Ransomware, worms, and trojan horses get all the attention—but firmware attacks pose just as significant a threat. Find out how to defend against them with HPE Gen10 Plus servers.

When I was growing up, I would spend my summers doing odd jobs around my neighborhood, giving quotes to my neighbors for whatever they needed done. Mowing lawns was always popular, but I did it all—small landscaping gigs, little demolition projects (my favorite), and everything in between. I must have done a thousand jobs in my neighborhood over the years, but one memory has always stuck with me: the damage done to Mrs. Fuller’s apple tree by termites.

It was one of the saddest jobs I ever did because it means chopping down the tree that supplied apples all summer long to the neighborhood children. It had been ruined by the destructive pests.

I didn’t know it at the time, but one day I would be working to defeat a “termite” of a different kind. Preventing malware from infiltrating the firmware of a server is not so different from preventing termites from eating the trunk of Mrs. Fuller’s apple tree. Firmware is a permanent type of software embedded in a piece of hardware and controls basic low-level functions of a server. Because malware attacks aimed at firmware go right to the foundation, they bypass the software that’s meant to detect potential threats.  

The threat nobody is talking about

Firmware hacks don’t get the attention they deserve alongside ransomware, worms, and trojan horses. But the threat they pose is just as significant—one could argue, even more significant. By infecting the lower stack of a device, the malware completely bypasses the antivirus software. The power criminals have once the server infrastructure is infected is nearly limitless, granting the “keys to the kingdom” to whoever controls the malware. If a firmware attack is successful, ransomware and other malware can be employed at will. If termites (malware) attack a branch of Mrs. Fuller’s apple tree, we can chop off the branch. But if they attack the trunk, they have access to everything, compromising the entire tree.  

Studies from both Gartner and Microsoft have illuminated just how common firmware attacks have become. Gartner found that 70% of organizations lacking a firmware upgrade plan will be breached by 2022 (YOU HAVE THREE MONTHS!). Microsoft’s report, that surveyed 1,000 cyber-security decision-makers at enterprises around the world found that 80% of companies have experienced a firmware attack in the last two years. These are staggering numbers that ought to be making bigger headlines, but it seems that security executives may finally be taking note after a few high-profile firmware attacks.   

Robbing from the rich and giving to the poor-er, keeping for themselves I mean, is what the hackers at RobbinHood had in mind in 2019. Attacking the databases of a number of US city governments, RobbinHood held the data hostage until a ransom was paid in Bitcoin.  

Thunderspy attacks are another troubling type of vulnerability that exhibit how undetectable firmware attacks can be. For Thunderspy to be successful, a server needs to be physically tampered with, but it only takes about 5 minutes for a criminal to access the server infrastructure, reprogram the firmware, and carry out one of these attacks. Going straight for the direct memory access (DMA) that hardware components use to talk to one another, this attack is virtually traceless as data can be read and copied even while a hard drive is asleep, encrypted, or locked.

One of the most prominent cyberattack groups comes from Russia. Most commonly known as Fancy Bear, but also as APT28, Sofacy, Sednit and a few other aliases, they are credited with the first UEFI rootkit which, until it was discovered in 2018, had only been discussed as proofs of concept, never reality—a sci-fi script turned reality. The US Department of Justice determined that it was Fancy Bear who was responsible for the hack on the Democratic National Committee just before the 2016 presidential election. 

Firmware attack prevention 

The Microsoft study that I mentioned earlier highlights company’s shortcomings in their response to the rise in firmware attacks. Because firmware attacks are beneath the operating system where credentials and encryption tools live, the “protect and detect” method is already too late. The trunk of our tree has been compromised and the attack can now spread through the branches. There needs to be more investment in proactive measures.  

