Microsoft has released a security report indicating an increase in firmware attacks. It also highlights the complexities of fighting back against these types of exploits. Their insusceptibility to automated removal processes is chief among the reasons why they are so formidable.
Microsoft cites a recently commissioned study on firmware security investments compiled by Security Signals. It shows that over 80 percent of businesses have experienced a firmware attack within the past two years. The survey also found that across the board, only 29 percent of enterprise security budgets were allocated to tackling firmware exploits. The Security Signals study involved interviews with 1,000 enterprise security decision-makers (SDMs) from the United States, Germany, UK, Japan and China.
How Firmware Attacks Work
Firmware hacks are effective because they compromise a device before it boots. They attack the deep-level code that controls hardware and software when the system is starting and during runtime. The two primary avenues for Windows systems are usually Basic Input Output System (BIOS) and Unified Extensible Firmware Interface (UEFI) protocols.
Tackling the Menace
According to data obtained from the National Institute of Science and Technology (NIST), firmware attacks have increased by more than five times over the past four years. Current remedies against these types of attacks include the use of Kernel data protection (KDP) and memory encryption solutions. They work by blocking malware from accessing kernel memory.
According to the Microsoft - Security Signals report, 36 percent of enterprises are proactive in this area and fortify their systems using hardware-based memory encryption mechanisms. This is still less than half of all businesses involved in the research study.
That said, a series of recent firmware attacks have led to more vigilance. The recently-discovered ThunderSpy bug targeting Thunderbolt ports revealed the level of damage that firmware vulnerabilities can cause. ThunderSpy works on devices utilizing Thunderbolt ports and allows a hacker who has physical access to the device to read the drive’s contents and copy data. Among the more scary aspects about it is that it allows a malicious penetrator to bypasses drive encryption, Secure Boot, antivirus, and other related security measures.
The level of data access through ThunderSpy is immense because it leverages direct memory access (DMA). Other related firmware exploits that are still being found in the wild include the RobbinHood, Derusbi, Uburos, Sauron, and GrayFish vulnerabilities. To tackle this problem, Microsoft has come up with a new category of devices designed to thwart such security threats called Secured-core PCs.
They feature revolutionary security features such as Credential Guard, Virtualization-Based Security, and Kernel DMA protection.