Firmware is a class of software that is programmed onto hardware devices and controls their basic functionality. Each device’s firmware code is specific to its characteristics and hardware components. Virtually any device that uses software to operate, from servers and PCs to industrial machines to medical devices to smart sensors, has firmware inside it.
In simple devices the firmware provides all the required functionality of the device. More advanced devices with additional computing resources and requirements may have separate operating systems and software components that are integrated but not necessarily purpose-built for their particular device hardware.
A device’s firmware is embedded on its internal memory, such as ROM or flash. Device vendors may have firmware placed on the device permanently during the manufacturing stage so it cannot ever be modified, or they may enable firmware updates via local methods that require physical access or remote methods using a network connection. In some cases, remote updates may be fully automated and transparent.
Traditionally, the device firmware would be updated infrequently, if at all, after release. Today, the need for such updates is on the rise due to the growth in device functionality and intelligence. Technology developments, including new device memory types and connectivity interfaces, have also made firmware updates more operationally feasible. Reasons for updating firmware may include modifying device functionality, addressing new industry requirements, fixing bugs, or remediating discovered security vulnerabilities.
Because of the firmware’s critical role in controlling core device functions, it is very important to ensure its security. This is especially the case with connected devices which are vulnerable to external threats and those that are mission-critical such as medical devices. Attackers can exploit firmware weaknesses to inject malware, intercept communications, steal data or change device configuration, causing significant damage to the device vendor or users.
Vendors are increasingly aware of this issue and building security into their product planning, design and development processes. Some are also implementing security measures to detect and mitigate security threats in real time while devices are in use.