Are you running what you think you're running?
Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: And now a quick word about our sponsor, Juniper Networks. NSS Labs gave Juniper its highest rating of "Recommended" in its recent Data Center Security Gateway Test. To get your copy of the NSS Labs report, visit juniper.net/securedc, or connect with Juniper on Twitter or Facebook. That's juniper.net/securedc. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: Thanks to our sponsor, Enveil, whose revolutionary ZeroReveal solution protects data while it's being used or processed – the 'holy grail' of data encryption. Enveil delivers privacy-preserving capabilities to enable critical business functions. Organizations can securely derive insights, crossmatch, and search third-party data assets without ever revealing the contents of the interaction or compromising the ownership of the underlying data. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Maggie Jauregui: There are dozens of configurations that are set that are time-sensitive and that if they're not done correctly, the underlying security assumptions that we operate on may be broken.
Dave Bittner: That's Maggie Jauregui. She's a security researcher at Intel. The research we're discussing today is titled, "Three firmware blind spots impacting security."
Maggie Jauregui: It's interesting to think of a computer not just as one system, but as multiple small embedded systems combined into one, and each one of them having their own code that needs to be updated, that we need to make sure is authentic, is recent, hasn't been tampered with. And so, if I'm talking to someone non-technical at all, I would describe it maybe as, a lot of things happen between the moment when you push the reset button on your platform and when you actually see something on the screen.
Dave Bittner: Can you give us a little bit of the history here, the backstory? As the systems have become more complex, as computers are doing more and more things, does that mean that we have more areas within the systems that are running their own firmware?
Maggie Jauregui: It may be. We usually have, you know, one type of memory and one type of network card. They usually don't go up exponentially, then we just have different combinations. And those combinations can be interesting because the awareness of what I'm running exactly is not always there. And that was the whole point of this article of, what are the blind spots? Do we even know what we're running? When you find a vulnerability in one of these components, knowing exactly which systems are affected. It can affect dozens of systems out there and making sure that each one of them has applied updates and are doing all the right things all at the right time, that all of these different components are working together and doing the right things, is tricky.
Dave Bittner: Hmm. Well, let's explore that, I mean, when you're looking into firmware, when you're trying to find those blind spots, can you take us through that process? How does it work?
Maggie Jauregui: So, we've identified three main ones. Firstly, it's important to just even know that firmware is a potential attack vector. Gartner named it one of the top three attack vectors for platforms – firmware security. So, being aware that it's potentially a problem. And one of the things that one of my mentors, Joseph Fitzpatrick – he's a renowned hardware security researcher – mentions, is to make sure to always know your CIA, your confidentiality, integrity, and availability. What specific security objectives do we have for our firmware? Do I care about the confidentiality of certain things? For example, your BIOS password. And if someone had access to my flash content, they may be able to see it, and that may be an authentication bypass, and that would be problematic. So I probably care about confidentiality for my UEFI password. Availability – making sure that my firmware hasn't been corrupted so that we don't have a potential permanent denial-of-service that can be cumbersome and costly is important. We want to make sure that our systems are available to be used. And integrity goes a little bit with the availability – making sure that I'm running what I think I'm running, that what I'm running is authentic, and that what I'm running is recent.
Dave Bittner: Now, how do you go about verifying that? As a researcher, if you're going in and examining firmware in a system, can you walk us through the steps that you take to ensure that what you're seeing is what's supposed to be there?
Maggie Jauregui: So, there are many things that we can do. There are features like hardware roots of trust that do just this, right? That make sure that – that perform measurements and verification on the firmware that we're running to make sure that it's authentic, and that we're running what we think we're running.
Maggie Jauregui: But there's also tools to check the configuration of a platform, because that can be complex. It can be defined differently for different generations of platforms, and there's a lot of different configurations to check. So, running scanners like Chipsec that give visibility into all these configurations are recommended. And Chipsec, for example, is an open-source project that's supported by Intel as well as the security community. And it's – one of the good things about Chipsec is that it's incremental. So, as we find more things and more things are reported to Intel or proactively found, we add them to the scanner so that we can raise the bar across the industry. And everybody – customers and users and OEMs – are able to check for the correct configuration of their specific system.
