Why Secure Boot is Your Network’s Best Friend (And What BlackTech Taught Us)
By David Haslam, Head of Software Engineering. Discussing secure boot and BlackTech
In the ever-evolving world of cybersecurity, some lessons are best learned from others’ mistakes. As reported in Dark Reading, the 2023 BlackTech cyberattacks, in which threat actors replaced the firmware in Cisco routers with their own malicious versions, serve as a stark reminder that attackers are getting smarter, and the stakes are higher than ever. Their tactics shine a spotlight on why technologies like secure boot are no longer optional in securing network infrastructure.
BlackTech, a group linked to state-sponsored espionage, infiltrated corporate networks by replacing router firmware with malicious versions. These modified firmware files provided a backdoor for attackers, enabling them to spy on network traffic, move laterally within the network, and hide their tracks for long periods.
One of their most alarming techniques involved bypassing standard security checks. By downgrading router firmware to older versions, they exploited devices that lacked mechanisms to verify the integrity of the software. As a result, the group created persistent, hard-to-detect backdoors on critical network devices.
How secure boot could have prevented this attack
Secure boot is a security feature that ensures that only trusted, authenticated software runs on your hardware. It uses cryptographic verification to validate the digital signature of firmware before it’s loaded, preventing unauthorised changes and blocking malicious firmware from booting. In this way, it creates a secure foundation for each connected device. Only the right software can get in.
The BlackTech exploit hinged on its ability to replace legitimate firmware with malicious versions. Secure boot would have rendered this impossible by catching unauthorized modifications during startup. Devices lacking this feature were left vulnerable, allowing attackers to persist in networks undetected.
Modern routers often come equipped with secure boot. Older, legacy devices, however, may lack this protection—making them prime targets for sophisticated attacks.
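The boot-time check described above, as an added example (not code from the article, Cisco or QuarkLink): the device verifies the image signature and then enforces a minimum-version floor, because an older image that still carries a valid vendor signature passes the signature check alone. The image layout, the function names and the toy RSA key (two Mersenne primes and an unpadded signature, chosen so the block needs only the standard library) are assumptions; a real bootloader uses a padded scheme from a vetted library and a hardware monotonic counter.

```python
import hashlib
import struct

# Constructed demo key: two Mersenne primes, trivially factorable. Never use for real signing.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                                # public modulus, stored immutably on the device
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the vendor only

HEADER = struct.Struct(">4sI")           # hypothetical layout: magic, firmware version
MAGIC = b"FWIM"
SIG_LEN = (N.bit_length() + 7) // 8

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign_image(version: int, payload: bytes) -> bytes:
    """Vendor side: header || payload || signature over (header || payload)."""
    body = HEADER.pack(MAGIC, version) + payload
    sig = pow(_digest_int(body), D, N)   # unpadded RSA, a stand-in for RSA-PSS or ECDSA
    return body + sig.to_bytes(SIG_LEN, "big")

def verify_and_boot(image: bytes, min_version: int) -> tuple[bool, str]:
    """Device side. min_version models a monotonic counter in fuses or secure storage."""
    if len(image) < HEADER.size + SIG_LEN:
        return False, "truncated image"
    body, sig = image[:-SIG_LEN], int.from_bytes(image[-SIG_LEN:], "big")
    if sig >= N or pow(sig, E, N) != _digest_int(body):
        return False, "bad signature"
    # Header fields are trusted only after the signature over them has verified.
    magic, version = HEADER.unpack_from(body)
    if magic != MAGIC:
        return False, "bad magic"
    if version < min_version:
        return False, "rollback blocked"
    return True, f"booting v{version}"

if __name__ == "__main__":
    current = sign_image(7, b"current release")            # constructed sample images
    old = sign_image(3, b"older release with known flaws")
    tampered = bytearray(current)
    tampered[10] ^= 0x01                                   # flip one payload bit
    for name, img in (("current", current), ("tampered", bytes(tampered)), ("old", old)):
        print(name, verify_and_boot(img, min_version=7))
```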
A few simple steps can add massive protection
End users of IoT and edge devices should prioritize secure boot when purchasing their devices. Manufacturers, on the other hand, must select hardware modules that support secure boot and ensure it is implemented correctly.
Investing in a well-secured device is far cheaper than dealing with the fallout from a security breach. If your device supports secure boot, ensure it is enabled, and keep the firmware updated regularly to address vulnerabilities and enhance security features.
There’s a human element involved in most cybersecurity breaches, and it’s particularly important to protect credentials with strong passwords and multifactor authentication. BlackTech gained initial access by exploiting weak admin credentials.
Secure boot is no longer just an option
Features like secure boot aren’t just “nice-to-haves” anymore – they’re critical components of a modern security strategy. What’s more, secure boot is now mandated by legislation for many applications. For example, in the medical sector, the FDA requires secure boot for Class 2 medical devices to protect patients and prevent malware from targeting connected device networks. Furthermore, the requirements of the EU Cyber Resilience Act, which was passed into law on 11th December 2024, cannot be met without ensuring that each device on a network has a unique, immutable, and cryptographically protected identity that supports secure boot. Without such mechanisms, it is impossible to deliver the firmware-over-the-air (FOTA) updates that are essential to maintaining device security over its lifetime.
Overcoming the complexities of implementing secure boot
Implementing secure boot can be complicated and beyond the experience of embedded device developers. A hardware security root-of-trust, a combination of unique identity and the ability to generate cryptographic keys, is now present in many microcontrollers but it can be a long, steep learning curve to implement the associated functionality. Embedded development teams are now spending up to 30% of their time on device security issues, potentially distracting them from other valuable and productive work. Chip-to-cloud IoT device security platforms such as QuarkLink can bridge the gap between embedded device development and cryptographic security, automating many of the processes involved while eliminating errors. In fact, it’s estimated that such platforms can accelerate the implementation of device security by up to 10X. You can read more about QuarkLink here.
For general guidance, NIST now runs a comprehensive “Cybersecurity for IoT Program” and for application-specific advice, Crypto Quantique’s team of specialists is on hand to help. You can reach them here.
About the author
David Haslam is technology-focused, with over 25 years’ experience in leading-edge software development. He is a strong advocate for agile methodologies and DevOps practices, driving efficiency and collaboration across cross-functional teams. In his previous role his commitment to excellence and forward-thinking approach helped Avalara Inc. develop a massively scaled, cloud-based platform ahead of an $8.4 Billion exit. He is adept at aligning technology initiatives with business goals, ensuring that software not only meets current market demands but is also future-proof and delights the customer.