The Zero Trust approach to cyber security has rapidly gone from being just another phrase in “cyber-buzzword Bingo” to being a tried-and-true, effective, and achievable security solution. Mandated for federal agencies by executive order and urgently advised by cybersecurity analysts, Zero Trust is a bright spot in an otherwise challenging time of non-stop ransomware attacks, increasingly porous infrastructure and more vulnerabilities than most teams can quickly address. It is also gaining traction in the boardroom with an increasing number of CISOs and CIOs being asked to report on their Zero Trust strategy and road map.
But successful Zero Trust programs are also holistic: they transcend normal divisions between “networks” and “endpoints” and between “infrastructure” and “applications.” For Zero Trust programs to be effective they need to provide visibility (and deliver results) all the way down to the most obscure, hard-to-reach layers of the stack, like chipsets, hardware and embedded firmware.
Eclypsium delivers Zero Trust assurance at these foundational, bare-metal compute levels. This amplifies Zero Trust’s benefits up and down the length of complex, often convoluted hardware supply chains.
Zero Trust for Firmware and Hardware
According to research firm Gartner, the average endpoint arrives on its user’s desk or lap with 15-20 embedded firmware components. These include powerful and privileged UEFI-based components, system management modules (SMM), microcode on processors, and embedded device drivers. Servers add modules like baseboard management controllers (BMCs) and may arrive from the manufacturer with thirty or more firmware components enabled. And of course virtually all networked and connected devices now come with manufacturer-embedded firmware.
Zero Trust principles insist we know which versions of firmware our systems are running, which ones may be vulnerable, and which ones are actively being exploited in the wild.
A breakdown of CISA’s widely used Known Exploited Vulnerabilities (KEV) list reveals that firmware vulnerabilities are the most actively exploited class of code. This is in part because cyber security teams have done a much better job patching and updating their operating systems and applications. But it’s also because firmware persists throughout the supply chain and acts as a multiplier of possible targets.
Case in point: U.S. security officials have warned that two Chinese companies in particular – Huawei and ZTE – are beholden to China’s government and therefore a major national security risk. The routers, antennas and radios these manufacturers deliver are in the process of being pulled from U.S. cell phone and internet networks not because the gear itself has potential for spying and foreign meddling, but because their embedded firmware can carry invisible instructions and has the power to orchestrate future attacks.
From “Black Box” to “Pandora’s Box”: A Zero Trust Example
In June of 2021, Eclypsium researchers reported widespread firmware-level vulnerabilities in BIOSConnect, the set of features and update tools used by Dell laptops. The vulnerabilities allowed remote code execution, through which an attacker could impersonate Dell and deliver malicious content back to the victim machine.
The scope of vulnerabilities disclosed in the Eclypsium research surprised many observers:
- 129 Dell laptop models were affected
- The chain of vulnerabilities had a cumulative CVSS score of 8.3 (High)
- The vulnerabilities allowed a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device
- Nearly 30 million individual devices were impacted
The Zero Trust lesson: if just one of these 30 million devices was being used in a sensitive or critical process, should it be allowed to remain in the network?
Zero Trust principles say No.
Achieving Zero Trust Up and Down the Supply Chain
A recent joint report from the U.S Departments of Homeland Security and Commerce cited supply chain attacks as the number one threat facing both commercial and federal organizations. Within that report a clear warning was sounded: firmware in those supply chains represents a “single point of failure” that can’t be overlooked.
Despite this warning and even though the job of securing complex supply chains can be a daunting challenge an effective firmware security program may be the best path to securing ICT supply chains:Firmware persists throughout the supply chain: addressing firmware issues addresses vulnerabilities, wherever they exist in the chain.
- New technologies make it easier to assess embedded firmware in real time, whether it’s on the receiving dock, in a staging area, or deployed in the field.
- Firmware is the “DNA of the supply chain”, and because it instructs hardware components on how, when, and where to act, assurance in the security and robustness of embedded firmware provides the highest confidence against compromise.
- Visibility into firmware integrity and vulnerabilities provides insight into the health of the entire supply chain.
Securing global device supply chains is the definitive cyber security challenge of the 21st century. Assessing, protecting and securing the firmware they contain may be the only way to provide a Zero Trust perspective on the security of the entire supply chain.
Eleven Reasons to Extend Zero Trust to Firmware
Organizations need to ensure that their many workers and facilities have the right equipment when they need it. With Eclypsium, IT teams can directly ship devices to locations or workers, then easily verify the posture and integrity of the device.
1
CPU vulnerabilities: Spectre, Meltdown, Portsmash, Foreshadow, MDS, ZombieLoad, PlunderVolt, CrossTalk
2
Converged Security and Management Engine (CSME) Intel: CVE-2017-5689, CVE-2018-3657, CVCVE 2017-5712E 2017-5712
3
Baseboard Management Controllers (BMC): Cloudborne, CVE-2022-6260, iDRACula, CVE-2017-12542
4
USB exploits: Bad USB, USBAnywhere
5
UEFI/SMM exploits: Speedracer, S3 Bootscript, Thunderstrike, Thinkpwn
6
PCI/Thunderbolt: DMA Attacks
7
TPM attacks: ROCA, CVE-2018-6622, TPM-Fail
8
Network cards: Throwhammer, NetCAT
9
WiFi attacks: Broadpwn, CVE-2022-6496
10
SSD: CVE-2022-10705, CVE-2022-11686, CVE-2018-12037
11
DRAM attacks: Rowhammer, RAMBleed
The bottom line? Cyber adversaries – whether nation-state attackers or financially motivated crooks – are better at exploiting our firmware than we are at defending it.
Resources: Creating a Zero Trust Firmware Strategy
The President’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity was issued on May 12, 2021 and called for federal agencies to advance towards a Zero Trust architecture model for their networks. This Eclypsium white paper breaks down that order in the context of hardware and firmware designs, from endpoints and servers to networked and connected devices.
In this white paper, analyst firm TAG Cyber dissects what it means to achieve a Zero Trust network posture in an age of highly distributed networks, virtualization, and rapid digital transformation. It breaks down how current endpoint detection and response (EDR and XDR) solutions are missing visibility into the firmware layer but can be augmented by modern controls.
This solution brief outlines the four principles of Zero Trust described above and aligns them to firmware security practices.
This joint white paper by Teldyne Lecroy and Eclypsium breaks down Direct Memory Access (DMA) attacks targeted at SSD and other component supply chains and proposes a firmware-first defensive strategy.