New to CAPEC? Start Here
Home > CAPEC List > CAPEC-682: Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities (Version 3.9)  

CAPEC-682: Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities

Attack Pattern ID: 682
Abstraction: Standard
View customized information:
+ Description
An adversary may exploit vulnerable code (i.e., firmware or ROM) that is unpatchable. Unpatchable devices exist due to manufacturers intentionally or inadvertently designing devices incapable of updating their software. Additionally, with updatable devices, the manufacturer may decide not to support the device and stop making updates to their software.
+ Extended Description
When a vulnerability is found in a device that has no means of patching, the attack may be used against an entire class of devices. Devices from the same manufacturer often use similar or identical firmware, which could lead to widespread attacks. Devices of this nature are prime targets for botnet attacks. Consumer devices are frequently targeted for this attack due to the complexities of updating firmware once manufacturers no longer have physical access to a device. When exploiting a found vulnerability, adversaries often try to gain root access on a device. This allows them to use the device for any malicious purpose. Some example exploits are stealing device data, using the device for a ransomware attack, or recruiting the device for a botnet.
+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.212Functionality Misuse
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
View NameTop Level Categories
Domains of AttackSoftware, Hardware
Mechanisms of AttackAbuse Existing Functionality
+ Execution Flow
Explore

  1. Determine vulnerable firmware or ROM code: An adversary will attempt to find device models that are known to have unpatchable firmware or ROM code, or are deemed “end-of-support” where a patch will not be made. The adversary looks for vulnerabilities in firmware or ROM code for the identified devices, or looks for devices which have known vulnerabilities

    Techniques
    Many botnets use wireless scanning to discover nearby devices that might have default credentials or commonly used passwords. Once these devices are infected, they can search for other nearby devices and so on.
Experiment

  1. Determine plan of attack: An adversary identifies a specific device/model that they wish to attack. They will also investigate similar devices to determine if the vulnerable firmware or ROM code is also present.

Exploit

  1. Carry out attack: An adversary exploits the vulnerable firmware or ROM code on the identified device(s) to achieve their desired goal.

    Techniques
    Install malware on a device to recruit it for a botnet.
    Install malware on the device and use it for a ransomware attack.
    Gain root access and steal information stored on the device.
    Manipulate the device to behave in unexpected ways which would benefit the adversary.
+ Prerequisites
Awareness of the hardware being leveraged.
Access to the hardware being leveraged, either physically or remotely.
+ Skills Required
[Level: Medium]
Knowledge of various wireless protocols to enable remote access to vulnerable devices
[Level: High]
Ability to identify physical entry points such as debug interfaces if the device is not being accessed remotely
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Integrity
Modify Data
Confidentiality
Read Data
Access Control
Authorization
Gain Privileges
+ Mitigations
Design systems and products with the ability to patch firmware or ROM code after deployment to fix vulnerabilities.
Make use of OTA (Over-the-air) updates so that firmware can be patched remotely either through manual or automatic means
+ Example Instances

An IoT company comes out with a line of smart products for home use such as home cameras, vacuums, and smart bulbs. The products become popular, and millions of consumers install these devices in their homes. All the devices use a custom module for encryption that is stored on a ROM chip, which is immutable memory and can't be changed. An adversary discovers that there is a vulnerability in the encryption module code that allows authentication bypass, gaining access to any device. The adversary then develops botnet code that is remotely downloaded onto the infected devices. This code scans the internet for nearby devices from the same product line and exploits the vulnerability, loading the botnet code onto these new devices. Over time, the adversary now has a botnet of devices that can carry out malicious activity such as a DDoS attacks. Once the vulnerability is found, it is impossible to remediate because the vulnerable code is unable to be updated.

Older smartphones can become out of date and manufacturers may stop putting out security updates as they focus on newer models. If an adversary discovers a vulnerability in an old smartphone there is a chance that a security update will not be made to mitigate it. This leaves anyone using the old smartphone vulnerable.

+ References
[REF-723] Alex Scroxton. "Alarm bells ring, the IoT is listening". TechTarget. 2019-12-13. <https://www.computerweekly.com/news/252475324/Alarm-bells-ring-the-IoT-is-listening>. URL validated: 2022-09-08.
[REF-724] Matthew Hughes. "Bad news: KeyWe Smart Lock is easily bypassed and can't be fixed". Situation Publishing. 2019-12-11. <https://www.theregister.com/2019/12/11/f_secure_keywe/>. URL validated: 2022-09-08.
[REF-725] Brian Krebs. "Zyxel Flaw Powers New Mirai IoT Botnet Strain". Krebs on Security. 2020-03-20. <https://krebsonsecurity.com/2020/03/zxyel-flaw-powers-new-mirai-iot-botnet-strain/>. URL validated: 2022-09-08.
[REF-726] Colin Schulz, Stefan Raff, Sebastian Kortmann and Nikolaus Obwegeser. "Digital Age Organizations: Uncovering Over-the-Air Updates in the Smart Product Realm". International Conference on Information Systems (ICIS) 2021. 2021-12. <https://www.researchgate.net/publication/356065917_Digital_Age_Organizations_Uncovering_Over-the-Air_Updates_in_the_Smart_Product_Realm>. URL validated: 2022-09-08.
+ Content History
Submissions
Submission DateSubmitterOrganization
2022-09-29
(Version 3.8)
CAPEC Content Team
More information is available — Please select a different filter.
Page Last Updated or Reviewed: September 29, 2022
 

Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. CAPEC is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2007–2024, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.