By: Erez Kreiner

Cybersecurity has become a major factor in the risk calculation of almost any company, no matter if it is a large enterprise or small home business. Various solutions are offered by many vendors to overcome the security gaps in companies’ networks and devices, and a lot of effort is invested in searching for the “holy grail” of security, the one that will supply a fully protected environment for all devices.

As we all know, this search will probably last forever, as hackers become more sophisticated and rogue nations pool their resources to maliciously attack the larger global community and economy. We can continue to combat the latest threats with the latest cybersecurity solutions, but it’s becoming increasingly more important to analyze the situation from the other side—the side of the attacker trying to hack into a system, or actually place his malicious code in a persistent manner inside an organization’s network, devices or machines.

The hacker’s desire is to change the software and data that is stored in the memory and his “holy grail” is to change the firmware, which is a fundamental brick in any computing mechanism. Computed devices are made of chips, which are millions of electronic circuits that can be condensed into very small areas, creating chips of memory, CPUs, GPUs, or communication, which is commonly called hardware. To make these chips a living and breathing computer device, software is fused in. The lowest software level that connects it to the hardware is called firmware. In most—if not all—cases firmware is a piece of code that is not subject to change by anyone besides the vendors and, many times, firmware is rarely changed at all. When firmware is updated, however, it presents an opportunity for attackers to place malicious code within the firmware, as few security organizations are thoroughly protecting firmware over the air (FOTA) updates.

Attackers try to gain control of networks and devices in many ways, but all the attacks can be categorized into three main vectors:

1. Remote attack—the attacker will probably make use of an Internet connection and he does not have any physical contact with the target.
2. Close attack—when the attacker has some kind of physical contact with the target himself or, through proxies—such as a connected thumb drive—has access to the company network or to communication equipment, etc.
3. Supply chain attack—when the attackers take advantage of the relationship between the company and its business partners and slide the malicious code into a product of a third party, a product that is later supplied to the target.

The common denominator for all these attack vectors and the attacks that utilize these vectors is the attempt to modify the code that runs on the system, either by modifying the code itself or by modifying the parameters—through configuration and calibration—that affect the way the code is executed. In addition, changing and “playing” with the firmware can ensure the attacker that his malicious code would have a long-lasting life in the targeted systems, and that the attempts of the security components to discover its existence will, in most cases, fail.

Focusing on firmware is a result of the huge revolution we all experience now, the IoT or IIoT, where the basic idea and basic meaning is to connect all sorts of devices to the Internet, especially devices that do not include powerful CPUs. Most CPUs are built with poor resources and limited computing power. In these simple devices, the software is mainly or solely firmware.

To make it a bit more colorful, the list of connected devices includes industrial robots, cars, home machines like air conditioners, routers, and 95 percent of the equipment in any new, smart or semi-smart building. It includes the protected relays in the electricity grid and the smart meters attached to every home. The list goes on and on…

One can almost claim that any electric or electronic device will include a few electronic chips, with a non-volatile memory containing the critical code to its operation.

Out-of-the-box approach

1. Most security processes are handled within the CPU.
2. The CPU has many interfaces to many components.
3. Security software vs. hacking software is an endless circle that needs to be broken by introducing another dimension to the game.