https://www.theregister.com/2023/04/17/opinion_column/

Firmware is on shaky ground - let's see what it's made of

Old architectures just don't stack up

Rupert Goodwins, Mon 17 Apr 2023 // 09:41 UTC

Opinion

Most data theft does clear harm to the victim, and often to its customers. But while embarrassing, the cyberattack against MSI in which source code was said to be stolen is harder to diagnose. It looks like a valuable company asset that has cost a lot to develop. That its theft may be no loss is a weird idea. But then, firmware is weirder than we give it credit for.

It's even hard to say exactly what it is. That used to be easy - firmware was software built into hardware (don't mention microcode). In the days when that meant small, expensive ROM chips, only a tiny part of a device's working software could be stored that way, in general just the low-level routines that directly operated the hardware and presented APIs to software that would be loaded in later.
Now that many devices have enough system flash on board to hold the complete stack, firmware includes complete operating systems and has come to mean the software at the heart of your technology that controls its behavior and which you can't just load in as an app.

This somewhat shadowy status has consequences. For a start, it has virtually no consumer market. Nobody goes out and buys new firmware; there are plenty of enthusiast alternate firmware images for any number of devices, but these are almost all free and open source. A manufacturer might sell you a feature update that's really just a firmware change, but that's rare. MSI's customers aren't buying firmware from anyone; they're getting it for free from the company itself. No illicit market exists to cream off revenues.

While companies can buy in firmware from other companies, more often, as with MSI, you're a hardware company writing your own firmware. That makes most sense; you need to develop hardware and firmware in lockstep, as each intimately influences the other. This makes most firmware too tightly linked to its platform to have any value to other businesses, except as the wrapper for trade secrets.

Even this is an illusion; your competitors are entirely capable of reverse engineering the firmware the moment it leaves your servers. Even more annoyingly, young people in hoodies can do this and make highly entertaining videos about the process. The only people really locked out by locked firmware are ordinary users.

So there's no market in stolen firmware, and not much to be gained by keeping it secret anyway. So why lock it down? There are the frequently quoted security reasons - if people could stuff any old code into the heart of their machines, who knows what evil will transpire? Only it doesn't: the experience of people who flash their Android phones with new firmware has been positive, because open source communities are poor vectors of mischief.
As MSI's supposed attackers claim that its private keys were stolen alongside the source code, users are at risk of fake firmware updates - but if you go anywhere except to the manufacturer when you update a motherboard, you deserve to be busted down to abacus operator.

Companies like using firmware to lock down their devices to business models - even when, as Sonos discovered, those models can provoke customer rebellion. Apple plays the same game, but more cunningly: you can't put third-party firmware into its devices, but by letting old devices die in stages after the updates stop coming, it hopes you won't notice.

But we do. We notice the old devices piling up in a desk drawer, hardware perfectly fine but with ancient firmware that just won't play with modern services. We notice that where open firmware and third-party flash images are allowed, ecosystems spring up that not only extend their lifetime but let them be used in entirely new ways. We notice that, far from being ridden with malware, third-party system software can keep up with security patches long after its locked-down siblings have more holes than a moth breeder's T-shirt.

So unlocking firmware makes it more secure, not less. It makes devices more useful, not less. It creates more innovation, not less. And open source firmware is theft-proof; nobody can steal what you're giving away. There's even an argument that closed firmware only the manufacturer can update will fall foul of the right-to-repair laws that are flickering into existence. If your device stops working because of obsolete embedded software, how do you repair it?
You could do it if you could replace the firmware like any other component, except the manufacturer is denying you the information you need to do that.

In fact, it's probably time to ditch the idea of firmware as a magical chimaera too dangerous to be freed. The idea only made sense when hardware imposed far more limits on computer architecture. Its continued existence doesn't benefit anyone - manufacturers, users, innovators or the environment. As one of the last ways left to lock people out from their own devices, it's a barrier, not a shield.

Publish the code. Open the specs. There's no firm foundation for firmware any more.