Nowadays, it’s difficult to find a hardware vendor that develops all the components present in its products. Many of these components, including firmware, are outsourced to ODMs. This limits the ability of hardware vendors to have complete control over their hardware products. In addition to creating extra supply chain security risks, it also produces security gaps in the threat modeling process. Through this research, we wanted to raise awareness about the risks in the firmware supply chain and the complexity of fixing known vulnerabilities.
Firmware patch cycles typically last around 6-9 months (sometimes even longer) due to the complexity of the firmware supply chain and the lack of a uniform patching process. In many cases, 1-day and n-day vulnerabilities have a large impact on enterprises because the latest firmware update has not been installed or the device vendor has not yet released a patch. Each vendor follows its own patch cycle. Even known issues may not be patched until the next firmware update is available.
This exposure to firmware and hardware threats creates serious concerns about the attack surface. Threat actors do not need complex exploits to persist, since many devices remain outdated for years, posing serious security risks to enterprise infrastructure. We will discuss the evolution of advanced threat actors and how firmware attacks can remain hidden for years.