The cybersecurity world has placed a good deal of attention on malware such as the Black Lotus bootkit, and the Android-based bank credential-stealing malware Xenomorph. As these large threats loom, we are reminded about one of the most vulnerable industries, where application and platform security are essential, healthcare. According to a Check Point Research (CPR) report, cyberattacks on healthcare organizations increased by 60% in 2022, to a rate of 1,426 attacks per week. Understandably ransomware seems to be the most desirable type of these attacks, where heavy reliance on data through networked systems and the privacy requirements of that data are paramount. January 28, 2023, Zoll, a maker of wearable defibrillators, fell victim to an attack where the personal records of over 1 million people were stolen.

Healthcare IT Ecosystem Vulnerabilities are Expanding

The healthcare industry has been steadily expanding its IT footprint, bringing more and more devices online and collecting and analyzing critical data. This effort accelerated during the COVID pandemic, where telehealth appointments, remote patient monitoring services, and amended insurance offerings were able to extend quality care to consumers at a quicker and less-expensive rate. This rapid expansion, however, has created more vulnerabilities. Additionally, the use of third parties in the healthcare IT infrastructure has opened the door for more cyberattacks.

Vulnerability in Healthcare Data Centers  

More recently Healthcare data centers have had attacks occur on their foundational technology, on server motherboard firmware. As reported by firmware and supply chain security company Eclypsium in June 2022 through a series of leaked chats. the Conti ransomware gang was trying to gain access to the Serial Peripheral Interface (SPI) bus, through Intel ME firmware “to gain indirect access to the UEFI/BIOS, drop additional payloads, and gain runtime control of the system below the operating system using System Management Mode (SMM).” The report goes further to involve the Russian Foreign Service Bureau (FSB) as a beneficiary.

Vulnerability in Connected Medical Devices

According to a Healthcare Innovation report, data shows that 53 percent of connected medical devices and other IoT devices in hospitals have a known critical vulnerability. And these vulnerabilities are increasingly happening in the foundational technology of the healthcare components. One example was a firmware vulnerability found uncovered in the control panel of Swisslog Healthcare’s Translogic Pneumatic Transport System (PTS) in August 2021. A vulnerability known as “PwnedPiper” was able to infiltrate and allow for unauthenticated and unencrypted firmware updates. The attacker could then take over a hospital’s entire PTS, shutting down a critical system for transporting medication, blood, and lab samples.

Protection of Healthcare IT at Its Foundation

In order to prevent such cyberattacks through firmware, healthcare providers should incorporate a firmware resiliency or platform root of trust (PRoT) solution to create a chain of trust for higher layers of the IT stack by detecting, protecting, and recovering device firmware to a trusted state. To secure against the Conti attack, such solutions can authenticate the boot and peripheral device firmware while filtering the SPI bus for intrusions.

Healthcare devices like the Translogic PTS could also utilize a PRoT solution, preventing attackers from compromising the device firmware with unauthenticated and unencrypted code. Utilizing a Hardware Root of Trust (HRoT) controller,  firmware updates can be verified against its cryptographic key. Any failures would drive recovery of the firmware to a known, authenticated version, avoiding system downtime and potential breach into the medical device.

Tektagon Platform Root of Trust for Healthcare IT

AMI Tektagon is a NIST® SP 800-193 compliant family of Platform Root of Trust solutions that includes comprehensive image verification, runtime protection, and recovery from the platform and peripheral firmware corruption. Provided as a simple drop-in for use with AMI Aptio and MegaRAC boot firmware, Tektagon delivers design flexibility, hardware reuse, and comprehensive support for cloud service providers, server ODMs and OEMs, central office and edge switching and client and embedded device manufacturers.

To learn more,  please contact our sales representatives.

“Firmware presents a large and ever-expanding attack surface,” says the U.S. government in a joint report from the U.S. Department of Homeland Security and the Department of Commerce. This 2022 report, a response to the Cybersecurity Executive Order of 2021, pointed out significant weaknesses in the firmware supply chain. Firmware attacks have a unique advantage over other attacks because of their ability to execute malicious code undetected by operating systems and most security solutions.

