Firmware Security: an overlooked threat
By the end of 2018, more than 23 billion devices were connected to the internet. The majority of these devices are vulnerable to exploitation. They can be hacked in just minutes and cause enormous issues. Becoming part of a botnet to perform a mass DDoS attack, being used as a malicious proxy server, exposing personal data passed through them to the hackers and more importantly providing an easy way for hackers to get access to the private networks are just a few cases that already happened to the hacked devices. For example, the $1 million heist on Russian bank started with hack of a branch router.
Insecure firmware as the whole software stack of a device is the main reason for such attacks. Having very old and vulnerable code-bases, containing a huge amount of outdated vulnerable 3rd-parties, and default or hard-coded credentials are of three main issues a lot of firmwares have in common. On the vendor side, it takes considerable amount of time and budget to find those issues in their firmwares and on the enterprise user side the practice of authentic device risk assessment is nearly impossible since those firmwares which are deployed nearly everywhere are completely black boxes to them. That’s why, according to the 2016 ISACA Firmware Security Report, only 8% of enterprises are fully prepared for vulnerabilities related to the firmware or according to the 2018 SANS industrial IoT security survey, firmware is the most vulnerable aspect of the IIoT infrastructure.