I’m always amazed when 20-year-old exploits become news. Having said that, last week’s furor around the Equation cyber espionage group, detailed by Kaspersky, warranted a response.
The infiltration technology described by Kaspersky – introducing rogue firmware into the IT infrastructure supply chain – has been around for a very long time. The only new wrinkle here is that some of the functionality is delivered over the Internet in the form of zero-day exploits, poor credential security on lights-out cards, and phishing attacks that trick users into opening malware.
The objectives of this technology are to monitor and collect information, as well as to provide a jumping-off point for direct control – should that become necessary.
About the Firmware Infiltration Process
The truth is that firmware infiltration is not all that difficult. However, it does require some tools that are not normally found in the toolkits of routine hackers, but are common among nation states.
The processors/microcontrollers and peripheral components that are generally used in IT infrastructure are off-the-shelf, with full development kits and tools. Most of the peripherals and motherboards receive regular updates (BIOS), with public access to the firmware packages, which allows tampering. The toolkit for this infiltration would be the SDK for the chipsets used, as well as decompilers of the publicly distributed firmware.
Should there be an attempt to employ encryption or signing, it can be resolved by the use of appropriate chemistry and microprobes on the silicon itself. Other maintenance and debugging modes of the hardware, along with peripheral noise, can complete the reverse engineering.
Who is Behind Equation?
All of this points to a team with both hardware and software skills. Certain types of reverse engineering would require more expensive equipment, but nothing that would be outside the range of governments and well-funded criminal organizations.
Most of the major cyber warfare entities (governments) worldwide are familiar with this methodology and use it. I’ve been asked if Equation bears the signs of the NSA. The bottom line is that the NSA could be the author of the infiltration. However, there are plenty of other entities worldwide that are capable of this type of intrusion. Really, any competent software engineer with experience in firmware design could reverse engineer the technology and build firmware infiltration.
Remediating Firmware Infiltration
The only sure ways to guard against these types of attacks are to disconnect from the Internet (air gap critical systems) and not allow untrusted peripherals on the network.
Another remediation option is to frequently change the lights-out management system’s password. However, the firmware infiltration issue has not been raised by auditors or industry analysts yet. Therefore, only those companies with active cyber warfare defense technology are currently aware of this threat and taking steps to remediate the risk.
Finally, while firmware infiltration is not terribly complex, there is little reason to invest the amount of energy needed to successfully implement this exploit unless the target is of high value. The normal consumer is not at risk – unless there is something really interesting about what you do that piques the interest of a government somewhere on the planet.
By Philip Lieberman, President and CEO, Lieberman Software
Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in the cyber security market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions for this burgeoning security field.