Each device – whether server, desktop, mobile, or connected device – has firmware, and firmware attacks typically come as malicious code introduced via a firmware update. This vulnerability exists because firmware can be tampered with from creation to distribution, with firmware-enabled components being exposed throughout the entire supply chain. LoJax and MoonBounce are examples of UEFI firmware attacks that not only reside in the nonvolatile SPI flash containing the boot firmware but execute at a level more privileged than the operating system’s kernel. A single compromised device can be used as a gateway by cybercriminals to cause a data breach, leading the financial and reputational damages for organizations.

Securing Firmware Reduces Supply Chain Attack Surface

While there is no single magic bullet to secure firmware in the supply chain, below are five best coding practices that can be applied to make firmware more secure throughout the supply chain.

1. Secure-by-design Approach

Security should be integrated at the earliest phase of firmware development. Identifying and implementing security remedies early in the development cycle is a cost-effective way to prevent security vulnerabilities prior to deploying firmware. Good developers are able to understand hardware design, consider potential security risks, and implement preventative measures. Firmware security is further bolstered when the hardware is also designed for security. Components such as a hardware root of trust can detect and protect firmware compromises.

2. Testing and Validation

Development and use of test plans that take advantage of static and dynamic testing tools are critical. Static tools help identify poor coding practices and improve code quality. Dynamic tools help identify vulnerabilities in the runtime environment through various techniques including black box, penetration, and stress testing; just to name a few. Input validation, memory safety, and testing for the threat vectors specified in your threat model are all parts of a solid testing and validation plan.

3. Leveraging Source Control and Collaboration

Source control systems empower developers to maintain change histories, employ automated testing, and enable reproducible builds. Good source control systems promote modern firmware development practices to break up work into smaller pieces for frequent integration with the team’s work. The idea to “commit early, push often” alongside constant collaboration between team members and other stakeholders ensures the firmware meets the requirements and makes way for security and peer reviews.

4. Implementing Software Bill of Materials (SBOM)

Maintaining the firmware’s bill of materials is becoming an increasingly necessary tool to bolster firmware security by providing a complete picture of the firmware’s supply chain. This will allow developers and their organizations to understand the potential security risks associated with the firmware and its third-party components and enables them to make informed decisions about their firmware supply chain.

5. Maintaining a Firmware Security Ecosystem

Even after the secured firmware has been developed, an ecosystem must be maintained for the developers, the firmware, and the customer. Developers need to be able to stay up-to-date on the latest development trends, techniques, and tools in order continuously improve their knowledge, skills, and the resulting product. In addition, developers need convenient means of reporting and remediating vulnerability sightings so they can implement firmware updates in a timely manner.

Vulnerabilities are Inevitable, but Best Coding Practices Can Minimize them

Protecting firmware’s end users requires a well-developed, systematic, security-first ecosystem that is built around the firmware. Through a secure-by-design approach and best practices of development and testing, firmware can be more secure throughout the supply chain. The ecosystem must also include features that alert downstream stakeholders about potential vulnerabilities and provide dynamic firmware updates, enabling end users to automate firmware updates as soon as vulnerabilities are discovered.

With deep experience in developing and delivering firmware to the computing industry, AMI is uniquely positioned to develop, deploy and help secure firmware throughout the supply chain across the cloud, telecommunications, automotive industry, edge computing, and beyond.

To learn more about how AMI can secure your platform firmware, visit AMI Zero Trust firmware.

AMI Tektagon™ XFR Platform Root of Trust (PRoT) Firmware Resilience on Arm-based Platforms

In order to secure platform firmware, the platform-agnostic AMI Tektagon XFR PRoT solution is a perfect fit. This solution leverages the Lattice™ Mach-NX Series, a low-power FPGA Hardware Root of Trust (HRoT) controller to detect, recover and protect against host firmware intrusions for total firmware resiliency. Additionally, for heightened system security, AMI Tektagon XFR delivers firmware attestation to peripheral devices as well as those on the motherboard. This complete PRoT solution is offered across all major platforms including Arm-based systems.

As cloud and on-premises data centers meet greater demands, it is crucial that there are more systems that can support the performance, scalability, and sustainability requirements with greater manageability. Meeting these demands are the Arm-based platforms, such as that provided in the Ampere Altra processor servers. Architected to meet the greatest functionality demands, these Arm-based platforms can provide all the necessary components to support a fully resilient PRoT solution, on the motherboard as well as peripheral devices.

