Cyber attacks against Firmware are growing
According to a study carried out by Microsoft, there is a significant growth in the attacks aimed at firmware nowadays. The study has found that about 80% of companies have suffered at least one firmware attack over the last two years – yet, the budgets that they set for firmware security are very limited, only 29%.
Firmware is software that provides the necessary instructions for how the device works and performs a basic set of tasks and functions. It also provides guidance on how the device communicates with the other computer hardware.
It operates without going through APIs, the operating system, or device drivers and is typically built into the read-only memory (ROM). When a device is powered on, firmware is the first to run and starts sending instructions to the device’s processor to execute.
Due to this, firmware is a perfect target for cyber criminals because it is the environment where confidential details such as passwords and encryption keys are kept.
Microsoft’s report reveals a disturbing trend where Firmware is the last in the list for security protection investments. The study – which involved 1,000 security decision-makers from companies in China, Germany, Japan, the United Kingdom, and the USA – has found that the focus on security investments goes to automated technologies for threat protection, security updates, and vulnerability detection.
Organizations fear malware attacks more
According to the report, many organizations are concerned about their systems being compromised by malicious software. Vulnerabilities in firmware are somewhat left behind due to a lack of awareness and a lack of automated solutions. As per the statistics, most decision-makers believe that it is three times more likely for software to be compromised rather than firmware.
What works in favor of the firmware attackers is that many devices on the market today have no way to guarantee that an intruder has not accessed the firmware before the boot phase or at runtime under the kernel.
The survey showed that only 36% of the companies that were participating in the study have invested in hardware-based memory encryption and just 46% of them have spent their budget for hardware-based protections for kernel.
From the analysis, it also becomes clear that the security teams spend more time on detection and incident response and much less on the prevention of firmware attacks.
The positive news is that with growing awareness about the risk of attacks on firmware, the readiness to invest in proper protection also grows.