Firmware can be thought of as software installed in hardware. It often comes pre-installed on your computer or smartphone and is responsible for getting your device up and running when it comes out of the box. Components like your monitor, USB ports, and your camera work on firmware. Although firmware can be updated, it is not something that the average user can easily get to. It’s not like normal software that can be manipulated. There’s a good reason for this. No company wants competitors prying into their source code and learning important design secrets. Because it cannot be easily manipulated, firmware is often considered safe against hacking attacks. But if a user can’t ‘see’ into the firmware, how can they tell if the firmware is safe or not? Your normal antivirus program can’t do that for you because it can’t look that deep into the hardware.
So firmware, to be safe, must be completely closed down. If not, it can be open to serious attacks. One such attack is known as a Bad USB attack. Because so many devices or components can be connected to a computer through the USB port, USB firmware has to be somewhat malleable and be ready to accept a number of configurations. This is, unfortunately, its weak point. Any device plugged into a USB port could carry malware that can reprogram the firmware. Such malware can, for example, make the USB stick ‘look like’ a keyboard that a hacker can use to take control of the computer or smartphone. It can also be used to inject malware deep into the system and even rewrite the bios. In such a case, there is nothing the user can do to get rid of the problem. Even reinstalling the operating system won’t do it because the infected firmware will simply be installed with it.
Another way firmware can be infected is by having it compromised during the manufacturing process or at some place along the supply chain. This could be done by criminals or governments. Among the most prominent operators in this field are, to no surprise, the Chinese. Malware in firmware has been found in a variety of Chinese electronic products from kettles to e-cigarettes. On smartphones, it often has a surface manifestation such as a realistic looking icon. German security experts found such malware on a Chinese manufactured smartphone that was activated through a false Google Play Store icon. The malware could “retrieve personal data, intercept calls and online banking data, read emails and text messages or control the camera and microphone remotely“. As is true for all good firmware-based malware, it is impossible to remove. Since so many of the world’s electronic devices are made in China these days, and since the Chinese government can control the manufacturing process at any point, it is not surprising that firmware-based malware/spyware is present on so many products. But China is not alone in using firmware for unethical purposes.
Earlier this year, Kaspersky Labs detailed the operations of The Equation Group, “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques”. Kaspersky identified “two modules which allow reprogramming of the hard drive firmware of more than a dozen of the popular HDD brands. This is …the first known malware capable of infecting the hard drives.” This malware has “the ability to create an invisible, persistent area hidden inside the hard drive… used to save exfiltrated information which can be later retrieved by the attackers.” The malware also had the ability to compromise air-gapped computers. It is little wonder that Kaspersky once referred to this malware as “The Death Star of Malware Galaxy”.
Although the group used normal methods to get their malware on networks, they have occasionally gone one step further. For example, at a science conference in Houston, the group managed to replace CDs of conference materials with infected versions, thereby infecting any machine that used the CD. Through such techniques, the group targeted “Government and diplomatic institutions, Telecommunications, Aerospace, Energy, Nuclear research, Oil and Gas, Military, Nanotechnology, Islamic activists and scholars, Mass media, Transportation, Financial institutions and companies developing encryption technologies.” From the targets and the complexity of the malware, it doesn’t take much imagination to conclude that a nation-state was behind the malware’s development. (For a detailed description of this malware, read Kaspersky’s report here.)
Although most security experts agree that The Equation Group malware was designed by the NSA, Kaspersky never makes this connection. Maybe they have contractual obligations that they don’t want to jeopardize. In any event, it appears that this firmware- rewriting malware is only used on select targets, probably computers not connected to a network which also contain valuable information. It doesn’t matter if the information on these computers is encrypted because the malware exists below the encryption level. The malware also stores stolen files on hidden areas of the hard drive which can be retrieved at will by the attackers.
The malware replaces the original firmware with infected firmware which cannot be removed even when the firmware is updated. Even reinstalling the OS won’t work because the system will recognize the infected firmware as the real thing. In fact, the only way to stop the malware from persisting is to take a hammer and destroy the hardware. In other words, just get a new computer and start over from scratch.
The average person does not need to worry about this sort of attack, at least for the time being. The problem here is that other nation-state attackers may use this as a model to develop their own firmware malware. This would be easier to do if they have been the victims of such an attack and have been able to back-engineer some of the architecture. Recently, Apple Macs have been shown to be vulnerable to a firmware worm called, Thunderstrike and Thunderstrike 2. This simply shows that no operating system is safer than any other, and a number of security firms and security experts believe that firmware attacks are on the rise. In short, we may be on the verge of a whole new era of hacking.