Mark Shuttleworth, the founder of the popular Ubuntu Linux distribution, believes proprietary and unverifiable firmware code poses a serious security threat to users and he encourages hardware manufacturers to implement support for their innovations through the Linux kernel instead.
"If you read the catalogue of spy tools and digital weaponry provided to us by Edward Snowden, you'll see that firmware on your device is the NSA's best friend," Shuttleworth said Monday in a blog post.
[ It's time to rethink security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter.
"Your biggest mistake might be to assume that the NSA is the only institution abusing this position of trust -- in fact, it's reasonable to assume that all firmware is a cesspool of insecurity courtesy of incompetence of the worst degree from manufacturers, and competence of the highest degree from a very wide range of such agencies," he said.
Shuttleworth argues that manufacturers have made a habit of adding support for new functionality through firmware because in the past they were shipping computers with Windows, an operating system they couldn't change. However, that's not the case with Linux, and Linux "is almost certainly the platform that matters" in the new world of embedded devices, he said.
The ACPI (Advanced Configuration and Power Interface), a specification that allows operating systems to discover, configure and monitor hardware components, is an example of a design that shouldn't be replicated in future devices, according to Shuttleworth.
"Arguing for ACPI on your next-generation device is arguing for a trojan horse of monumental proportions to be installed in your living room and in your data centre," he said. "I've been to Troy, there is not much left."
Over the years security researchers have found vulnerabilities in the proprietary firmware of many devices, from credit card readers to routers and industrial control systems, and they generally concluded that such software had not been developed with security in mind.
In November, security researchers from Rapid7 revealed that the IPMI (Intelligent Platform Management Interface) firmware in motherboards from server manufacturer Supermicro had serious vulnerabilities. IPMI allows system administrators to manage and monitor servers remotely from outside their main OS through a BMC (Baseboard Management Controller) directly connected to the motherboard's southbridge and a variety of sensors.
Last week, developers of Replicant, an Android-based operating system, claimed they found a backdoor in Samsung Galaxy devices that resulted from a vulnerability in the proprietary code handling communications between the Android OS and the firmware controlling the modem, also known as the baseband.
Other security researchers have also warned in the past that vulnerabilities in the baseband firmware used in mobile devices could be used to bypass the security controls implemented in the main OS.