Skip to content

Firmware security

Computing devices and busses are far less secure than they could be, with many non-obvious exploits that take advantage of trust the device drivers place in the devices with which they are communicating. Reverse engineering these devices to find exploits does not require nation-state level resources. Once installed, this sort of malware is very difficult to detect and may not be possible to remove. Additionally, the Internet of Things brings the risk of devices that are never updated and will have security vulnerabilities for their entire lives.


  • Nation States are actively building firmware malware.
  • Every device has a full featured CPU these days, which can lie to the rest of the system.
  • Exposing buses to the outside world can lead to exploits.Thunderstrike (Hudson, 31C3 2014)
  • Embedded systems are never upgraded, leading to "forever-day" bugs



  • Hardware buses tend to be trusted by the kernel.

  • Embedded device vendors have no clue about security.

    • Windows has had decades of attacks to deal with and has entire teams to track bugs, and Windows and OSX roll out updates every week.
    • Device vendors just want to get the hardware out the door.
    • IoT devices need update routines, but security is important. i.e. how secure is Tesla's over-the-air software update for their cars?
    • Embedded Linux systems in routers, fileservers, cameras, etc are being targeted with "forever-day" attacks since the devices are never updated.
    • Default password are used everywhere.
    • Intel is getting better about boot time security: Boot Guard moves the root of trust into hardware inside the CPU.


One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.How Omnipotent hackers tied to the NSA hid for 14 years (Ars Technica, 2015-02)

2 guys + 4 weeks + $2k = Multiple vendors' BIOSes inflected. It's time to start checking your firmware.CanSecWest presentation (Xeno Koveh, 2015)

The (in)security of a given piece of software is mainly a function of how many smart people have uninterrupted time to exploit it.Matthew Green (2015)

Macbook batteries ship with a default unseal password (0x36720414). This was found by reverse engineering a Macbook battery update. On Macbook batteries, the full access mode password is also hardcoded and default (0xffffffff). Apple laptop batteries Writeup, Presentation (Miller, BlackHat 2011)

Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. ... many users may not realize they are at risk since they are unaware they own devices that run Linux. Linux worm targeting hidden devices (Symantec, 2013)


2015 Security Talks

Last update: November 8, 2020