Firmware security risks and mitigation

Kezhang Lin
December 03, 2019

 


Firmware is a software program or set of instructions programmed on a hardware device. It provides the necessary instructions for how the device communicates with other computer hardware. Considering how ubiquitous firmware is, one would expect firmware security to be taken seriously. Sadly, that couldn’t be further from the truth.


Digital product aficionados are very keen on rooting their mobile phones and replacing the original system with ROMs developed by various third-party sources, but they often ignore the risks involved. Some third-party ROMs may come preloaded with rogue software that quietly places advertisements in the background or steals private data.


This type of attack is similar to other remote attacks, but it allows the device to quietly send data to a designated server without exploiting any vulnerability.


Common misunderstanding

When it comes to firmware security, engineers tend to believe that solutions like firmware data encryption, code obfuscation or code hardening can fix the problems resulting from rooting. For example, an integrity-checking feature is added to the code, and if the device fails the integrity check, it is rebooted.


However, the reboot logic is untenable if hackers or security professionals simply delete the check logic. So, when the check logic can no longer determine whether the code is the original, how can we determine the security of the firmware?


New approach to firmware security
Firmware is an often-overlooked component of devices that is highly vulnerable and an increasingly attractive entry point for hackers. Hackers have targeted firmware as a place to embed malware and hide other malicious code that can ultimately compromise a system.


Under the current technical conditions, the integrity cannot be guaranteed by software alone, and a new approach to firmware security risk mitigation is needed. Hardware must be involved to truly solve the problem:


1. The secure boot code is embedded inside the chip to prevent the startup process from being altered. After the device is started, the processor immediately executes the code in read-only memory (called the Boot ROM). The Boot ROM code contains a public key used to verify that the underlying bootloader is signed, and so to determine whether it should be allowed to load. Every component in each step of the startup process should be encrypted and signed to ensure its integrity, and each step can continue only after successful verification. A secure boot chain helps ensure that the underlying software is not tampered with.


2. The second defense mechanism is anti-degradation, that is, protection against firmware downgrade, which is an important concept in firmware attacks. If the device can be downgraded, attackers will install an earlier version of the firmware once they have control of the device, and use an unfixed bug in the old version to do the damage.


3. The third defense mechanism is security in the OTA upgrade. The device should use HTTPS when transferring software update information, to ensure the confidentiality and integrity of the firmware update package and to prevent data leakage and tampering with the firmware package.
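
The anti-degradation check from the second mechanism can be sketched as follows. This is an added example, not Hikvision code: the one-time-programmable fuse word is simulated in a variable, the unary fuse counter is one common design assumed here, and the names `image_header`, `verify_next_stage` and `commit_version` are hypothetical. The signature check from the first mechanism is taken as an input (`signature_valid`) rather than implemented.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated OTP fuse word (assumption): bits can only go from 0 to 1. */
static uint32_t otp_fuses = 0;

enum boot_result { BOOT_OK, BOOT_BAD_SIGNATURE, BOOT_BAD_VERSION, BOOT_ROLLBACK };

struct image_header {
    uint32_t security_version; /* must sit inside the signed region */
    bool signature_valid;      /* result of the earlier signature check */
};

/* Minimum acceptable version = number of blown fuses (unary counter). */
static uint32_t otp_min_version(void) {
    uint32_t v = otp_fuses, n = 0;
    while (v) { n += v & 1u; v >>= 1; }
    return n;
}

/* Blow fuses up to `version`; OR-ing can never lower the counter. */
static void otp_raise_min_version(uint32_t version) {
    otp_fuses |= (version >= 32) ? 0xFFFFFFFFu : ((1u << version) - 1u);
}

/* Decide whether this stage may hand control to the next image. */
enum boot_result verify_next_stage(const struct image_header *h) {
    if (!h->signature_valid)
        return BOOT_BAD_SIGNATURE;   /* unsigned fields are never trusted */
    if (h->security_version > 32)
        return BOOT_BAD_VERSION;     /* beyond what 32 fuses can encode */
    if (h->security_version < otp_min_version())
        return BOOT_ROLLBACK;        /* older than the fused minimum */
    return BOOT_OK;
}

/* Call only after the new image has booted and proven healthy. */
void commit_version(const struct image_header *h) {
    if (verify_next_stage(h) == BOOT_OK)
        otp_raise_min_version(h->security_version);
}

int main(void) {
    struct image_header v3 = {3, true}, v2 = {2, true};
    commit_version(&v3);             /* device updated to version 3 */
    printf("v2 after update: %d\n", verify_next_stage(&v2));
    return 0;
}
```

Because the minimum version lives in fuses rather than in flash, an attacker who can rewrite the firmware storage still cannot lower it, which matches the page's point that hardware must be involved.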


In addition, device manufacturers usually maintain debug ports (e.g. JTAG and UART) for debugging during product design, program burning in production, and diagnostic testing. To prevent attackers from obtaining detailed information on implementations through these ports, it is necessary to take measures to turn off the debugging ports or add authentication on them.


Hikvision product security long-term support policy
As a globally leading IoT solution provider, Hikvision always focuses on improving our service regarding product security. We also provide a long-term support policy to quickly respond to cybersecurity issues, so that customers can use our products with confidence that they will be protected.


Our long-term support policy for product security includes response to security vulnerabilities, firmware updates, and provision of firmware with security certification. Among them, Hikvision provides continuously optimized firmware to prevent security vulnerabilities, ensuring trusted protection in the whole product lifecycle.


Please click here to know more details regarding the applicable products.  
