Firmware malware are persistent and particularly hard to detect. This is because their infection chains typically target computing components with Ring 0 access privileges and higher. The control privileges are far beyond what a typical computer user controls and are at the intersection of hardware and memory communications.
Access to firmware allows attackers to modify hardware responses, system memory, and installed applications. Malware attacks can be executed through numerous modes, including via Bluetooth, Wi-Fi, and over standard internet connections.
Why Firmware Malware Is So Formidable
The following is are some of the reasons why firmware malware are so hard to overcome.
1. Malware Can Circumvent Regular Antimalware Tools
Firmware malware has the ability to corrupt high-privilege layers. Because security applications are controlled by the operating system running on top of firmware, compromised firmware can be used to gain access to every installed software. A firmware intrusion also allows malicious entities to implant code that enables remote administration of the infected machine.
2. Malware Is Persistent
Firmware malware is incredibly hard to root out once it gets ahold of a machine. Even temporary solutions (such as using virtualizers) only offer short-term reprieve by preventing whole sectors from being compromised simultaneously.
Changing operating systems and re-imaging the system also doesn’t solve the problem. A complete firmware update is usually recommended to overcome the issue, and in extreme cases, a hardware upgrade.
3. Malware Takes Over Preboot Operations
Firmware malware usually gains operational control of a system even before it boots. This is because it controls the hardware and booting sequence protocols.
In recent years, a significant number have targeted the Intel Manageability Engine (ME), a subsystem in Intel chipsets that is situated in the Platform Controller Hub.
The Management Engine operates even when the computer is off, and the only way to completely shut it down is to unplug the computer or remove the battery if it’s a laptop.
As such, firmware malware targeting the ME system operates on an almost continuous cycle without going through verification sequences, thereby making detection exceptionally hard. The good news is that pulling off a successful ME exploit is hard. In instances where such intrusions occur, state-sponsored actors are usually involved.
Common Attack Vectors
Basic Input/Output System (BIOS) and Unified Extensible Firmware Interface (UEFI) systems are usually the primary vectors for firmware attacks. Infections are usually carried out via rootkits and bootkits.
1. BIOS Malware Attacks
BIOS-level malware usually rewrites the BIOS code and injects a malicious one. Because BIOS is located in memory rather than in the hard drive, this type of malware can’t be detected using regular antivirus.
Technically, reprogramming the BIOS is a task that can only be performed by a superuser. Most BIOS firmware codes are designed to prevent this by blocking edits on the Serial Peripheral Interface (SPI). They also attempt to limit System Management Mode (SMM) and BIOS interactions to uphold BIOS integrity.
System Management Mode (SMM) is present in x86-based processors. Because of its high memory privileges, it is used by hackers to access the operating system and firmware.
Unfortunately, many firmware providers only apply superficial security safeguards to these sensitive areas, thus allowing some critical modifications to be made by malicious entities.
2. UEFI Firmware Malware
UEFI, just like BIOS, runs when the computer is starting and before the OS launches. It operates in a chip embedded on the motherboard. Firmware attackers usually try to modify its code to have systematic control over a machine.
Some UEFI intrusion malware leverage intrusion versions of tools such as RWEverything, which allow hackers to reprogram firmware. In some instances, they utilize them to hijack the SPI controller, which in turn manages the UEFI.
Many malicious UEFI kits start by analyzing whether it is unlocked or write-protected. UEFI firmware is typically supposed to be write-protected, but some vendors leave this option open. This allows hackers to implant their own UEFI patches.
Prevention of Firmware Attacks
The following are some of the mitigation measures that should be taken to prevent firmware malware.
1. Scan for Compromises
To prevent a system from firmware attacks, the integrity of the BIOS or UEFI should be first checked. CHIPSEC framework is among the premier recommended tools. It scans the BIOS for corrupted sectors and generates a report indicating whether the configurations are locked or not. It also shows those that have been modified.
It is important to note that the framework is by no means sufficient in preventing attacks and is merely a diagnostics tool.
2. Enable TPM
Enabling Trusted Platform Module (TPM) in BIOS after buying a new machine enhances security. The feature validates the integrity of the hardware through cryptographic hashing.
It checks whether the master boot record (MBR) and option ROM configuration-hashes match the expected value. Resolving to the expected value means that their codes have not been tampered with.
3. Use Machines with Intel BootGuard
It is best to use a computer with Intel BootGuard enabled. Many modern computers come with this feature. It prevents the machine from relying on unsigned firmware images. Like TPM, it also relies on an algorithmic hashing protocol to verify the information.
4. Enabling Windows Defender System Guard in Windows 10
Windows Defender System Guard in Windows 10 has a feature that prevents firmware attacks by ensuring secure boot through hypervisor-based attestation and Dynamic Root of Trust (DRTM). Windows 10 also has a UEFI scan engine that scans for firmware malware.
The scanner compares insights from chipset manufacturers to guarantee integrity and is an extension of Microsoft Defender ATP.
Firmware Malware Solutions Are Getting Better
PC manufacturers are beginning to pay greater attention to firmware malware, especially because this group of threats has the capacity to infect entire networks. Tech giants such as Microsoft are also beginning to take a proactive role by providing easy mitigation solutions.
Microsoft already has a class of PCs specifically equipped to prevent firmware attacks. Dubbed Secured-core PCs, they come with kernel-level protection made possible through Virtualization-based security (VBS), Windows hypervisor code integrity (HVCI), and Dynamic root of trust measurement (DRTM).
Online security companies such as Kaspersky and ESET are also fighting back and now have their own UEFI scanners.