What will be Revealed by AMI and Arm at the OCP Regional Summit?

At the Open Compute Project’s Regional Summit in Prague on April 19th and 20th, AMI and Arm will reveal AMI Tektagon XFR, deployed on a Broadcom PCIe Card connected to an Arm-based, Ampere Alta processor platform. The solution will show a secure system boot with device attestation using SPDM for active system management.

During the pre-boot phase, Tektagon XFR will initialize with the SPDM device to the Broadcom controller. Once the communication is established, the solution will verify the correct device manufacturer through a certificate exchange. Lastly, Tektagon XFR will run an attestation on signed measurements from the device, comparing it to known “good” values. With a successful attestation, the system will be released to boot. If attestation is unsuccessful, the system will be held at reset.

In addition to the demonstration, AMI and Arm will have a technical presentation about “Secure System Design on Arm using Platform Root of Trust (PRoT).” The session will be held at 9:30 am on April 20th.

Please Join AMI’s Booth Number A15 for the Demo Experience

Interested in viewing this live demo? Participants can find this and other demonstrations in the AMI booth (A15), at the OCP Regional Summit on April 19th and 20th. Stop by and engage with us for further discussions.

About AMI Tektagon XFR

AMI Tektagon XFR is a fully NIST 800-193 compliant integrated PRoT solution that is cost-effective, scalable, compatible, and easy to implement. The solution leverages a Lattice Mach-NX Series, a low-power FPGA controller to deliver pre-verified, PFR-compliant functionality, to a server’s motherboard and peripheral devices. Features of the Tektagon XFR solution include image validation, firmware attestation, and recovery, to deliver full firmware resiliency.

AMI Tektagon™ Answers the Call

Platform Root of Trust (PRoT) solutions, like AMI Tektagon XFR, enabled by the low-power Lattice™ Mach-NX Hardware Root of Trust FPGA can add platform firmware resiliency. However, the effort to implement a PRoT solution is not trivial.  Combine that with the hurdles of integrating different types of platform firmware with the compatibility necessary to initialize the host silicon.  Additionally, developers might be challenged to scale across multiple silicon and platform vendors. These challenges become more significant when building compatibility across different open-source firmware.

What Does AMI Tektagon XFR Demo on AMD Platform Showcase?

At the Open Compute Project’s Regional Summit in Prague on April 19th and 20th, AMI and AMD will showcase the AMI Tektagon XFR running on AMI Aptio OpenEdition UEFI open-source boot firmware using AMD 4th Gen EPYC™ processor-based platform.  The solution delivers detection of firmware intrusions, protection against ongoing firmware intrusions, and recovery from compromised firmware.

During the demo, OCP attendees will be able to see Tektagon XFR, running on the Lattice Mach-NX FPGA perform CPU attestation using SPDM with AMI Aptio OpenEdition boot firmware.  During the pre-boot phase of the platform bring-up, Tektagon will serve as the SPDM requester and issue commands to receive measurements from AMD’s SoC boot images. If the values received are different from the “known good measurements”, the boot process is halted.  Booting will then be prevented until the firmware image is recovered and a good flash image is reported.

Please join us at AMD Booth Number A4 to Experience the Demo

Interested in viewing this live demo? Participants can find this and many other demonstrations in the AMD booth (A4), at the OCP Regional Summit on April 19th and 20th.  Stop by and engage with members of AMD and AMI for further discussions.

About AMI Tektagon

AMI Tektagon XFR is an integrated PRoT solution that is cost-effective, scalable, compatible, and easy to implement.  The solution leverages a Lattice Mach-NX Series, a low-power FPGA controller to deliver pre-verified, PFR-compliant functionality, to a server’s motherboard and peripheral devices.  Features of the Tektagon XFR solution include image validation, firmware attestation and recovery, to deliver full firmware resiliency.

As part of the Forbes Tech Council, our CEO, Sanjoy Maity, authors insightful pieces on a variety of relevant tech industry topics. In his latest piece, he shares his thoughts on the future of sustainable data centers. 

You can read the full article here:  https://www.forbes.com/sites/forbestechcouncil/2023/03/17/pioneering-the-future-of-sustainable-data-centers/?sh=62ad536f49fc. 

