The Hidden Dangers of Unsigned Firmware

March 10, 2020 | Eddie Glenn


No matter how many security precautions you take, there may still be danger lurking in your PC.


I consider myself a security-aware computer user. I have a firewall set up, I have up-to-date antivirus software running, I stay away from sketchy software downloads, and I avoid sites that offer free ‘stuff’. And I never open attachments sent via email or text, even from people I know.

By all accounts, my computers should be malware free. In my home office, I have a Windows PC, a Linux server, and a MacBook Pro. I have 2 webcams, several routers, a laser printer, and numerous devices that are considered IoT (Internet of Things).

I recently listened to a really interesting webcast by Eclypsium and read their research paper “Perilous Peripherals: The Hidden Dangers Inside Windows & Linux Computers.”

And frankly, now I’m worried. Really worried.


Sign Your Firmware


For those unaware, a computing device contains software in many of its nooks and crannies. Of course, we all know about software installed on our hard drives. But did you know that the hard drive itself contains embedded software to help make it work? This embedded software is known as firmware. It is found in devices such as webcams, touchpad controllers, network hubs and USB hubs, and it lurks in just about every sophisticated piece of electronics that you own.

Computing device manufacturers don’t build these components themselves. Instead, they buy them from third parties, from all over the world.

Here’s where things get scary. Eclypsium found that the majority of the firmware in these devices is NOT code signed. According to them:

“…we then demonstrated a successful attack on a server via a network interface card with unsigned firmware used by each of the big three server manufacturers [ed. Dell, Lenovo, HP]. Once firmware on any of these components is infected using the issues we describe, the malware stays undetected by any software security controls.”

Think about that. No matter how cautious you are, your computer is still vulnerable to attacks because third-party component manufacturers are not signing their firmware.

Code signing has been used for over 30 years to authenticate that software comes from where it says it comes from and that it hasn’t been modified by a third party. Why, then, are these component manufacturers not taking the necessary precautions using decades-proven technology?
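As an added illustration (not code from the post, from Eclypsium or from Venafi) of the two guarantees just described, here is a minimal firmware loader check: the vendor signs an image at build time, and the device refuses to accept an image that is unsigned, signed by the wrong key, or modified after signing. The image layout, the "FWv1" magic string and the in-memory Ed25519 key are assumptions made for the demonstration, not any vendor's format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not any vendor's format):
// "FWv1" magic | payload | 64-byte Ed25519 signature over SHA-256(payload).
const magic = "FWv1"

var ErrUnsigned = errors.New("firmware image is unsigned or not in the expected format")
var ErrBadSignature = errors.New("signature invalid: wrong signer or image was modified")

// SignImage is the vendor-side build step. The private key would in practice stay in
// an HSM; it is generated in memory here only to keep the example self-contained.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	image := append([]byte(magic), payload...)
	return append(image, ed25519.Sign(priv, digest[:])...)
}

// VerifyImage is the device-side check run before anything is flashed. It returns the
// payload only if the signature verifies under the pinned vendor public key.
func VerifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < len(magic)+ed25519.SignatureSize || !bytes.HasPrefix(image, []byte(magic)) {
		return nil, ErrUnsigned
	}
	payload := image[len(magic) : len(image)-ed25519.SignatureSize]
	sig := image[len(image)-ed25519.SignatureSize:]
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signed := SignImage(priv, []byte("constructed NIC firmware payload"))
	tampered := append([]byte(nil), signed...)
	tampered[len(magic)+3] ^= 0x01 // flip one payload bit, as an implant would
	_, okErr := VerifyImage(pub, signed)
	_, badErr := VerifyImage(pub, tampered)
	fmt.Println("signed:", okErr, "| tampered:", badErr)
}
```

The point of the check is that the public key is pinned on the device, so a component vendor that never signs its firmware leaves the device with nothing to verify against, which is exactly the gap Eclypsium describes.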


Have You Heard These Code Signing Excuses?


When I talk to folks in large organizations and ask this question about code signing their software, I hear these common responses:

“The more code we have to sign, the more code signing keys we need to make available to our developers and that increases our risks, so we just don’t bother.”

“Our developers say we (the PKI team) slow them down and they just bypass our processes anyway.”


“We have bigger fish to fry.”

“We aren’t aware of all of the software development going on in our organization.”

Folks! Code signing is easy. Most software development environments provide a nifty, handy-dandy tool that takes only milliseconds to run. What is NOT easy (for developers) is knowing the ins and outs of code signing certificates and keys. What’s not easy is for InfoSec teams to provide developers with an easy-to-use code signing service that is also fast. What’s not easy is for InfoSec teams to automatically enforce, on their development teams, the processes and policies that secure the code signing process.

Why Venafi Makes Code Signing Easy


Now, let me stop for a moment for a brief, self-serving commercial:

All this changed when Venafi introduced Next-Gen Code Signing last year. With Venafi Next-Gen Code Signing, there is no excuse for a software team of any size not to sign the code it produces. Next-Gen Code Signing automates the management of code signing certificates (from issuance through revocation), works with the tools that software developers normally use (including those commonly used for DevOps and the Internet of Things), adds no noticeable time to a software build, and automatically enforces the code signing policies that InfoSec deems important. Most importantly, this secure process eliminates the need for any code signing key to ever leave a secured storage location (such as an HSM or Venafi’s own trusted key storage).

I’m not sure how we change this. I guess it starts with the big computer manufacturers requiring their suppliers to sign all of their firmware. And that requires their customers to complain about it. Or it may take a major malware incident.


Planes, Trains and Automobiles - Do You Code Sign?


But the more I think about this, the more concerned I get. I used to develop safety-critical software for airplanes. Today’s planes rely 100% on software and components that come from many different suppliers. During my flight to San Francisco this week to attend RSA, I wondered what precautions Boeing (or Airbus) have taken to ensure that their suppliers’ code is not tampered with. On BART (the San Francisco Bay Area’s mass transit service) I wondered the same thing. There’s a lot of software needed to make BART run.

And my mind didn’t stop there.

What about our power grids? The medical devices keeping patients alive in ICUs? The list goes on…

Is your organization creating software that should be code signed?
About the author

Eddie Glenn

Eddie is the Product Marketing Manager over Code Signing at Venafi. A product marketing professional in SaaS, Enterprise, and Embedded Software, he has a strong technical background and experience with inbound and outbound marketing, business and marketing strategy, and marketing operations.