Have You Heard About the Rise in Firmware Attacks? How to Protect Yourself!


While companies have been focused on securing other areas of their infrastructure, attackers have been going after something that often gets forgotten when it’s time to install patches and updates.

Firmware is the software that provides the instructions for the hardware to operate, and it’s become a major target of hackers over the last few years. According to the Microsoft March 2021 Security Signals report, 83% of all businesses have been victims of a firmware attack in the past two years.

Why so many? There are two main reasons:

  1. Firmware attack volume has risen dramatically, increasing five-fold over the last four years; and
  2. Companies haven’t had firmware security on their radar. Only 29% of most enterprise budgets are allocated for firmware protection.

Why Firmware Is an Attractive Target

Firmware sits outside a device’s operating system (OS). So, when it’s attacked with malware, the breach often can’t be detected because many anti-malware programs are operating at the OS level. 

Because firmware is the code that tells hardware how to operate, it runs with high-level privileges, and sensitive data such as user credentials is often stored in the firmware layer.

Another reason that hackers have been going after device firmware is that manufacturers don’t always build visibility into devices, so attacks fly under the radar and are difficult to track.

Firmware updates also happen less often than OS and software updates, so it’s not unusual for users to overlook them, leaving unpatched code vulnerabilities that hackers take advantage of. 

What Are Some of the Dangers If You Experience a Firmware Attack?

Hackers can get the “keys to the kingdom” when they hack into a device’s firmware because it has so much control over the hardware and other layers, such as the operating system, how the device boots, etc.

Here are some of the attack types that can be done through firmware:

  • Changing the Boot Code: System firmware can be breached in a way that runs malicious code on startup and completely subverts the operating system.
  • Delivering Malware: A firmware breach can be used to infect other components of a system with malware.
  • Complete Access: The System Management Mode firmware is focused on runtime and is completely outside the operating system. Hacking this firmware allows the attacker complete access to a system while being invisible to the OS.
  • Server Control: If a firmware for Baseboard Management Controllers on a server is breached, it can give the attacker total control over the server and its data.
  • Write to System Memory: A breach of firmware for Network Cards and PCIe Devices facilitates complete damage of the system and the ability to execute malicious code.

Ways to Protect Your Business from a Firmware Attack

Look for Hardware With Firmware Protection

It’s important to keep firmware protection in mind as part of your cybersecurity planning and when you purchase new PCs, servers, and other hardware.

Manufacturers are taking notice of firmware vulnerabilities and beginning to add protections that make devices harder to hack. These include a zero-trust architecture and more visibility for detecting malware or suspicious system behavior.

Microsoft released a new range of PCs called Secured-core that are designed with firmware protection in mind.

Put Firmware On a Regular Update Schedule

It’s estimated that 70% of organisations that have no firmware upgrade plan will be breached by 2022. Firmware updates are not typically as visible as those for software and operating systems, so devices often go without critical firmware updates and patches.

You must include firmware on a regular update schedule. The easiest way to do this is through a managed IT services plan that includes all updates and monitoring for your devices, including firmware.

Know Which Devices Use Firmware

Firmware is present in just about any electronic device. It acts as the device’s “operating manual,” and there will often be many different types of firmware present. One might control a graphics card, while another handles the boot process.

To keep your firmware properly updated, you need to have a full list of those devices needing to be checked regularly for firmware updates.

Some of the typical types of devices in an office that need firmware updates include:

  • Servers
  • Computers
  • Routers
  • Printers
  • Security Cameras
  • Voice Speakers
  • Mobile Devices
  • Smart Devices (locks, lighting, sensors, etc.)
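The inventory and update schedule described above can be checked automatically. The script below is an added example, not part of the original post: the CSV columns, the 90-day check interval, and every device name, version and date in the sample are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; device names, versions and dates are made up.
SAMPLE_INVENTORY = """\
device,type,installed,latest,last_checked
srv-01,Server,2.4.1,2.4.1,2024-05-20
rtr-01,Router,1.0.9,1.0.12,2024-05-28
prn-02,Printer,5.2,5.2,2023-11-02
cam-03,Security Camera,,3.1.0,
lock-01,Smart Device,1.3.0,1.3.0,2024-06-01
"""


def parse_version(text):
    """Turn '1.0.12' into (1, 0, 12) so that 1.0.9 sorts below 1.0.12."""
    return tuple(int(part) for part in text.split("."))


def audit_firmware(inventory_csv, today, max_age_days=90):
    """Return {device: [findings]} for every device that needs attention.

    max_age_days is an assumed check interval; the post only says "regular".
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        installed, latest = row["installed"].strip(), row["latest"].strip()
        if not installed:
            issues.append("installed version unknown")
        elif latest and parse_version(installed) < parse_version(latest):
            issues.append(f"update available: {installed} -> {latest}")
        checked = row["last_checked"].strip()
        if not checked:
            issues.append("never checked")
        else:
            age = (today - date.fromisoformat(checked)).days
            if age > max_age_days:
                issues.append(f"last checked {age} days ago")
        if issues:
            findings[row["device"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_firmware(SAMPLE_INVENTORY, date(2024, 6, 10))
    for device, issues in report.items():
        print(f"{device}: {'; '.join(issues)}")
```

Devices with a blank version or check date are reported rather than skipped, since an unknown firmware state is itself a gap in the inventory.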

Keep Users Trained on IT Security

Firmware attacks often originate in the same way as other types of attacks. This would be through a phishing email that either sends a user to a malicious site or contains a malware-laden attachment. 

It’s important for your overall cybersecurity hygiene to train users regularly on how to spot phishing, what types of websites and links to avoid, social phishing, and other IT security best practices. 

Is Your Firmware Leaving You at Risk?

Connected Platforms can help your Brisbane area business review all your firmware for necessary updates and put a plan in place to keep you protected.

Contact us for a free consultation. Call (07) 3062 6932 or book a coffee meeting online.

More blog posts

How to create secure passwords


Weak passwords are one of the biggest security risks to your business.

Why?

Because cyber criminals are getting smarter than ever before. If they manage to crack just one password, they could gain access to your sensitive business data, financial information, or even gain control of your entire system.

Cyber criminals use automated tools to guess passwords, allowing them to try out millions of combinations in seconds. So, if you’re using something like “Password123” or “CompanyName2025”, you’re practically handing them the keys to your business.

A compromised password can lead to big issues, such as:

  • Data breaches
  • Financial losses
  • Identity theft
  • Reputation damage

But how do you create strong passwords without driving yourself (and your team) mad?

Think of your password like a secret recipe, where only you should know the ingredients. It should:

  • Be at least 14 characters long (the longer, the better)
  • Include a mix of uppercase and lowercase letters
  • Contain a few numbers and symbols (like @, $, %, or &)
  • Not contain any common words or easily guessable information (like birthdays, names, or the word “password”)

Instead of using a single word, you could try a passphrase – a short, random sentence that only you would understand. For example, instead of “Sailing2025”, try something like “Coffee&CloudsAreGreat9!”. This is much harder to crack, yet still easy to remember.

You should also steer clear of these common mistakes:

  • Using personal info (your name, birthday, business name, etc.)
  • Reusing the same passwords across multiple accounts
  • Using simple sequences (“123456” or “abcdef”)
  • Storing passwords in an easily accessible place (like a sticky note on your desk)

If remembering unique passwords for every account sounds impossible, there is another option: Password managers. These generate strong passwords, store them securely and autofill them for you.

With a password manager, you only need to remember one strong master password for the manager app itself. The rest are encrypted and stored safely, reducing the risk of data breaches.

Even the strongest password isn’t foolproof, which is why multi-factor authentication (MFA) is also important. MFA requires a second form of verification, like a one-time code sent to your phone or generated from an authentication app.

If you have employees accessing your business systems, it’s a good idea to have a password policy in place to explain your rules and why they’re important. This should include:

  • Unique passwords for each system and account
  • Regular security training on password best practices
  • Business-wide use of MFA for critical systems
  • Scanning for compromised passwords regularly

By making password security a priority, you can reduce the chances of a cyber attack creating a nightmare for your business.

And if you need help making your business more secure, get in touch.
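The password rules and common mistakes listed in this post can be enforced in code when a password is set. The checker below is an added example, not part of the original post: the function names, the banned-term list and the choice to treat four ascending characters as a "simple sequence" are assumptions.

```python
import re

MIN_LENGTH = 14  # minimum length given in the post


def has_simple_sequence(password, run=4):
    """True if `run` consecutive characters ascend by one, e.g. '1234' or 'abcd'.

    The run length of 4 is an assumed threshold.
    """
    lowered = password.lower()
    streak = 1
    for prev, cur in zip(lowered, lowered[1:]):
        ascending = prev.isalnum() and cur.isalnum() and ord(cur) - ord(prev) == 1
        streak = streak + 1 if ascending else 1
        if streak >= run:
            return True
    return False


def check_password(password, banned_terms=("password",)):
    """Return the list of rules from the post that `password` breaks.

    banned_terms holds guessable strings for this user or business
    (names, company name, birthdays); an empty result means it passes.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 14 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both uppercase and lowercase letters")
    if not re.search(r"\d", password):
        problems.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    lowered = password.lower()
    for term in banned_terms:
        if term.lower() in lowered:
            problems.append(f"contains banned term '{term}'")
    if has_simple_sequence(password):
        problems.append("contains a simple sequence")
    return problems


if __name__ == "__main__":
    # The candidates are the examples quoted in the post.
    for candidate in ("Password123", "Sailing2025", "Coffee&CloudsAreGreat9!"):
        print(candidate, "->", check_password(candidate) or "ok")
```

A check like this covers only the composition rules; reuse across accounts and known-compromised passwords need the password manager and breach scanning the post describes.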

Beware these common ‘malvertising’ attacks


Ever clicked an online ad and wondered afterwards if it was a scam?… most of us have – and cyber criminals want us to keep doing it. Here’s what to look out for to stop your business’s data (and profits) falling into the wrong hands…
