A security researcher's recent proof of a BIOS firmware attack has many readers concerned about the future of firmware attacks. Here's the reality.
First of all, I'm assuming you know what firmware is: software written to a rewriteable chip, such as the BIOS chip, a hard drive controller chip, and so on. Almost every electronic device today has a rewritable firmware chip.
[ Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. | Find out how to secure your systems with InfoWorld's Security Central newsletter. ]
Firmware attacks are nothing new. They've recurred on a regular basis, albeit infrequently, since the 1998 CIH computer virus emerged. But it's obvious that the experts are getting worried about future attacks. BIOS manufacturers are rushing to create more defensible firmware versions, for example, and NIST's (National Institute of Standards and Technology) recent publication of two firmware protection guidance documents: Special Publication 800-147 (PDF) and Special Publication 800-155 (PDF). When NIST recommendations are being published to the public domain, serious concern is afoot.
How likely are real, public, widespread firmware attacks? This is the big unknown. But if you think about it, infecting firmware is tens of thousands of times harder than infecting regular software, because of all the different versions and API interfaces. Most malicious tasks -- stealing money, passwords, or identities -- can more easily be accomplished using normal software-only malware.
One exception: It's easier to "brick" (make unusable or unbootable) a computer device with a firmware attack because the attacker just needs to corrupt the firmware code, not modify it. Corruption is pretty easy for a malware programmer. If your firmware gets bricked, recovery could require a chip or motherboard replacement. My best guess is that firmware attacks will focus more on disabling devices than modifying them to do something more sophisticated.
To protect yourself, buy hardware with built-in protections against malicious firmware modification. Many BIOS vendors have been building in more and better defenses over the last few years. Some have added CRC-style checking routines that will either halt the BIOS if unapproved modifications are made (not much better than BIOS corruption) or, much better, deny or rollback any unapproved changes. Forget BIOS passwords alone because they don't help all that much.
The gold standard of firmware protection is defined in the NIST documents above and has culminated in the new open BIOS spec called UEFI (Universal Extensible Firmware Interface) 2.3.1, considered the first strongly secure boot firmware standard. It requires trusted roots, digital certificates, and digital signatures. If you want to worry less about firmware attacks, make sure your future purchases include devices that have UEFI 2.3.1 enabled.
Unfortunately, UEFI 2.3.1 or later requires different chip sets than pre-UEFI motherboards; if you don't already have a UEFI 2.3.1 motherboard (most people don't), it will probably take a new purchase to get one. All Microsoft Windows 8- and 2012-certified computers will have UEFI 2.3.1 and the related Windows Secure Boot technology, which takes advantage of all this, built-in and enabled.