Disquieting? Unnerving? Alarming? I’m searching for the right word to describe my discovery that a brand-new network switch from a leading global device manufacturer had more than 2,500 firmware vulnerabilities ranging from low to critical in severity – fresh out of the box!
A switch is a device that connects multiple devices in a network, and not to be confused with a router, which connects multiple switches. Switches and routers are relatively simple devices, yet they are often riddled with vulnerabilities that make them easy prey for hackers. Why is that a problem? Because networks rely on switches and routers to move information. Hackers seize control of switches and routers so they can seize control of networks.
I made my discovery while using the NetRise Platform, which enables you to search databases of firmware images for vulnerabilities and other problems. What shocked me was the sheer number of known firmware vulnerabilities in new hardware.
Remember, we’re only talking now about known existing vulnerabilities in firmware. For example, if you’re worried about log4j-related vulnerabilities, you can simply search for log4j and generate a list of issues ranked by severity within moments.
But wait, it gets even more interesting. NetRise has recently unveiled Trace, an AI product that enables you to search for unknown potential vulnerabilities. Let’s say you have a hunch there are vulnerabilities in the firmware that nobody knows about and that don’t have specific names. You can use Trace to search for telltale clues that would reveal potential security issues.
“This is a game changer because you can identify potential vulnerabilities before they even go to market,” says Terry Dunlap, a convicted hacker who subsequently worked for the U.S. National Security Agency and now provides cybersecurity training.
Since many firmware vulnerabilities are the result of sloppy coding, you can search for low-hanging fruit if you’re familiar with the typical errors made by coders when they’re rushing to meet a deadline. “I would search for calls to strcpy() and calls to exec(). I would also look for hard-coded admin credentials and root credentials,” Dunlap says. “What’s also quite common and usually done purely by mistake is forgetting to remove a test account or a debugging account before a firmware device goes into production. Those kinds of mistakes create opportunities for hackers to gain remote access to a device. So I would search for all the user accounts and associated passwords that might be left behind and embedded in the firmware.”
What comes to mind here, of course, are lurid stories of surgical teams closing up patients before removing sponges, clamps and other equipment. Leaving behind a few snippets of code might not rise to the same level of malpractice, but once the image is in your mind, it’s hard to forget.
Firmware security issues are neither trivial nor harmless. As I mentioned in my previous article, billions of devices depend on firmware to run effectively and reliably. In addition to performing essential tasks in the devices we use in our everyday lives, firmware is indispensable to the safe operations of nuclear power reactors, hydroelectric generators, water treatment plants, transportation systems and data networks.
Make no mistake: Our adversaries are well aware of widespread firmware security issues and they are already exploiting them. I urge you to read People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices, an advisory from the Cybersecurity and Infrastructure Security Agency.
We are aware of the risks and we can’t pretend they don’t exist. There may be some situations in which “see no evil, hear no evil, speak no evil” is an appropriate strategy, but this is definitely NOT one of them.