Dave Bittner: What sort of advice do you have for organizations that want to start down this path? Perhaps they haven't – they haven't really paid much attention to the firmware side of things. It's sort of out of sight, out of mind. How do they get going? Where do they begin?
Maggie Jauregui: The single most simple and powerful step towards improving platform security are regular updates. So, we've really come a long way, as a security industry, in companies having their in-house research teams and having security conferences almost every day somewhere around the world, and having bug bounties where companies work with researchers around the world to fix, proactively fix things that are found, coordinated disclosure and embargo, security advisories. If we don't install those, if we don't take advantage of what's there, you know, we increase the window of opportunity for potential attackers – that may not even need to be all that sophisticated, that just saw an update and noticed that now there's a window of opportunity to do some malicious things here.
Dave Bittner: Are there any common misperceptions that people have when it comes to firmware? Any common things that you see where people's understanding isn't really what it should be?
Maggie Jauregui: I think more than the understanding, it's either awareness or there are – there are real reasons why companies and organizations struggle with prompt firmware updates, for example. The downtime can be costly. There can be fear of breaking a platform and having that be potentially catastrophic with industrial control systems or critical infrastructure. So, it's a complex field and there are real reasons why we're not moving in a more swift way. But the large thing I would say is awareness, and then taking steps and precautions so that we don't fall into these fears and potential real problems that can arise with updates, for example.
Dave Bittner: Where do you suppose we're headed? What does the future look like when it comes to how we're going to deal with firmware, how we're going to protect it?
Maggie Jauregui: I believe we're gonna continue to evolve and continue to get more sophisticated. As higher levels of the stack have been hardened. The attention has focused more and more on hardware- and firmware-level security, so the natural order of things is we're just going to get more sophisticated. We're gonna get better at it. We're already a lot better than we used to be. Well, the kind of things that keep me up at night are – I heard a quote that really resonated with me that said, "Old-days are scarier than 0-days." For firmware, I think this is particularly true, especially with the timelines that it takes for us to be able to get updates and for people to choose whether or not they want to install them. So, one of my big fears is having a WannaCry-type scenario in firmware or hardware that is potentially catastrophic – where we have fixes for the issues, but it hasn't been patched. So, hopefully we get better at figuring out ways to patch in ways that are less dangerous.
Dave Bittner: What about trying to discover what you don't know – to know what you don't know? I guess I'm thinking of, you know, is it practical to audit your firmware? To – I'm imagining that person who has a system that's running fine, you know, they're thinking about that old adage of, you know, if it ain't broke, don't fix it. But I suppose you can't function that way these days. You have to go in there and, well, I guess it's a best practice to make sure that the firmware is what it's supposed to be.
Maggie Jauregui: Yes, and that is the main issue and the main blind spot, is visibility. I always like to tie it back to a house example. If you come back to your house one day and the door is open or there's a broken window, you clearly know that potentially something happened and you can go look and find something missing. But if someone has potentially installed a backdoor in your system, they could be just persisting and doing nothing for a long period of time, or they could be having a keylogger installed that sends all of your keystrokes somewhere. There's not a red flag. There's – the detection of my system is in a correct configuration in which I expect it to be, but also, did something happen? The visibility for us to detect both of those scenarios, I think are where we can tackle the lack of visibility, right? Installing and using tools.
Dave Bittner: Do you find that people tend to be a little intimidated when it comes to firmware?
Maggie Jauregui: I believe so. I believe people think it's some dark, obscure art. And that's not necessarily the case, right? It's software, at the end of the day.
Dave Bittner: In your mind, what are the take-homes? When you sort of send someone off with your words of wisdom when it comes to firmware, what sort of things do you share?
Maggie Jauregui: We need to make sure that we have a plan in place to know what we're protecting against and what we're not. Do we care about evil maids, physical presence? Is that in-scope, out-of-scope? What is our CIA? What are security objectives to protect our firmware security? Make sure that we're installing firmware updates on a regular cadence, that we have a strategy for that, and that we're also checking the configuration of our platforms to make sure they're in a state where we expect them to be.
Dave Bittner: Our thanks to Maggie Jauregui for joining us. The research is titled, "Three firmware blind spots impacting security." We'll have a link in the show notes.
Dave Bittner: Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team working from home is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard Peter Kilpe, and I'm Dave Bittner. Thanks for listening.