Skip to main content
Cover

How to Handle Malicious Firmware

Firmware modifications attack (Cui, Costello and Stolfo, 2013) was researched before. The way of a massive attack on hard disk firmwares like this scale has not been fully understood. This paper intends to explore potential ways to handle the scenario.

Intro

Firmware Integrity Verification

Recent research in device attestation (Li, McCune and Perrig, 2011) could be applied to detect malicious firmware. However the performance issue is a concern, especially in the context that the payload can be stored in different regions of the drive and accessing those different regions is slow and subject to various time delays.

Firmware Integrity Verification

Signed Firmware Update

To protect a device from malicious firmware updates, cryptographic integrity checks can be used. The use of asymmetric signatures can be attempted in this case, and each device would be manufactured with the public key of the entity performing the firmware updates. But signed firmware protection does not prevent an attacker with physical access to the device from replacing it with an apparently similar, but in reality backdoored, device.

Signed Firmware Update

Data Encryption

Encryption of data at rest with key kept out of the management of the hard disk is another possibility. Under some conditions, encryption of data at rest mitigates the possibility of data-exfiltration backdoors on storage devices. It renders establishing a covert communication channel more difficult for remote attackers and prevents the untrusted storage device from accessing the data in the first place. Data encryption comes with a price of performance trade-off and cost overhead.

Data Encryption

Intrusion Detection System

Current intrusion detection systems and antivirus software products use, to a large extent, pattern matching to detect known malicious content. The malicious firmware could be detected by such tools only if the magic value is known to the latter. This is still a question mark.

Intrusion Detection System

Conclusion

The discovery of massive implementation of malicious firmware is unsettling. It calls for more research and more international cooperation in the cybersecurity community.

 

References

C. Castelluccia, A. Francillon, D. Perito, and C. Soriente. On the difficulty of software-based attestation of embedded devices. In Conference on Computer and Communications Security, pages 400{409, Chicago, USA, 2009. ISBN 978-1-60558-894-0.

A. Cui, M. Costello, and S.J. Stolfo. When Firmware Modifications Attack: A Case Study of Embedded Exploitation. In Network and Distributed System Security Symposium, 2013.

Y. Li, J.M. McCune, and A. Perrig. VIPER: Verifying the Integrity of PERipherals' Firmware. In Conference on Computer and Communications Security, pages 3-16, Chicago, USA, 2011. ISBN 978-1-4503-0948-6.