The Risks and Rewards of Open Platform Firmware

Can you build a product using open platform hardware? Yes, if you understand the risks.

Open-source hardware is great for a lot of things. It gives students and educators a great learning platform, and it's the perfect solution for all sorts of DIY projects . But can you design a commercial product around open source?

You can if you understand the risks and take the proper security precautions, particularly when it comes to your firmware.

Speaking at the 2017 Embedded Systems Conference (ESC) in Boston Brian Richardson, a technical evangelist for Intel, praised open hardware platforms for many reasons: they offer publicly available designs; they're based on open-source concepts; and they encourage experimentation, new features, and new designs. The DIY and Maker community has already heavily embraced hobbyist boards like the Raspberry Pi and Arduino, and there are other products on the market as well such as the MinnowBoard and Intel's own Galileo Board .

Intel technical evangelist Brian Richardson explains how UEFI Capsule can enable secure remote firmware updates to an audience at ESC Boston 2017. (Image source: Design News)

“On an open hardware platform the firmware is made available primarily for debugging and hacking,” Richardson told the audience. “It ships with unsigned binary firmware images because as a maker if we signed binary it doesn't do you any good. It also assumes updates are run by a developer – and hopefully not a hacker.” The trouble comes, Richardson said, because the platform identifiers are not unique. If a developer uses GitHub or some other open-source repository to get a GUID for a platform that means everyone else can get and use the same one as well, even people with bad intentions.

There are also problems inherent in the way firmware itself operates. “Firmware initializes hardware, establishes root-of-trust, then hands things off to OS ... which creates an opportunity for someone else,” Richardson said. “Standardization is good but it means people who want to do bad things only have to read one book. If everyone plays by the rules this is great...but guess what? People don't play by the rules.” Compounding this is that firmware is more deeply embedded into the system than a program running off a hard drive. If your computer catches a virus at the most extreme you can at least wipe your drive to get rid of it. No amount of wiping will clear exploited firmware.

Last year an exploit, dubbed ThnkPwn, was discovered in Lenovo and other brand laptops and Intel motherboards that allows hackers to install malicious code directly into a computer's Extensible Firmware Interface (UEFI), the modern equivalent of BIOS meant to standardize firmware across manufacturers. Once this is done an attacker can disable critical security features at the hardware level and can pretty much have the run of your system. Think of it like a thief rather than having the keys to your house instead having access to the locksmith who makes any and all possible keys to your house.

So how do you deploy products based on open designs without creating a BlackHat presentation waiting to happen?

The first step Richardson said is to build for release

Comments

What is missing here is the reality that a product for the real world consists of more than a processor and some code. "Hardware" includes the balance of the product, the part that actually delivers some action in the real world. While code seldom breaks or wears out, hardware frequently does fail, and so it should have more attention and engineering, aside from the efforts to reduce the cost by reducing the value as much as possible.

yes man, its a very useful article. i tried it on my sites. its work. thank you so much. acer driver update acer support http://best-pc-security.uk/

Add new comment

By submitting this form, you accept the Mollom privacy policy.