This article is written by Somadatta Bandyopadhyay, pursuing a Diploma in Cyber Law, Fintech Regulations & Technology Contracts from LawSikho.
Introduction
In an age where everything is going digital and “cyber” is the buzzword, there are pertinent issues that this cyber frenzy brings along. One such area of concern is cyber-attacks. Probably the most publicized attacks that fall under the umbrella term “cyber-attacks” are the likes of Trojans and ransomware. But another cyber-attack that is slowly making computer users sit up and take notice is the firmware attack.
What is Firmware?
Firmware constitutes the very basis of the hardware of a computer. It is software embedded in every hardware component of the system that helps the hardware function seamlessly. It mediates communication between the software installed on the system and the hardware, so that the hardware executes commands properly.
Therefore, an attack on this critical infrastructure gives attackers access to the hardware of the system and compromises the entire system. And this access is, more often than not, unbeknownst to the owner of the system. The compatibility of firmware depends on the computer system where it is installed. It can be completely uninstalled or rewritten, which is where the problem lies.
The problem with a firmware attack is that it can compromise a computer system even before it has booted. The attacking code gets incorporated into the lower levels of the system, where it interferes both before and after the system is initialized. The malicious code, when it finds its way into the system, targets portions of the operating system and modifies the firmware. It affects the Basic Input Output System (BIOS) of the computer. The dangers of firmware attacks originate from the fact that they can bypass antivirus software and infect the core of the device.
Malicious code can be introduced into computer systems either using physical devices such as a compromised USB device or remotely over a network connection such as Bluetooth or Wi-Fi.
The fact that we can now connect all our electronic devices to the internet makes them more susceptible to attacks. This widespread usage of electronics is exploited by firmware malware.
Firmware, not being encrypted, is not capable of detecting any infiltration; it is therefore a highly time-consuming process before any such infiltration is actually noticed. Meanwhile, the malware can compromise firmware updates and can continue to linger even after the hard drive has been wiped or the operating system has been reinstalled.
Not taking proper precautions in terms of firmware security could lead to firmware attacks resulting in the attacker spying on user activities, data mining from user systems, controlling the system remotely and also stealing user identity.
Legal respite in case of firmware attacks
The word “cyber” encompasses computers, computer networks and virtual reality. India does not have legislation dedicated to the entire cyber world. But it does have the Information Technology Act, 2000, which, when read collectively with its underlying Rules and some other statutes, gives us a legal background to cyber security, cyber-crimes and data protection.
The Information Technology Act, 2000 addresses malicious activities such as all kinds of malware attacks, hacking, identity theft, electronic fraud, phishing and denial-of-service attacks, and identifies them as offences punishable by law.
‘Cyber security’ is defined under the Information Technology Act, 2000 (‘IT Act’). The definition covers protecting computers and computer devices, ancillary devices and resources, and all information that is stored in them. They have to be protected from unauthorized access, use, disclosure, disruption, modification or destruction by any external entity.[1]
The word cyber-crime applies to any act prohibited or deemed to be wrong in law that involves computers or computer networks in the commission of the crime. In the case of Jaydeep Vrajlal Depani v. State of Gujarat[2], the Gujarat High Court defined cyber-crime as a category of offense that involves using telecommunications networks to create mental or physical loss or harm to an individual or a group of people. The presence of criminal motive and the causing of harm using devices, phones and/or the Internet are the main ingredients of this kind of crime.
Although the Act does not explicitly categorize cyber-attacks as worms, Trojans or firmware attacks, every malicious activity, including but not limited to tampering with source code, hacking, identity theft, denial-of-service attacks, cyberterrorism, phishing, violations of privacy, malware attacks or even infecting someone’s device with a virus, is penalized under the IT Act with either fines or imprisonment or, in certain cases, both.
A firmware attack means, in a way, gaining unauthorized access to someone else’s computer system, which in turn could fall under the broad term ‘hacking’. Section 66 of the Information Technology Act says hacking occurs if any person intentionally, or at least with the knowledge, alters, deletes or destroys information stored in a computer or an ancillary resource so as to unjustly cause harm or loss to any person. The offence of hacking is penalized under the Act with imprisonment for a maximum period of three years, a fine of up to two lakh rupees or, in certain cases, both.[3]
Firmware attacks also cause damage to the computer, and an offense of such a nature is covered by Section 43 of the Act. The Section lists certain unlawful activities done by a person who is neither the authorized owner of a computer or computer system nor in charge of it, for which he shall be penalized with a fine of an amount up to 1 crore. The activities include:[4]
- Accessing or securing access to the other person’s computer, ancillary devices or network.
- Downloading, copying or extracting data from the system database of said computer, ancillary device or network and it includes confiscating data from said person’s portable storage medium.
- Introducing or causing the introduction of a computer virus or contaminant into said computer, ancillary device or computer network.
- Damaging or causing damage to said computer, ancillary device or computer network, database of the system or any program or application residing in said computer, ancillary device or computer network.
- Disrupting or causing the disruption of said computer, ancillary device or computer network.
- Denying access or causing the denial of access to an authorized person to said computer, ancillary device or computer network.
- Assisting or facilitating access to a person to said computer, ancillary device or computer network that is unlawful and contravenes the provisions of the IT Act and its Rules thereof.
- Manipulation of said computer, ancillary device or computer network and thereby charging the services received by one person and redirecting it to the account of a different person.
One could argue that in the case of firmware attacks, it is the incorporated software that seeps into the core of the system and affects it, rather than someone physically monitoring and causing harmful loss in real time. Nonetheless, the loss caused to the affected system is of a similar nature. Therefore, until an amendment to the legislation is brought about to deal with these specific attacks, the IT Act’s all-encompassing nature could take care of this offense.
Purchase Built-in Firmware Protected Hardware
Since firmware attacks practically go undetected most of the time, the best protection mechanism for a consumer is to purchase hardware that comes with top-notch firmware security built in. BIOS vendors as well as hardware manufacturers are upgrading their security measures and protocols because of the increase in firmware attacks.
To detect a compromise of the BIOS, these new protocols compare a hash of the existing BIOS image with the official hash for that BIOS. If any discrepancy is noticed, the user is alerted immediately.
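The comparison described above can be sketched in a few lines. This is an added example, not code from the original article or from any vendor: the board name, version and image bytes are constructed, and the reference hash is derived from the constructed clean image to stand in for a vendor-published value.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024

def image_digest(stream):
    """SHA-256 of a firmware image, read in chunks so large dumps need not be held in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def check_bios(stream, model, version, reference):
    """Return (status, detail); status is 'ok', 'mismatch' or 'unknown'."""
    expected = reference.get((model, version))
    if expected is None:
        # No official value to compare against: never report this as clean.
        return "unknown", f"no reference hash for {model} {version}"
    actual = image_digest(stream)
    if hmac.compare_digest(actual, expected.lower()):
        return "ok", actual
    return "mismatch", f"expected {expected}, got {actual}"

# Constructed sample data (hypothetical board and version, not a real BIOS).
GOOD_IMAGE = b"\x5a" * 4096 + b"CONSTRUCTED-BIOS-1.0.3" + b"\xff" * 4096
TAMPERED = bytearray(GOOD_IMAGE)
TAMPERED[100] ^= 0x01  # a single flipped bit is enough to change the hash
REFERENCE = {("ExampleBoard", "1.0.3"): hashlib.sha256(GOOD_IMAGE).hexdigest()}

def demo():
    """Run the check on a clean image, a modified image and an unlisted version."""
    return [
        check_bios(io.BytesIO(GOOD_IMAGE), "ExampleBoard", "1.0.3", REFERENCE)[0],
        check_bios(io.BytesIO(bytes(TAMPERED)), "ExampleBoard", "1.0.3", REFERENCE)[0],
        check_bios(io.BytesIO(GOOD_IMAGE), "ExampleBoard", "9.9.9", REFERENCE)[0],
    ]

if __name__ == "__main__":
    for status in demo():
        print(status)
```

The result is only as trustworthy as the source of the reference hash and the component that reads the image, which is why the article points to hardware with this protection built in.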
Future of firmware security
A new set of responsibilities has now arisen for firmware developers and hardware manufacturing companies. As more and more loopholes are exposed, new firmware updates and patches will need to be rolled out at frequent intervals to keep security up to date.
It is also important for consumers to remain alert and aware. Consumers can do their part by purchasing devices that have multi-level firmware security added to them. System updates should be installed as and when the operating system notifies the user. It is also very important not to navigate to untrustworthy websites or plug in USB devices from untrusted sources.
Although it is almost impossible to be prepared in advance for every kind of cybersecurity issue, because the more issues that come up, the more solutions are figured out, it is at least possible to stay vigilant. Investing time and money in cybersecurity is also well worth it, especially when it comes to firmware attacks, because they go undetected but can cause irreparable loss to the one under attack.
References
- [1] Section 2(nb), Information Technology Act, 2000.
- [2] R/SCR.A/5708/2018.
- [3] Section 66, Information Technology Act, 2000.
- [4] Section 43, Information Technology Act, 2000.