Government centre of expertise plans to publish guidance on potential weak link in IT security
The National Cyber Security Centre (NCSC) has revealed an intention to look into the security issues around firmware, with a plan to publish guidance on its configuration and management.
It said it will spend a few months on the project, and has asked for input into which aspects of the issue it should cover.
The organisation referred to the plan in a blog post that expresses concerns that firmware – the software that is embedded in and controls a hardware device – can be a weak link in IT security.
It says many users seldom if ever update firmware, and that when it is poorly configured or protected it could give attackers access to a device and render it useless.
This applies to the BIOS (Basic Input/Output System), which has rarely been updated on many devices, and the more recent UEFI (Unified Extensible Firmware Interface), which has become the dominant standard in recent years.
NCSC warns that devices could be vulnerable to denial-of-service attacks or to hackers gaining a long-term presence on the system, and that it is difficult to detect malware running at the BIOS level.
Attacks more attractive
“As security protections on higher level system components – like the operating system – get better, firmware attacks become more attractive,” it says. “This is particularly true for high value targets, where the investment of resources required would be more than matched by the payout from a successful attack.”
It adds that for many devices the management of firmware requires too much manual input, and urges organisations to look at how it could affect them. It has not yet indicated when the guidance could appear.
Image: Electronic Frontier Foundation graphic, Creative Commons Attribution 3.0 through Wikimedia.