Firmware Security
Security of the embedded software in hardware devices (BIOS/UEFI, routers, IoT, industrial control systems). Firmware vulnerabilities are particularly critical: they persist after the operating system has been reinstalled, are hard to detect, and usually affect every device of the same model at once.
Firmware is the lowest software layer: a laptop's UEFI/BIOS, a router's firmware, or the runtime of a PLC. An attacker who compromises it gains persistence that survives formatting the disk and reinstalling the operating system; the malware is simply loaded again on the next boot.
Why firmware is so critical
The key difference from ordinary malware is the level of persistence. Ordinary malware lives in the file system of the installed operating system, disappears when the disk is wiped and the OS reinstalled, and sits where AV/EDR can inspect it.
Firmware malware, on the other hand, lives in the SPI flash chip that holds the UEFI image. It survives disk wipes and operating system reinstalls and is reloaded on every boot. Classic AV/EDR scans the file system and memory, not the flash contents, so it has little or no visibility into such implants (a few products ship a dedicated UEFI scanner, but that is the exception).
Real-world attacks
LoJax (APT28, 2018) was the first UEFI rootkit documented in the wild. The Russian group APT28 (Fancy Bear) used it against government organizations in Central and Eastern Europe; it wrote a modified image to the SPI flash through a vulnerable, legitimately signed driver and re-dropped its user-mode agent on every boot.
CosmicStrand (2022) is a UEFI rootkit attributed to a Chinese-speaking actor, found on ASUS and Gigabyte boards with the H81 chipset. How the implant got onto the boards was never conclusively established; tampering in the hardware supply chain is one hypothesis, not a proven fact.
BlackLotus (2023) is the first publicly known UEFI bootkit that bypasses Secure Boot on fully patched Windows systems; it was sold on underground forums for around $5,000. It exploits CVE-2022-21894 ("Baton Drop"). The Windows patch alone did not stop it because the vulnerable, validly signed boot binaries had not been added to the UEFI revocation list (dbx), so the firmware still accepted them.
Firmware Attack Scenarios
1. UEFI/BIOS Implants
Direct manipulation of the UEFI image in SPI flash installs a persistent backdoor that runs before the operating system and hooks into the boot process. Such implants can inject code into the OS, steal cryptographic keys, and block firmware updates. Protection: Secure Boot alone does not help here, because it verifies what the firmware loads, not the firmware itself. You need hardware-rooted firmware verification (Intel Boot Guard, AMD Platform Secure Boot), flash write protection, and measured boot with TPM attestation to detect changes.
2. Option ROM Attacks
PCIe cards (network cards, GPUs) can carry malicious Option ROMs that execute during boot, before the operating system, and any bus-mastering device can read and write system memory via DMA (Direct Memory Access). Protection: keep Option ROM signature checks enforced under Secure Boot, and enable the IOMMU (Intel VT-d, AMD-Vi) together with pre-boot DMA protection so devices cannot touch arbitrary memory.
3. Supply Chain Compromise
Hardware that ships with malicious firmware pre-installed is a growing problem. Known examples are counterfeit Cisco switches with modified firmware and charging cables with a built-in implant that acts as a keylogger. Protection: buy from trusted suppliers, verify firmware signatures and hashes on receipt, and compare the installed version with the one the vendor publishes.
4. Network Device Firmware
Routers and switches are often run with known vulnerabilities: default credentials that were never changed and firmware that was never updated. VPNFilter (2018) infected roughly 500,000 routers worldwide. Protection: regular firmware updates, no management access from the WAN side, and network monitoring.
5. IoT Firmware Vulnerabilities
IoT firmware often contains hardcoded credentials (admin/admin, root/root), insecure update mechanisms without signature verification, and known vulnerabilities from the OWASP IoT Top 10. Protection: IoT segmentation, regular updates, and deactivation of unnecessary devices.
UEFI Secure Boot - Basic Protection
Secure Boot verifies the signature of every component the firmware loads along a chain of trust: UEFI firmware → bootloader → OS kernel (on Linux typically shim → GRUB → kernel). Only signed software is executed. The firmware's db variable holds the trusted signing certificates, dbx the revoked ones, and PK/KEK control who may change them. Microsoft's certificates in db are what make the Windows Boot Manager (and, via the third-party UEFI CA, shim) trusted out of the box; users can enrol their own keys in Custom Mode.
What Secure Boot Does Not Prevent
- Attacks that abuse a vulnerable but validly signed boot component that has not been revoked in dbx (the BlackLotus bypass), or platform keys that leaked or were shipped as test keys in production firmware
- Supply chain attacks involving compromised devices shipped from the factory
- Direct firmware manipulation without a UEFI password and write protection
Secure Boot Configuration (Checklist)
- Enable Secure Boot (it is often disabled by default!)
- Set UEFI password (prevents Secure Boot from being disabled)
- Check the Secure Boot key stores periodically: no unknown certificates in db, and apply the current dbx revocation updates
- Disable CSM (Compatibility Support Module) – CSM allows legacy boot and bypasses Secure Boot
Check Secure Boot status:
# Windows (elevated PowerShell; the cmdlet throws on legacy-BIOS machines):
Confirm-SecureBootUEFI
# True = enabled, False = disabled
# Linux:
mokutil --sb-state
# prints "SecureBoot enabled" or "SecureBoot disabled"
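Checking the state flag is the easy half; the checklist also asks for no unknown keys in db. The following is an added example (not code from the original page) that parses the EFI_SIGNATURE_LIST structures the db/dbx variables are made of and reports every entry that is not on an allowlist. The structure layout and the three GUIDs are from the UEFI specification; the allowlist, the stand-in certificates and the sample db value are constructed for the demo. On a real system feed it the variable read from efivarfs (the db variable path is given in the usage comment).

```python
"""Inventory the UEFI Secure Boot db variable and flag signers that are not on
an allowlist. Added example, not code from the original page. Layout constants
come from the UEFI specification (EFI_SIGNATURE_LIST); the allowlist and the
sample variable below are constructed for the demo."""
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # entry is a DER cert
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # entry is a SHA-256 hash
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # SignatureOwner used by Microsoft
HEADER_LEN = 28  # SignatureType (16) + SignatureListSize, SignatureHeaderSize, SignatureSize (3 x u32)


def parse_signature_lists(data: bytes):
    """Yield (signature_type, owner, payload) for every entry in a blob of
    concatenated EFI_SIGNATURE_LIST structures (the raw db/dbx value)."""
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        entries = data[off + HEADER_LEN + hdr_size: off + list_size]
        if sig_size < 16 or len(entries) % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not divide the entry area")
        for e in range(0, len(entries), sig_size):
            owner = uuid.UUID(bytes_le=entries[e:e + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, entries[e + 16:e + sig_size]
        off += list_size


def is_well_formed(data: bytes) -> bool:
    try:
        list(parse_signature_lists(data))
        return True
    except ValueError:
        return False


def read_efivar(path: str) -> bytes:
    """Read a variable from efivarfs; the first 4 bytes are the variable attributes."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


def audit_db(data: bytes, known_hashes):
    """Return (verdict, kind, owner, fingerprint) per entry. x509 entries are
    identified by the SHA-256 of the DER certificate, hash entries by the hash
    itself; anything not in known_hashes is reported as UNKNOWN."""
    report = []
    for sig_type, owner, payload in parse_signature_lists(data):
        if sig_type == EFI_CERT_X509_GUID:
            kind, fingerprint = "x509", hashlib.sha256(payload).hexdigest()
        elif sig_type == EFI_CERT_SHA256_GUID:
            kind, fingerprint = "sha256", payload.hex()
        else:
            kind, fingerprint = f"unsupported:{sig_type}", hashlib.sha256(payload).hexdigest()
        verdict = "known" if fingerprint in known_hashes else "UNKNOWN"
        report.append((verdict, kind, str(owner), fingerprint))
    return report


def build_signature_list(sig_type: uuid.UUID, entries) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST without a signature header from
    (owner, payload) pairs; the spec requires equal payload sizes per list."""
    sizes = {len(payload) for _, payload in entries}
    if len(sizes) != 1:
        raise ValueError("all SignatureData in one list must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + payload for owner, payload in entries)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body


# Constructed sample data: stand-ins for DER certificates, not real certificates.
OEM_CERT = b"constructed stand-in for the OEM's DER-encoded signing certificate"
ROGUE_CERT = b"constructed stand-in for a certificate nobody enrolled on purpose"
ALLOWED_BINARY_HASH = hashlib.sha256(b"constructed stand-in for a signed binary").digest()
KNOWN_HASHES = {hashlib.sha256(OEM_CERT).hexdigest(), ALLOWED_BINARY_HASH.hex()}


def sample_db() -> bytes:
    """A db value with the expected OEM cert, one allowed-by-hash binary and a rogue cert."""
    return (build_signature_list(EFI_CERT_X509_GUID, [(MICROSOFT_OWNER_GUID, OEM_CERT)])
            + build_signature_list(EFI_CERT_SHA256_GUID, [(MICROSOFT_OWNER_GUID, ALLOWED_BINARY_HASH)])
            + build_signature_list(EFI_CERT_X509_GUID, [(uuid.UUID(int=0x1234), ROGUE_CERT)]))


if __name__ == "__main__":
    # Real use: data = read_efivar("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")
    for verdict, kind, owner, fingerprint in audit_db(sample_db(), KNOWN_HASHES):
        print(f"{verdict:8} {kind:8} owner={owner} {fingerprint}")
```

The allowlist is deliberately a set of fingerprints rather than owner GUIDs: the SignatureOwner field is free-form and an attacker enrolling a key can put Microsoft's GUID there, whereas the certificate hash is what the firmware actually trusts. Run the same audit against dbx to confirm the current revocation list is installed.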
Firmware Hardening for Network Devices
Routers and switches are frequently targeted and are often the most poorly maintained part of an IT infrastructure.
Cisco IOS Hardening
! Management access: SSH only. IOS has no "service telnet" command; Telnet is
! switched off by restricting the vty transport to SSH.
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
! SSHv2 only; v1 is broken
line vty 0 4
 transport input ssh
 login local
! Disable HTTP management, keep HTTPS only
no ip http server
ip http secure-server
! Disable source routing
no ip source-route
! Authenticate NTP (prevents time tampering, which corrupts logs and certificate validation)
ntp authenticate
ntp authentication-key 1 md5 <key>
ntp trusted-key 1
ntp server 192.0.2.10 key 1
! Keep firmware up to date: check the running version
show version
! Check PSIRT advisories: tools.cisco.com/security/center/psirt
! Verify image integrity after download; compare the hash with the one published by Cisco
verify /sha512 flash:c1900-universalk9-mz.SPA.157-3.M10.bin
Consumer routers (ASUS and similar)
- Enable automatic updates
- Change the default admin password immediately after setup
- Disable remote management
- Disable Telnet/SSH (unless explicitly used)
- Disable UPnP (it lets any device on the LAN open inbound ports on the router without authentication, which malware uses to expose itself to the internet)
Firmware Analysis (for Penetration Testing/Security Research)
Extract firmware
- Binwalk: analyze and unpack a firmware image. binwalk -e firmware.bin carves out the file system (typically squashfs or jffs2), compressed sections, and embedded certificates and keys into _firmware.bin.extracted/
- SPI flash dump: if no image is available for download, read the flash chip directly (flashrom with a SOIC clip or a dedicated programmer)
- JTAG/UART: hardware debugging interfaces for direct access via physical pins (tools: a USB-to-UART adapter or a Raspberry Pi for the serial console, OpenOCD for JTAG)
Static Analysis
- Ghidra (NSA): Powerful open-source reverse engineering tool
- IDA Pro: Commercial, best disassembly quality
- Rizin/Cutter: Open-source alternative to IDA
Dynamic Analysis
# Full-system emulation of a MIPS kernel in QEMU (also needs a root filesystem image and console arguments):
qemu-system-mips -M malta -kernel firmware_kernel.bin -hda rootfs.img -append "root=/dev/sda console=ttyS0" -nographic
# Often simpler: run single binaries from the extracted rootfs with user-mode emulation (copy qemu-mips-static into it first; qemu-mipsel-static for little-endian targets)
chroot squashfs-root ./qemu-mips-static /bin/sh
Common vulnerabilities in consumer firmware
- Hardcoded credentials
- Telnet daemon without authentication, often enabled by an undocumented NVRAM flag
- Command injection in the web interface
- Buffer overflows in the lightweight HTTP server (boa, mini_httpd, GoAhead and similar), usually built against uClibc without modern exploit mitigations
- Unsigned update mechanisms
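Most of the items in this list can be triaged straight from the extracted root filesystem before any reverse engineering starts. The following is an added example (not code from the original page) that walks an extracted rootfs and flags hardcoded accounts, telnetd started from init scripts, embedded private keys, and update scripts that fetch over plaintext HTTP. The file patterns are common conventions, not vendor-specific facts, and the miniature rootfs it scans is constructed in a temporary directory for the demo.

```python
"""Scan an extracted firmware root filesystem (e.g. the squashfs-root that binwalk
produced) for the consumer-firmware weaknesses listed above. Added example, not
code from the page: the patterns are heuristics, the sample tree is constructed."""
import os
import re
import tempfile

PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
TELNETD_RE = re.compile(rb"\btelnetd\b")
PLAINTEXT_URL_RE = re.compile(rb"\bhttp://[^\s\"']+")
UPDATE_NAME_RE = re.compile(r"(update|upgrade|firmware|fw_)", re.IGNORECASE)


def scan_accounts(root):
    """Accounts in /etc/passwd or /etc/shadow that can actually log in: an empty
    password field, or a usable hash checked straight into the image."""
    findings = []
    for rel in ("etc/passwd", "etc/shadow"):
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            for line in fh:
                fields = line.rstrip(b"\r\n").split(b":")
                if len(fields) < 2 or not fields[0]:
                    continue
                user, pw = fields[0].decode(errors="replace"), fields[1]
                if pw == b"":
                    findings.append((rel, f"account '{user}': empty password"))
                # 'x' means the hash lives in /etc/shadow; '*' and '!' prefixes mean locked
                elif pw != b"x" and not pw.startswith((b"*", b"!")):
                    shown = pw[:10].decode(errors="replace")
                    findings.append((rel, f"account '{user}': hardcoded password hash {shown}..."))
    return findings


def scan_files(root):
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    blob = fh.read(1 << 20)  # first MiB: enough for scripts, configs and keys
            except OSError:                  # dangling symlinks are normal in extracted images
                continue
            if PRIVATE_KEY_RE.search(blob):
                findings.append((rel, "embedded private key"))
            if rel.startswith(("etc/init.d/", "etc/rc")) and TELNETD_RE.search(blob):
                findings.append((rel, "telnetd started from init script"))
            if UPDATE_NAME_RE.search(name) and PLAINTEXT_URL_RE.search(blob):
                findings.append((rel, "update fetched over plaintext HTTP (check for signature verification)"))
    return findings


def scan_rootfs(root):
    return scan_accounts(root) + scan_files(root)


def build_sample_rootfs(base):
    """Constructed miniature rootfs that exhibits each weakness (not a vendor image)."""
    files = {
        "etc/passwd": (b"root:$1$xyz$constructedhash:0:0:root:/:/bin/sh\n"
                       b"admin::0:0:admin:/:/bin/sh\n"
                       b"nobody:*:65534:65534:nobody:/:/bin/false\n"),
        "etc/init.d/rcS": b"#!/bin/sh\nmount -a\n/usr/sbin/telnetd -l /bin/sh &\n",
        "usr/sbin/fw_update.sh": (b"#!/bin/sh\nwget -O /tmp/fw.bin http://fw.example.invalid/latest.bin\n"
                                  b"mtd write /tmp/fw.bin firmware\n"),
        "etc/ssl/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n",
        "bin/busybox": b"\x7fELF constructed placeholder",
    }
    for rel, content in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return base


def demo():
    """Run the scanner against the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_rootfs(build_sample_rootfs(tmp))


if __name__ == "__main__":
    for rel, detail in demo():   # real use: for rel, detail in scan_rootfs("squashfs-root")
        print(f"{rel}: {detail}")
```

Treat the output as a worklist, not a verdict: a password hash in /etc/passwd still has to be cracked or matched against a known default, and an update script that downloads over HTTP may verify a detached signature afterwards. What the scan reliably gives you is where to start reading.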
OWASP IoT Top 10 as a checklist
| # | Vulnerability (OWASP IoT Top 10, 2018) |
|---|---|
| I1 | Weak, Guessable, or Hardcoded Passwords |
| I2 | Insecure Network Services |
| I3 | Insecure Ecosystem Interfaces |
| I4 | Lack of Secure Update Mechanism |
| I5 | Use of Insecure or Outdated Components |
| I6 | Insufficient Privacy Protection |
| I7 | Insecure Data Transfer and Storage |
| I8 | Lack of Device Management |
| I9 | Insecure Default Settings |
| I10 | Lack of Physical Hardening |
Enterprise Checklist: Firmware Security
BIOS/UEFI (for all managed endpoints)
- Secure Boot enabled
- UEFI supervisor password set
- Boot order: system drive only
- CSM/Legacy Boot disabled
- Firmware updates deployed automatically (UEFI capsule updates via Windows Update/Intune on Windows, fwupd/LVFS on Linux)
- Intel Boot Guard / AMD Platform Secure Boot: verify that the OEM has enabled it (it is fused at the factory and cannot be switched on afterwards)
Network Devices
- Firmware inventory: Which device is running which version?
- Subscribe to PSIRT advisories (manufacturer newsletters)
- Firmware updates on schedule (quarterly)
- Hash verification of every image before installation (compare against the vendor's published hash)
- Default credentials changed everywhere?
- Management interface: accessible only from the management network
IoT/OT devices
- Device inventory: are all IoT devices known?
- VLAN segmentation: IoT separated from the office network
- Firmware: when was the last update? Does the manufacturer still support the device?
- EOL devices: is there a plan for replacement?
- Network monitoring: Can anomalous communication be detected?
Monitoring
- Windows: monitor Secure Boot servicing events from the TPM-WMI source (e.g. Event ID 1796, a failed Secure Boot variable update) and alert when Secure Boot is reported as off
- Feed the firmware security feature status (Secure Boot, DMA protection, Boot Guard/PSB state) into the SIEM
- TPM attestation: regularly compare the measured-boot PCR values (especially PCR0, PCR2, PCR4, PCR7) against golden values (Windows Device Health Attestation / Linux IMA with a TPM quote, e.g. via Keylime)
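What that last check actually does is replay the boot event log into PCR values and diff them against a recording from a known-good device; which PCR differs tells you which layer changed. The following is an added example (not code from the original page) that does this replay with a constructed event log. The extend rule is the TPM 2.0 one (PCR_new = SHA-256(PCR_old || digest)) and the event type names and PCR assignments follow the TCG PC Client specification; the event data are stand-ins. A real replay takes the digest stored in each event-log record rather than hashing the event data itself, and the golden values come from your own trusted build.

```python
"""Replay a measured-boot event log into PCR values and diff them against golden
values recorded from a known-good device. Added example, not code from the page:
the event log entries are constructed; the extend rule is the TPM 2.0 one,
PCR_new = SHA-256(PCR_old || digest). A real replay takes the digest stored in
each TCG event-log record instead of hashing the event data itself."""
import hashlib

PCR_MEANING = {
    0: "platform firmware code (the UEFI image itself)",
    2: "option ROMs / UEFI drivers from add-in cards",
    4: "boot manager and bootloader",
    7: "Secure Boot policy: SecureBoot flag, PK, KEK, db, dbx",
}


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: the new PCR value is the hash of the old value and the event digest."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """events: iterable of (pcr_index, event_type, event_data). Returns {pcr: value}."""
    pcrs = {}
    for idx, _event_type, data in events:
        pcrs[idx] = extend(pcrs.get(idx, bytes(32)), hashlib.sha256(data).digest())
    return pcrs


def compare(pcrs, golden):
    """PCR indices whose replayed value differs from the golden value."""
    return sorted(idx for idx in golden if pcrs.get(idx) != golden[idx])


def diagnose(mismatched):
    return [f"PCR{idx} changed: {PCR_MEANING.get(idx, 'see TCG PC Client spec')}" for idx in mismatched]


def known_good_log():
    """Constructed log in the order firmware measures things; the data are stand-ins."""
    return [
        (0, "EV_S_CRTM_VERSION", b"OEM BIOS 1.17"),
        (0, "EV_EFI_PLATFORM_FIRMWARE_BLOB", b"firmware-volume:stand-in-1.17"),
        (2, "EV_EFI_BOOT_SERVICES_DRIVER", b"nic-option-rom"),
        (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=01"),
        (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"PK=<oem platform key>"),
        (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"KEK=<microsoft kek>"),
        (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"db=<microsoft uefi ca, windows ca>"),
        (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"dbx=<current revocation list>"),
        (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"\\EFI\\Microsoft\\Boot\\bootmgfw.efi"),
    ]


def tampered_log():
    """Same machine after someone reflashed the firmware and turned Secure Boot off."""
    events = []
    for idx, etype, data in known_good_log():
        if etype == "EV_EFI_PLATFORM_FIRMWARE_BLOB":
            data = b"firmware-volume:stand-in-implant"
        if data == b"SecureBoot=01":
            data = b"SecureBoot=00"
        events.append((idx, etype, data))
    return events


def check_device(log, golden):
    """Human-readable list of changed boot layers; empty means the device matches the golden state."""
    return diagnose(compare(replay(log), golden))


if __name__ == "__main__":
    golden = replay(known_good_log())   # record once from a trusted build, store it off the device
    print("clean:   ", check_device(known_good_log(), golden))
    print("tampered:", check_device(tampered_log(), golden))
```

Two points the example makes visible: a firmware reflash shows up only in PCR0, and disabling Secure Boot only in PCR7, so alerting on a single "everything" PCR would hide which layer moved. In production the PCR values must come from a signed TPM quote, not from the event log on the possibly compromised host; the replay is what lets you explain a quote that no longer matches.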