Server firmware could be the next frontier for cybercriminals — and for hardware vendors.
Most cybercrime involves simple and untargeted ransomware. But as security pros harden the data plane where the operating system and applications reside, sophisticated cyberactors look for softer targets. One new attack vector is to sneak in via firmware, beneath the data plane of operating systems and applications.
“Firmware has grown both in complexity and connectivity to the data plane that makes it an ideal place for attackers to exploit weaknesses while avoiding detection,” said Jason Shropshire, senior vice president and CTO at InfusionPoints LLC, a cybersecurity consultant in North Wilkesboro, N.C.
For example, cybercriminals try to corrupt a BIOS update as an easy way to get deep into a network, since many IT pros assume downloaded BIOS updates are safe, said James Morrison, a computer scientist with the FBI’s Houston Cyber Task Force.
Firmware breaches aren’t yet common, but there have been some recent public examples. An original design manufacturer sent an infected motherboard to a top-10 cloud service provider with “phone-home capabilities” buried in the firmware, said Patrick Moorhead, president and principal analyst at Moor Insights & Strategy. Hard drives have shipped with malware on the hard-disk controller, and USB drives are a “cesspool of firmware,” Morrison said.
Security is a constantly moving target, and server firmware has come into greater focus, as the intent, tools, motivation and attack surfaces continue to change, Moorhead said. Network and client devices have become more secure, and hackers go where security is the lightest.
“This is why server firmware is the new cool place to hack,” he said. “Server vendors are the only people who can add the features to guard against.”
The new attention on server firmware security, and the latest features, also come as server vendors’ worldwide revenues dropped 4.6% year over year in the first quarter of 2017 to $11.8 billion, according to analyst firm IDC. Hewlett Packard Enterprise’s revenues slid 16% by comparison.
HPE: Trust silicon, but verify all code
Firmware security has top billing in Hewlett Packard Enterprise’s (HPE) new Gen10 ProLiant servers, which it rolled out last month. “Everybody you talk to, even if they don’t need performance, they need security,” said Bob Moore, director of server software and product security at HPE.
Inside the Gen10 is a “silicon root of trust,” which links the silicon and the firmware, designed to prevent the server from using compromised firmware code. Previously, the only way to guarantee the integrity of the server firmware was to take it offline, run an integrity check, build a golden image and periodically take the server offline, retake the image and compare, Shropshire said. With silicon root of trust, that will be able to happen while the system is running.
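To make the root-of-trust idea concrete, here is an added example (not HPE's or any vendor's code) that models a hash-anchored boot chain in Python: a digest assumed to be immutable in silicon vouches for the first firmware stage, each stage carries the expected digest of the next, and verification reports the first stage that no longer matches, whether a single image was modified or the digests above it were rebuilt to hide the change. Real implementations verify signed images rather than bare digests; the stage names and contents below are constructed placeholders.

```python
from __future__ import annotations
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Stage:
    """One firmware stage as stored in flash: its code plus the digest it expects of the next stage."""
    def __init__(self, name: str, code: bytes, next_digest: bytes = b""):
        self.name, self.code, self.next_digest = name, code, next_digest

    def image(self) -> bytes:
        return self.code + self.next_digest  # exactly the bytes that get measured

    def digest(self) -> bytes:
        return sha256(self.image())

def build_chain(stages: list[tuple[str, bytes]]) -> list[Stage]:
    """Build stages last-to-first so each one embeds its successor's digest."""
    chain, next_digest = [], b""
    for name, code in reversed(stages):
        stage = Stage(name, code, next_digest)
        chain.insert(0, stage)
        next_digest = stage.digest()
    return chain

def verify_boot(anchor: bytes, chain: list[Stage]) -> tuple[bool, str | None]:
    """Walk the chain from the immutable anchor and stop at the first stage whose measured
    digest differs from what its predecessor vouched for. Returns (True, None) or
    (False, name_of_first_untrusted_stage). The same walk can be repeated against flash
    at runtime instead of taking the server offline to compare it with a golden image."""
    expected = anchor
    for stage in chain:
        if stage.digest() != expected:
            return False, stage.name
        expected = stage.next_digest
    return True, None

# Constructed sample stages; names and contents are placeholders, not real images.
GOOD = build_chain([("bootblock", b"rom code"), ("uefi", b"uefi v1"), ("osloader", b"loader v1")])
ANCHOR = GOOD[0].digest()  # assumed burned into silicon, so it cannot be rewritten in the field
# A modified UEFI image while the stage that vouches for it is left untouched: caught at "uefi".
TAMPERED = [GOOD[0], Stage("uefi", b"uefi modified", GOOD[1].next_digest), GOOD[2]]
# The upstream digests rebuilt to match the modified image: caught at the anchor, "bootblock".
REBUILT = build_chain([("bootblock", b"rom code"), ("uefi", b"uefi modified"), ("osloader", b"loader v1")])

if __name__ == "__main__":
    for label, chain in (("good", GOOD), ("tampered", TAMPERED), ("rebuilt", REBUILT)):
        print(label, verify_boot(ANCHOR, chain))
```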
HPE’s silicon root of trust is ahead of similar servers for platform integrity, Shropshire said. He compared it to Microsoft founder Bill Gates’ trustworthy computing memo from 15 years ago, which transformed Microsoft’s approach to operating-system security.
HPE’s Gen10 servers also will be built with Intel’s new Xeon Processor Scalable chips, scheduled for release later this year. Dell EMC’s 14th-generation PowerEdge servers, unveiled last month, are built around the same chip. Intel has not yet disclosed the details of that chip, but both vendors claim it, along with Intel’s next Xeon chips, codenamed Skylake, will enhance the security of their next-generation servers.
In the latest wave of new servers using Intel’s newest chips, HPE seems to be doing the most with security, Moorhead said. Both Dell EMC and HPE have boot load protection, but HPE is the only one that validates all the code through its Integrated Lights-Out management controller, he said.
“Pretty much everyone is leveraging Intel’s boot-guard, but only HPE can check every piece of code going in and out of firmware,” he said.
Security became a top priority in the past year for Zygmunt Diao, lead system engineer at William O’Neil and Co., a stock analyst firm in Los Angeles. He said he understands the threat posed to server firmware, and he’s glad a vendor is taking the problem seriously.
However, he said he’s not sure HPE’s new server enhancements will really help defend enterprise IT systems. Even if the new servers protect against firmware breaches, many of them will still tie into legacy systems that could remain vulnerable.
“At what point will it really help customers defend themselves?” Diao asked. “There is still work to do with security.”
Robert Gates covers data centers, data center strategies, server technologies, converged and hyper-converged infrastructure and open source operating systems for SearchDataCenter. Follow him on Twitter @RBGatesTT or email him at firstname.lastname@example.org.