Proprietary firmware poses a security threat, Ubuntu founder says

Hardware manufacturers should move the software part of their innovations into the Linux kernel, Mark Shuttleworth said

Mark Shuttleworth, the founder of the popular Ubuntu Linux distribution, believes proprietary and unverifiable firmware code poses a serious security threat to users and he encourages hardware manufacturers to implement support for their innovations through the Linux kernel instead.

"If you read the catalogue of spy tools and digital weaponry provided to us by Edward Snowden, you'll see that firmware on your device is the NSA's best friend," Shuttleworth said Monday in a blog post.

"Your biggest mistake might be to assume that the NSA is the only institution abusing this position of trust -- in fact, it's reasonable to assume that all firmware is a cesspool of insecurity courtesy of incompetence of the worst degree from manufacturers, and competence of the highest degree from a very wide range of such agencies," he said.

Shuttleworth argues that manufacturers have made a habit of adding support for new functionality through firmware because in the past they were shipping computers with Windows, an operating system they couldn't change. However, that's not the case with Linux, and Linux "is almost certainly the platform that matters" in the new world of embedded devices, he said.

The Advanced Configuration and Power Interface (ACPI), a specification that allows operating systems to discover, configure and monitor hardware components, is an example of a design that shouldn't be replicated in future devices, according to Shuttleworth.

"Arguing for ACPI on your next-generation device is arguing for a trojan horse of monumental proportions to be installed in your living room and in your data centre," he said. "I've been to Troy, there is not much left."

Over the years security researchers have found vulnerabilities in the proprietary firmware of many devices, from credit card readers to routers and industrial control systems, and they generally concluded that such software had not been developed with security in mind.

In November, security researchers from Rapid7 revealed that the Intelligent Platform Management Interface (IPMI) firmware in motherboards from server manufacturer Supermicro had serious vulnerabilities. IPMI allows system administrators to manage and monitor servers remotely from outside their main OS through a Baseboard Management Controller (BMC) directly connected to the motherboard's southbridge and a variety of sensors.

Last week, developers of Replicant, an Android-based operating system, claimed they found a backdoor in Samsung Galaxy devices that resulted from a vulnerability in the proprietary code handling communications between the Android OS and the firmware controlling the modem, also known as the baseband.

Other security researchers have also warned in the past that vulnerabilities in the baseband firmware used in mobile devices could be used to bypass the security controls implemented in the main OS.

"Proprietary firmware can introduce vulnerabilities to an otherwise secure platform," said Henry Hoggard, a security consultant at London-based security firm MWR InfoSecurity, Tuesday via email. "It is also possible that the firmware can contain backdoors that would give attackers high privileged access to the system."

Compared to Ubuntu, and Linux in general, where there are processes in place to ensure that any issues found in the code can be fixed and the patches delivered to millions of users in a timely manner, "the processes for finding and fixing problems in firmware are non-existent and not improving," Shuttleworth said.

Because of that, the Ubuntu founder believes that hardware manufacturers should start adding support for their new features directly into the Linux kernel and should provide only "declarative firmware that describes hardware linkages and dependencies but doesn't include executable code."

In theory this would be a good approach, because it would allow the code to be reviewed by a much wider audience and vulnerabilities to be more easily found and fixed, Hoggard said. "It would also give users the peace of mind that there are no malicious components present on their systems."

However, there are some logistical issues, as vendors might not want to wait for their code to be accepted into the Linux kernel and may find it easier and more manageable to stick with the current model, Hoggard said. Vendors might also have a problem with this approach if it involves exposing their intellectual property, for example any algorithms they have developed in-house, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags patchesonline safetysecurityRapid7MWR InfoSecurityhardware systemspatch managementExploits / vulnerabilities

More about BMC Software AustraliaBMC Software AustraliaGalaxyLinuxNSARapid7SamsungUbuntu

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts