Are Your Devices Hardwired For Betrayal?

March 2nd, 2015

Via: EFF:

How Do We Fix It?

Hardware manufacturers must take steps to address this problem before more firmware disasters come to pass. In the past, hardware manufacturers have been more worried about physical and side-channel attacks. Manufacturers therefore focused mainly on making their hardware and firmware opaque and tamper-proof in hopes that, if no one could reverse engineer the firmware, then no one would be able to attack it. Unfortunately this defense has proven ineffective. This should serve as a stark reminder of the old adage: “Security through obscurity is no security at all.” We need to take back transparency and verifiability in our hardware.

Although this is a daunting problem, it is solvable. To avert this disaster there are three things that must happen right away:

1. Firmware must be properly audited. Hardware manufacturers need to hire security professionals to audit their firmware and publish the results. Preferably, hardware companies should hire full time security staff to make sure that their code is audited before it ever gets installed. Hardware manufacturers could also release the source code for their device’s firmware, allowing independent security researchers and laypersons to review the code as well—and perhaps even improve it. People have a right to inspect the code that is running on their computers.

2. Firmware updates must be signed. Firmware updates should be signed by the manufacturers so that we can be sure we are installing trusted code when we upgrade our firmware. Additionally, manufacturers should ensure that there is an easy mechanism for the average user to check the signature and upgrade their firmware. Ideally users would not have to rely on the broken certificate authority system to verify these signatures.

3. We need a mechanism for verifying the integrity of installed firmware. Of course, even if we have signed updates to firmware, some piece of malware could reprogram the firmware already on the device and have a good long life, before it eventually gets updated (if ever). Because of this, we need a way to verify the code on our hardware devices at boot time or run time in a way that can’t be subverted by malicious firmware already on the device.

None of these things are inherently difficult from a technological standpoint. The hard problems to overcome will be inertia, complacency, politics, incentives, and costs on the part of the hardware companies.
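An added example, not part of the EFF article: one way a user could check a signed firmware update without any certificate authority, by pinning the SHA-256 fingerprint of the manufacturer's public key. It assumes the `openssl` command-line tool and ECDSA P-256 signatures; the key pairs, file names and firmware contents are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: signature check against a pinned vendor key (no CA involved).

# key_fingerprint PUBKEY_PEM -> SHA-256 hex of the DER-encoded public key
key_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# verify_firmware IMAGE SIG PUBKEY_PEM PINNED_FINGERPRINT
# Succeeds only if the key matches the pin AND the signature covers the image.
verify_firmware() {
    [ "$(key_fingerprint "$3")" = "$4" ] || { echo "untrusted key"; return 2; }
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1 \
        || { echo "bad signature"; return 1; }
    echo "ok"
}

# make_demo DIR: build constructed sample data (a vendor key, an unrelated key,
# a genuine image signed by the vendor, a modified image signed by the other key).
make_demo() {
    for who in vendor other; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
            -out "$1/$who.key" 2>/dev/null
        openssl pkey -in "$1/$who.key" -pubout -out "$1/$who.pub"
    done
    printf 'FWIMG-1.0 constructed sample payload\n' > "$1/fw.bin"
    printf 'FWIMG-1.0 constructed sample payload, modified\n' > "$1/fw_tampered.bin"
    openssl dgst -sha256 -sign "$1/vendor.key" -out "$1/fw.sig" "$1/fw.bin"
    openssl dgst -sha256 -sign "$1/other.key" -out "$1/other.sig" "$1/fw_tampered.bin"
}

d=$(mktemp -d)
make_demo "$d"
# Assumption: the real pin reaches the user out of band (manual, device label),
# not alongside the download. Here it is derived from the constructed vendor key.
PIN=$(key_fingerprint "$d/vendor.pub")

# Genuine image, vendor signature, pinned key: accepted.
verify_firmware "$d/fw.bin" "$d/fw.sig" "$d/vendor.pub" "$PIN"
# Modified image with the original signature: rejected.
verify_firmware "$d/fw_tampered.bin" "$d/fw.sig" "$d/vendor.pub" "$PIN" \
    || echo "  -> rejected (exit $?)"
# Modified image with a valid signature from a key that is not pinned: rejected.
verify_firmware "$d/fw_tampered.bin" "$d/other.sig" "$d/other.pub" "$PIN" \
    || echo "  -> rejected (exit $?)"
rm -rf "$d"
```

This covers only the update path in item 2; a check that runs on the device cannot by itself satisfy item 3, since firmware that is already compromised could report whatever result it likes.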