Our CISO, Samuel Cure, recently shared his thoughts with Authority Magazine on cyber defense. You can read “Cyber Defense: Samuel Cure Of AMI On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” by clicking here: https://medium.com/authority-magazine/cyber-defense-samuel-cure-of-ami-on-the-5-things-every-american-business-leader-should-do-to-772bc861533. 

We are excited to share that our CEO, Sanjoy Maity, is a member of the Forbes Technology Council. He recently authored a Council post on the importance of supply chain security and protecting enterprises from vulnerabilities.

You can Sanjoy’s full article here: https://www.forbes.com/sites/forbestechcouncil/2023/02/17/securing-supply-chains-and-protecting-businesses-from-critical-vulnerabilities/?sh=716e3b7a5cd5.

Why are UEFI Firmware Exploits so Dangerous?

Before exploring past exploits and possible countermeasures, it is crucial to understand why UEFI exploits are one of the most dangerous types of threats:

• UEFI firmware has elevated access privileges over the operating system (OS) kernel, meaning that any UEFI exploit can alter OS executables and file systems.
• Recovery back to a golden image is also not possible. UEFI images reside in SPI flash, which is non-volatile storage on the motherboard, so recovery from an SSD / HDD format source is not an option.
• In addition, since any malicious code installed in SPI flash cannot be deleted, a reinstall of the OS merely reactivates the exploit.

The Latest Evolution of UEFI Rootkits – MoonBounce

Advanced persistent threat (APT) groups, such as China’s APT41 and Russia’s APT28, have been pioneers in UEFI exploits. In 2018, the first UEFI rootkit detected in the wild was APT28’s LoJax rootkit. In 2020, a suspected Chinese APT leveraged a UEFI rootkit in its MosaicRegressor malware. These two exploits leverage a modified UEFI image that included additional UEFI modules to execute the attack. According to Kaspersky, APT41 created the MoonBounce malware. APT41 carried out its attack not by creating new components but by altering preexisting UEFI components – making it nearly impossible for current security software to detect. Firmware-based rootkit attacks such as this have similar goals of installing a malware loader in user space to communicate with the attacker’s command-and-control (C&C) server and install additional malware. The evolution of BIOS firmware to open designs has only encouraged and empowered rogue actors. Further adding to their arsenal is the move towards an open-source software (OSS) development model for BIOS firmware. This model can potentially give hackers insight into unmitigated vulnerabilities in the OSS or inject malicious code into the projects themselves. Both scenarios provide potential attack vectors vulnerable to subsequent exploitation. UEFI Secure Boot, Intel® Boot Guard and AMD Platform Security Processor (PSP) are advancements to help mitigate UEFI threats, but they have some limitations. These countermeasures can detect when the firmware has been altered but cannot recover the system where the altered firmware resides. This limitation can potentially cause massive downtime spikes to data centers as they manually recover the firmware – if this is even possible. Likewise, Measured Boot with a trusted platform module (TPM) also has its limitations. While remote attestation can detect firmware intrusion, remediation still requires intervention to mitigate an attack.

Protecting a Platform from UEFI Firmware Exploits

Protection from UEFI firmware exploits requires secure bootup. This means the system must start with untampered UEFI/BIOS firmware and trusted baseboard management controller (BMC) firmware (where applicable). The system must also detect run-time exploit attempts and defend against such attacks. Both aspects of platform security require in-depth expertise in BIOS and BMC. AMI has applied its 35 years of deep expertise in BIOS and BMC firmware development to address both requirements and deliver its robust Tektagon™ XFR Platform Firmware Resiliency (PFR) solution. Tektagon XFR provides a Platform Root of Trust (PRoT) for onboard firmware components to detect, protect and, if necessary, recover firmware from unauthorized modification. And by orchestrating a connection between the Root of Trust and other firmware components, Tektagon XFR can deliver advanced features – making the AMI PRoT solution stand out from others. In this instance, Tektagon XFR would simply eradicate the MoonBounce attack from the system. It would detect that the content of the flash had been tampered with during Power On and trigger an automatic recovery from a known good image. To learn more about firmware security with the Tektagon XFR Platform Resiliency Firmware solution, please visit ami.com/tektagon and contact us at ami.com/contact. All trademarks and registered trademarks referenced here are the property of their respective owners in the US and other countries.