'Firms should be more worried, cyber attacks on the rise'


Computing giant Microsoft recently put out a report claiming that businesses globally are neglecting a key aspect of their cyber-security - the need to protect computers, servers and other devices from firmware attacks.

Its survey of 1,000 cyber-security decision makers at enterprises across multiple industries in the UK, US, Germany, Japan and China has revealed that 80% of firms have experienced at least one firmware attack in the past two years.

Yet only 29% of security budgets have been allocated to protect firmware.

However, the new report comes on the back of a recent significant security vulnerability affecting Microsoft's widely-used Exchange email system.

And the computing giant launched a range of extra-secure Windows 10 computers last year that it says will prevent firmware from being tampered with.

So is this just an attempt to divert attention and sell more PCs, or should businesses be more worried?

How a firmware attack works

Firmware is a type of permanent software code used to control each hardware component in a PC.

Increasingly, cyber-criminals are designing malware that quietly tampers with the firmware in motherboards, which tell the PC to start up, or with the firmware in hardware drivers.

This is a sneaky way to neatly bypass a computer's operating system or any software designed to detect malware, because the firmware code is in the hardware, which is a layer below the operating system.

Security experts have told the BBC that even if IT departments are following cyber-security best practices like patching security vulnerabilities in software, or protecting corporate networks from malicious intrusions, many firms are still forgetting about the firmware.

"People don't think about it in terms of their patching - it's not often updated, and when it is, sometimes it breaks things," explains Australian cyber-security researcher Robert Potter.

Mr Potter built the Washington Post's cyber-security operations centre and has advised the Australian government on cyber-security.

"Firmware patching can sometimes be tricky, so for a lot of companies, it's become a blind spot."

The National Institute of Standards and Technology (NIST), an agency within the US Department of Commerce, continually updates a National Vulnerability Database (NVD) with new security flaws.

The database has recorded a five-fold increase in attacks against firmware in the last four years.

Coronavirus lockdowns in multiple countries have led to multiple employees working from home and connecting remotely to work servers. Each one of those computers and mobile devices is an opportunity for attackers.

Carrying out a firmware attack might be complex, says Mr Cirlig, but if attackers could silently steal critical information from a c-suite executive's laptop, like passwords, they could then use it to infiltrate a company's networks and steal more data.

Nation-state hackers would be most likely to use such an attack, he adds.

"This is a big operation with big pay-offs - it's not something that a small group of cyber-criminals has the manpower to do."

Creeping soon to a network near you

Although firmware attacks are not as ubiquitous as phishing scams, malware or other cyber-attacks, the cyber-security experts the BBC spoke to say now is the time for businesses, and the technology industry as a whole, to pay attention to hardware security.

"Firmware attacks are not common on a day-to-day basis, but that's because people don't realise they're being infected by such an attack," says Mr Boyd.

"It's like when ransomware first came onto the scene - people didn't know of anyone who was infected by it, and if big organisations were, they wouldn't tell anyone about it, as there was an element of shame, not wanting their clients to know they'd been infected."

Mr Boyd adds that a new generation of "budding hardware enthusiasts" who have been learning their way around firmware by "modding video game consoles over the last decade" could well pose additional threats to enterprise cyber-security going forward - a point Mr Cirlig fervently agrees with, since he hacked the firmware in his own car when he was younger.

"Microsoft is right to raise this as a major issue, because we need to bring firmware designers and operational technologies along the journey of cyber-security, the way we have with software companies," says Mr Potter.

"As we connect more things to the internet, we're connecting a lot more devices that haven't been designed with cyber-security in mind. And if the trend continues, bad guys will go after it."