Yuriy Bulygin knows all about computer vulnerabilities. He spent most of his career at Intel Corp. studying security flaws in chips, including several years as the company’s chief threat researcher, until last summer. So you can believe him when he says he’s found something new: His latest research, set to be published on May 17, shows hackers can exploit previously disclosed problems in microprocessors to access a computer’s firmware—microcode that’s stored permanently inside processors and other chips—to get to its most sensitive information. “The firmware has access to basically all the secrets that are on that physical machine,” he says.
The hacking technique Bulygin found exploits the Spectre vulnerabilities, initially unearthed by Google and other researchers and disclosed earlier this year. The tech giant discovered that millions of computers and smartphones could be compromised by Spectre, which takes advantage of glitches in how processors try to predict what data they believe users will need next, and fetch it in advance. Bulygin’s technique goes a step further by enabling hackers to read data from a particular type of firmware called system management mode memory. The code is linked to access rights that control key functions of the machine, including shutting down the central processing unit if the computer gets too hot or letting administrators configure the system. With access to the SMM memory, hackers can get essentially any data they want.
Cloud computing services may be at the greatest risk, Bulygin says, because the glitch could be used to breach protections for keeping companies’ data separate on physical servers. The hackers who access those systems’ firmware can not only move between the databases and steal information but also look through the firmware’s own code to reveal some of the servers’ most heavily defended secrets, including encryption keys and administrative passwords.
Bulygin now heads Eclypsium Inc., a startup focused on protecting against threats to firmware. It attracted $2.5 million in seed funding from Intel and venture capital company Andreessen Horowitz in October. (Bloomberg LP, which owns Bloomberg Businessweek, is an investor in Andreessen Horowitz.) Until now, most cybersecurity outfits have focused on protecting software and networks, not the guts of the machines. Spies have known about risks to firmware for ages; a perusal of the classified National Security Agency documents that Edward Snowden leaked shows intelligence services have been attacking it for decades using tools called implants. Those can be anything, including malicious code or chips designed to hijack circuit boards to modify firmware and other legitimate code.
Corporations and cybersecurity companies are paying a lot more attention now to the hardware threat, says Joe FitzPatrick, a former security research scientist with Intel and founder of Hardware Security Resources LLC. “In general, if there’s a hardware implant, nothing can be trusted on the system,” he says.
The danger attracted scant attention until now because companies were too focused on covering the basics. This year, Gartner Inc. projects spending on cybersecurity will total almost $100 billion, with most going to consulting, outsourcing, and other services. Only a fraction goes to defense against hardware-level threats. “It hasn’t been something that the security industry has focused on,” says Martin Casado, an Andreessen Horowitz partner who led the company’s investment in Eclypsium. “It’s a heavily, heavily technical, heavily specialized space.”
Eclypsium is one of a handful of companies developing technology to look for malicious modifications to the firmware inside companies’ data centers. ReFirm Labs Inc. in Fulton, Md.—whose founders worked at the NSA—has teamed with software developers to monitor the firmware they’re building or using from third parties to ensure that malicious code isn’t added in the early phases of development. Apple Inc. bought LegbaCore, a forensics startup from the Washington, D.C., area that specialized in firmware, in November 2015.
One obvious potential client: the U.S. government. Last month the FBI and the Department of Homeland Security warned that since at least 2015, hackers working for the Russian government have exploited large numbers of network routers and switches—including home equipment—in part by modifying their firmware to establish a permanent presence on the afflicted machines. The goal was to route traffic through Russian government-controlled servers and copy it for espionage purposes, the agencies said.
Bulygin doesn’t know whether hackers have already tried to use the techniques he discovered to infiltrate computers, because this new class of hardware attack is virtually undetectable. Software hacks can usually be removed with a security update, but malicious code that makes its way into firmware could be there forever because of its role in the backbone of a chip or processor. “It’s a blind spot with a huge attack surface,” Bulygin says, “which is obviously not a good combination.”