-level firmware is insufficient to avoid the impact of a comprimised lower level firmware.
Some of these firmwares can only be updated by physically pulling the chip from the system and reprogramming it with an EEPROM flash device. But many of them, and more all the time can be modified directly from within the operating system itself.
This is why the United States National Institute for Standards In Technology (NIST) guidelines recommend making golden images for BIOS & UEFI: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-147.pdf. Quote: “Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture.”
Many organizations, even extremely security concious ones do not follow the guidelines in NIST 800-147 today because of the difficulty involved. Yet the risk is there. PreOS Security can help.
If you are interested in becoming an alpha customer for our products, contact us at [email protected]