I spoke recently with Terry Dunlap, my favorite convicted hacker. After his early adventures on the wrong side of the law, he worked for the U.S. National Security Agency and now he trains cybersecurity professionals.
In our conversation, Terry mentioned that the current state of firmware security reminds him of “the Windows 95 era” of personal computers. I love this analogy, and I think it’s a great way of looking at the challenges currently facing our technology-dependent culture.
But first, a quick refresher: Windows 95 and its immediate successors were created for a nascent consumer market. Yes, Apple products were incredibly cooler than anything Microsoft ever built, but Windows 95 kickstarted the age of universal personal computing. That said, I doubt any of us would use words like “robust,” “reliable” or “secure” to describe Windows 95.
“What’s past is prologue,” wrote Shakespeare. His timeless words aptly describe the bumpy evolution of modern digital technology. It’s like the weather in New England: If you don’t like it now, just wait a couple of minutes.
Firmware security, like everything else in the technology landscape, is a work in progress. Yet it’s rapidly evolving into a more exact and dependable practice, much as other forms of cybersecurity have evolved and crystalized into well-defined processes.
It shouldn’t be surprising that firmware security exists in an evolutionary state. Even though firmware has been around for decades, the idea of focusing on it from a security perspective is relatively new.
As a culture, we’ve been trained to focus on network and software security issues. In a sense, this is a legacy of the Windows 95 era, in which vulnerabilities were detected regularly and installing patches became a commonplace activity. And because we’re human, we prefer focusing initially on “low-hanging fruit” when we’re solving problems. Firmware isn’t “low-hanging fruit” and there has been a tendency to ignore it.
But that was then and now is now. Today, we live in a world of connected black boxes, each dependent on embedded firmware to function effectively. Whether you call it the “Internet of the Things,” the “Extended Internet of Things” or “The Internet of Everything,” there’s no arguing that we have created a powerful global network of connected devices and we can no longer blithely ignore firmware insecurities.
“The first step is just getting a handle on what’s inside of these black boxes,” says Michael Scott, co-founder, CTO and chief scientist at NetRise. “Then we’ll know if there are components inside that haven’t been updated in 15 or 20 years and we can push back at the manufacturer and say, ‘Look, if you don’t update these components, we’re going to switch to another supplier.’ That will force the manufacturers to tighten up their development processes and become more transparent, which will be good for all of us.”
The good news is that industrial-strength solutions for monitoring, analyzing and remediating firmware vulnerabilities already exist. I suggest that you learn more about these solutions, learn how to use them and start using them ASAP – before our amazing ecosystems of connected devices evolve beyond our control.