Enter HPE  

Our first line of defense, the Silicon Root of Trust (SRoT) goes deep—literally down to the silicon, and offers a security foundation that allows only the recognized firmware to be installed onto the server. Because it’s built on a hardware-validated boot process that is rooted in hardware that cannot be changed or modified, only code from an established, unchanging source can start the server. If a threat is detected, it can recover rapidly to the last known secure state without any manual assistance. Being able to guarantee that even the silicon in the hardware is secure is something that only HPE offers. Insurers from Marsh McLellan’s Cyber Technology Evaluation Program dubbed the HPE Silicon Root of Trust a “close to perfect solution.” Think of the Silicon Root of Trust as the defense against termites for the roots of the apple tree. 

In order to protect the trunk of the tree, HPE Integrated Lights-Out firmware, or iLO, raises the security bar eve higher because of its unbreakable relationship with the Silicon Root of Trust. Because the iLO chip is baked into the silicon itself with a unique “fingerprint”, it will identify the iLO firmware as a match to the fingerprint. Any tampering with the firmware will make it incompatible with the chip and will not be allowed to run. When the iLO firmware is verified by the chip, it then goes on to verify the UEFI BIOS, the System Programmable Logic Device, the Innovation Engine, and the Sever Platform Services. Referred to as the Secure Start Base, the initial familiarity between the chip in the silicon and the iLO firmware is what makes this process so secure. With iLO, servers can be configured, updated, and maintained with confidence from anywhere using strong authentication, configurable user privileges, authorization processes, and encryption on keystrokes, data, and security keys.  

Moving up the line of security and protection offered by the SRoT is the UEFI Secure Boot. For bad actors, capitalizing on  a pre-boot attack opportunity can grant systematic control of a server. UEFI malware will detect whether or not it is unlocked or write-protected. Surprisingly, not all UEFI systems are write-protected and if it is unlocked, malware can activate its own UEFI patches. To combat this threat during the boot process, HPE Secure Boot verifies the identity of several key components, including OS UEFI boot loaders, UEFI drivers loaded from PCIe cards, mass storage devices and other shell applications. UEFI Secure Boot is built in to Gen 10 Plus servers and ensures that each application launched while booting is checked against a digital signature and validated through a series of trusted certificates.

Further up the trunk of the tree and building once again on the foundation built by the Silicon Root of Trust and iLO, another new HPE Gen10 Plus feature provides yet another layer of protection. When HPE device manufacturers have the servers on the production floor, they have an opportunity to bind them to unique device identifiers. This could be considered the “birth” of the device and the identifier is known as an iLO IDevID. When the identifier is issued, a Certificate Signing Request is sent (through a private network) to HPE’s Certificate Authority where it is signed and protected by FIPS 140-2 Level 3 Validated Hardware Security Modules in HPE’s data center. These credentials will stay with a server for the duration of its lifetime regardless of what goes on with the Operating System. Without the highest level of security during the production of servers, all the features previously mentioned could be undone by human error or bad actors with access to servers or server components at any stage of the supply chain. That’s why HPE takes a global approach to securing components from manufacturing to transit to the warehouse.

For enterprise companies in financial, healthcare, and government sectors that need the highest level of assurance of a safe and secure supply chain, we go a step further and offer the HPE Trusted Supply Chain. This ensures peace-of-mind that all server components are assembled domestically, without passing through the hands of anybody but highly-vetted HPE employees. Companies can even request delivery a dedicated truck driver with security and HPE personnel to set up the servers and make them operational. HPE is the only major server company to offer this, and soon the same option will be available in Europe and Asia.  

While working to saw at the trunk of Mrs. Fuller’s tree all those years ago I could never have imagined that years later I would be comparing the experience to preventing firmware attacks. The advances in both cyber-security and malware have been astonishing, but what I know for certain is that HPE will remain on the cutting edge, securing valuable data and letting the world work more safely and efficiently.   

Be on the lookout for our next blog post where we dive deeper into current events of security threats and defenses.  For more information, please visit us at hpe.com.

Cole Humphreys
Hewlett Packard Enterprise

https://twitter.com/hpe_server
linkedin.com/showcase/hpe-servers-and-systems/
hpe.com/servers