Product Security Glossary

Firmware Security

What is firmware security?

Firmware security involves protecting the firmware of your computer or devices from being exploited by bad actors.

What is firmware?

Firmware is the controlling code of a computing device.  It’s called “firmware” rather than “software”, because it’s installed onto either a chip or a memory card rather than onto a normal storage device. It can be changed or updated, but it’s not meant to be readily accessible by the end user.  On a PC, the firmware consists of a chip that contains the Basic Input Output System (BIOS), which is what starts the computer before the operating system can be read in. On embedded devices, such as printers, industrial controllers, or medical devices, the firmware is either a chip or a memory card that contains the operating system and all necessary programs that need to run on the device. In any case, firmware security is important. 

Why do we need firmware security?

Without proper firmware security, bad actors could take complete control of computing devices, resulting in data loss, data theft, or damage to either property or people.  This could be done in a few different ways.  Attackers could implant malware that could exfiltrate sensitive data, spy on your activities, or allow attackers to take control of your device.  Attackers could also “brick” a device, which would make it completely inoperable. 

The big challenge with firmware security is that any malware that gets implanted into certain types of firmware, such as a computer BIOS chip, is pretty much impossible to detect with an anti-virus program.  Even if you were to do a clean installation of the operating system, malware in the firmware could still survive.

How can we have firmware security?

Mainly, the responsibility for firmware security falls upon the device manufacturers. Manufacturers need to produce firmware that can be easily updated when necessary, yet that is also resistant to malware infections. One thing that device makers can do is to store a hash value of their devices’ firmware on their own servers, and program the devices so that they will verify the firmware hash against what is on the servers. Another thing that device makers can do is to store secret keys in a secure area that hackers can’t reach, and use proper authentication to ensure that only authorized personnel can log in. Device makers need to keep on top of the security news and ensure that any vulnerabilities that may crop up in their devices get remediated as soon as possible. All this can be done with automated tools that scan the firmware, create a Software Bill of Materials (SBOM), locate vulnerabilities and exposures, and alert on newly discovered vulnerabilities based on the SBOM.
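The hash check described above, as an added example (not code from this page or from any manufacturer): the model name, version and reference table are constructed, and the reference hashes are assumed to have already been retrieved from the manufacturer's server.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # read size; keeps memory use flat for large images


def firmware_digest(stream):
    """SHA-256 of a firmware image, hashed chunk by chunk."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def verify_firmware(stream, model, version, reference):
    """Return 'ok', 'mismatch' or 'unknown'.

    Anything other than 'ok' should stop the update or boot step.
    """
    expected = reference.get((model, version))
    if expected is None:
        # Fail closed: no published hash exists for this build.
        return "unknown"
    actual = firmware_digest(stream)
    # Constant-time comparison of the two hex digests.
    if hmac.compare_digest(actual, expected.lower()):
        return "ok"
    return "mismatch"


# --- Constructed sample data (hypothetical device and images) ---
GOOD_IMAGE = b"\x7fFWIMG" + bytes(range(256)) * 512
# Same image with a single bit flipped at offset 1000.
TAMPERED_IMAGE = (
    GOOD_IMAGE[:1000] + bytes([GOOD_IMAGE[1000] ^ 0x01]) + GOOD_IMAGE[1001:]
)
# Assumption: this table mirrors what the manufacturer's server publishes.
REFERENCE = {("acme-cam", "1.4.2"): hashlib.sha256(GOOD_IMAGE).hexdigest()}

if __name__ == "__main__":
    for name, image in (("good", GOOD_IMAGE), ("tampered", TAMPERED_IMAGE)):
        verdict = verify_firmware(io.BytesIO(image), "acme-cam", "1.4.2", REFERENCE)
        print(name, verdict)
```

A one-bit change anywhere in the image produces a different digest, so the tampered image is rejected, and a version with no published hash is rejected rather than trusted.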

Users also have a role to play in firmware security.  Devices should always be protected with a secure authentication scheme, and they shouldn’t be exposed to the Internet any more than they have to be.  Whenever possible, users should set up the devices behind a strong firewall, and run a good Intrusion Detection System. 

Finally, end users who have any doubts about the firmware security of their devices can contract with a scanning service to check their firmware for any vulnerabilities.  This is something that the users can do before deploying the devices. 

Firmware security is important.  Proper implementation can make things safer and more secure for you, your customers, and your equipment.