US regulators have done little to address firmware vulnerabilities, think tank argues

The code embedded inside devices that bridges interactions between hardware and software is frequently exposed to security vulnerabilities, but lawmakers and federal officials have not paid enough attention to them, a national security think tank analysis argues.

The report, released Wednesday by the Foundation for Defense of Democracies, contends that firmware vulnerabilities remain largely unaddressed, despite ongoing U.S. efforts focused on shoring up the nation’s cybersecurity structure through sweeping regulations and standards.

Firmware, the microsoftware responsible for telling hardware and software how to talk with one another on a device, enables several functions of modern computers but has gotten little attention across federal cybersecurity and technology initiatives, according to the report.

For example, there is no mention of the term “firmware” in an April 2023 release from the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency focused on principles for deploying products that have pre-installed features to shield them from cyberattacks. Additionally, the 2022 CHIPS and Science Act — a law designed to bolster domestic semiconductor manufacturing and research — mentions “firmware” just one time.

Firmware-linked cyberattacks are not frequent but, when executed, often give hackers “more bang for their buck,” according to report author Michael Sugden, who briefed members of the media on the topic.

“[They] are often harder to detect and harder to remove than their software cyberattack counterparts,” he said. Common antivirus scanning tools “can only detect malware at the software level, which leaves firmware completely in the dark,” he added.

Firmware is often made vulnerable due to weak code bases that aren’t addressed during their building and deployment processes, leaving them open to attacks across the software supply chain. For instance, security research firm Eclypsium last year discovered a hidden back door in the firmware of Taiwan-based motherboard manufacturer Gigabyte that allowed for hijacking and installation of malicious code.

The FDD report specifically cites a high-profile cyberattack on some 30,000 Viasat KA-SAT modems carried out by Kremlin-linked operatives immediately following Russia’s invasion on Ukraine in 2022. “In this case, tens of thousands of consumers had to throw out their devices, as an update or patch at the firmware level would have been impossible for reasons particular to the Viasat modems,” the analysis says.

Among several recommendations, the report suggests the creation of a national repository for known firmware threats, as well as updates to the National Institute of Standards and Technology’s 2018 firmware resiliency guidance.

Firmware has often been an uncommon way for hackers to access systems, which could explain why the Biden administration and Congress have done little to address the issue at this point, said Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at FDD and former head of the Cyberspace Solarium Commission, a congressionally-backed cyber policy advisory body.

“I think it is a very good tool for intellectual property theft, I think it's a pretty good tool for nation states that might want to have access to a network to shut it down at a later date,” Montgomery said. 

“I think as [adversaries] come off the sugar high of ransomware, we’re going to start seeing a lot more action in the firmware business,” he later added, referring to this past year’s frenzy of ransomware activity, in which hackers held organizations’ data hostage in exchange for a ransom payment.