
Hard drive firmware infections were documented in 2015:

The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates.

You'd think that since then other malware authors would use this or similar code in less-targeted attacks, and these infections would spread. But if a firmware pandemic is around us, you don't hear much about it in the news. How common are firmware infections these days? Are there any reliable estimates?


(It's not unknowable: a researcher could take a random sample of machines, read their firmware and compare it to the manufacturer's images, thus obtaining an estimate of the infection rate.)

  • It's not common because it is hard to do and even if you do it you only have "god-like control" over the device controller (or whatever MCU) for that particular device. Bad guys would prefer to control stuff you actually care about, like your files on your file system.
    – hft
    Commented Mar 23, 2022 at 0:29
  • Also, your suggested research is much easier as a thought-experiment than IRL. How are you going to read the firmware from this "random sample" of machines? What devices on the machine will you look at? Once you read the firmware you will have some binary blob--how will you reverse engineer it to look for malware? When you find no malware will you publish your null result? It will be uninteresting because people will say, "yeah, you didn't find malware, did you think the NSA or whoever was going to burn their cool firmware hacks on a random sample of commercial devices?"
    – hft
    Commented Mar 23, 2022 at 0:33

2 Answers


Extremely Uncommon

One fact to consider is that we barely hear about firmware-based malware, which leaves two possible options:

  1. It is extremely uncommon.
  2. It is everywhere and we can't detect it.

As you yourself said, it is not impossible to see if a device has had its firmware modified. And indeed, if it were extremely common, then it would turn up in forensic analysis. We would hear quite prominently that some company has been hacked through firmware-based malware. But realistically, we don't.

Sure, as you said, there were instances of it, but they're not widespread. It's more of a proof-of-concept, or something that can be used for a high-value target. But for the common malware developer and criminal, there are so many infinitely easier options.

For instance, this guy was pwned because he was told to run a PowerShell snippet. I'm not picking this to make fun of the guy, but to illustrate that it's much easier to just ask someone to do something, rather than to go the extra mile and attempt to install some malicious firmware onto a device, which may risk bricking the system.

So while it is indeed possible that this will become more important in the future, it's way more likely right now that just nobody is using this and resorting to more "low-hanging fruit".


Estimates? Very few in the real world; most of the cases are proofs of concept, executed in a tightly controlled environment.

A researcher could take a random sample of machines, read their firmware and compare it to the manufacturer's images, thus obtaining an estimate of the infection rate.

This is not always possible. Some devices are very secure (like CPUs, GPUs, chipsets), and extracting firmware from them isn't possible without manufacturer tools, and the manufacturer wouldn't distribute them.

Not only that, but sometimes it isn't possible to determine the exact version of the installed firmware, leading to lots of false positives. Some firmware images have a version string, but not all of them. Downloading every single firmware image for a single device is a monumental task; imagine downloading all firmware images for all devices from all manufacturers.

As MeckMK1 said, there are much easier ways to compromise a device that don't need firmware hacking. From social engineering to rootkits, there are lots of avenues for data extraction and system compromise that don't demand restricted tools and knowledge, and don't lead to a bricked system if something goes wrong.
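The survey method the question proposes (dump the firmware, hash it, compare it to the manufacturer's image) and the false-positive problem this answer raises (no reliable version string, so no image to compare against) can be shown concretely. The script below is an added illustration written for this thread, not code from either answer or from any vendor's tooling. It assumes a made-up firmware layout in which a version string looks like `FW_VER=1.2.3`; the vendor images, the dumped samples and the tampering are all constructed inline. The point it makes is that a dump whose version cannot be established must be triaged as UNKNOWN_VERSION rather than counted as modified, otherwise the estimated infection rate is inflated (0.75 versus 0.5 on the constructed sample).

```python
import hashlib
import re
from typing import Dict, List, Optional

# Assumption for this demo: a version string of the form "FW_VER=1.2.3" is
# embedded in the image. Real devices use vendor-specific layouts, if any.
VERSION_RE = re.compile(rb"FW_VER=(\d+\.\d+\.\d+)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_version(blob: bytes) -> Optional[str]:
    """Return the embedded version string, or None when the image has none."""
    match = VERSION_RE.search(blob)
    return match.group(1).decode() if match else None


def build_manifest(vendor_images: Dict[str, bytes]) -> Dict[str, str]:
    """Map version -> SHA-256 of the vendor's published image."""
    return {ver: sha256_hex(img) for ver, img in vendor_images.items()}


def classify(blob: bytes, manifest: Dict[str, str]) -> str:
    """Triage one dumped image against the manifest.

    MATCH            hash equals the vendor image for the embedded version
    MODIFIED         version is known but the hash differs: worth a look
    UNKNOWN_VERSION  no version string, or one the manifest lacks: cannot
                     be compared, so it is not counted as a modification
    """
    version = extract_version(blob)
    if version is None or version not in manifest:
        return "UNKNOWN_VERSION"
    return "MATCH" if sha256_hex(blob) == manifest[version] else "MODIFIED"


def survey(samples: List[bytes], manifest: Dict[str, str]) -> Dict[str, float]:
    """Classify every sample and report two modification rates.

    naive_rate counts every non-matching image as modified (how a hash-only
    survey overcounts); comparable_rate divides only by the images that could
    actually be compared against a vendor image.
    """
    counts = {"MATCH": 0, "MODIFIED": 0, "UNKNOWN_VERSION": 0}
    for blob in samples:
        counts[classify(blob, manifest)] += 1
    comparable = counts["MATCH"] + counts["MODIFIED"]
    naive_modified = len(samples) - counts["MATCH"]
    return {
        **counts,
        "naive_rate": naive_modified / len(samples) if samples else 0.0,
        "comparable_rate": counts["MODIFIED"] / comparable if comparable else 0.0,
    }


def make_image(version: Optional[str], payload: bytes) -> bytes:
    """Constructed firmware blob: fixed magic, optional version header, payload."""
    header = f"FW_VER={version}\n".encode() if version else b""
    return b"FWHDR\x00" + header + payload


# Constructed vendor images and a constructed "random sample" of dumps.
VENDOR_IMAGES = {
    "1.0.0": make_image("1.0.0", b"\x90" * 64 + b"\xc3"),
    "1.1.0": make_image("1.1.0", b"\x90" * 64 + b"\xc3" + b"\x00" * 8),
}
MANIFEST = build_manifest(VENDOR_IMAGES)

clean = VENDOR_IMAGES["1.0.0"]                                      # untouched copy
tampered = VENDOR_IMAGES["1.1.0"][:-4] + b"\xde\xad\xbe\xef"        # payload altered
no_version = make_image(None, b"\x90" * 64 + b"\xc3")               # no version string
unlisted = make_image("9.9.9", b"\x90" * 64 + b"\xc3")              # version not in manifest
SAMPLES = [clean, tampered, no_version, unlisted]

if __name__ == "__main__":
    names = ["clean", "tampered", "no_version", "unlisted"]
    for name, blob in zip(names, SAMPLES):
        print(f"{name:11s} -> {classify(blob, MANIFEST)}")
    print(survey(SAMPLES, MANIFEST))
```

The two rates differ only because of how the unknowns are counted; in a real survey the UNKNOWN_VERSION bucket is where the manual work (and most of the uncertainty in any published estimate) would sit.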
