Firmware Security for the Supply Chain


While security teams often think of attackers coming from the outside, some of the most insidious cybersecurity threats and weaknesses can be embedded within newly acquired hardware before it is ever delivered.

Implants, backdoors, and weaknesses can be intentionally inserted by sophisticated attackers, or inadvertently included due to mistakes or insecure practices by manufacturers and partners. To protect the integrity of their devices, organizations need to be able to verify that the systems they acquire are safe, arrive intact and without tampering, and that all updates are valid and secure.

Eclypsium provides a full spectrum approach to supply chain risk management (SCRM) that spans the evaluation and acquisition of new hardware and continues to ensure the integrity of devices throughout the technology lifecycle.


Supply chain-related events may be unintentional or malicious and occur at any point during the system life cycle. Managing supply chain risks involves gaining visibility and understanding of the processes and procedures used to protect the system, system component, or system service throughout the system life cycle.
—NIST, Security and Privacy Controls for Information Systems and Organizations

Supply chain security has quickly become a top concern for enterprises and all levels of government, and for good reason. Threats can enter the technology supply chain in a wide variety of ways, and most organizations lack the tools and processes needed to defend against them.

Sophisticated attackers and nation-states can infiltrate or co-opt technology vendors or their suppliers to surreptitiously implant backdoors or malware within the firmware of a device and its components. These attacks have been seen in the wild, and for security teams it means that the initial trusted or “known good” version of a device is already compromised even before the device is unboxed. Likewise, attackers have successfully targeted the software and firmware update process for devices, allowing them to install malware under the guise of valid updates.

Risks can also creep into the technology supply chain simply through mistakes and unsafe practices. Given the sheer volume of third-party technology, components, and code used to build modern devices, there is ample opportunity for mistakes. These weaknesses within system and component firmware can make devices far more susceptible to compromise. Worse still, these vulnerabilities are typically invisible to traditional vulnerability scanners, and once exploited, they allow attackers to control the device and persist even if the operating system is reinstalled.


Evaluate Vendors During Hardware Selection

Eclypsium lets organizations evaluate the security posture of prospective devices even before they are acquired. Teams can easily analyze devices during the evaluation phase to find vulnerabilities and missing protections in the system and its components, and identify the vendors that are the most secure.


Verify the Integrity of All Newly-Acquired Hardware

Once a new device arrives, teams can use Eclypsium to verify that the product is safe and hasn’t been tampered with in the supply chain. The system will identify any known or unknown implants, identify any potential weaknesses, and check to see that the device is running the latest firmware.


Verify and Monitor Updates For Deployed Devices

After deployment, Eclypsium continues to provide visibility into the device and its updates. The solution identifies weaknesses that could allow unauthorized updates, ensures that all updates are valid, and continues to monitor the behavior of the system and its components to identify malicious content within an update.

Ready to tackle firmware security in the supply chain? Contact us.

The Eclypsium Platform protects the technology supply chain of your most critical devices including laptops, servers, and networking infrastructure. With Eclypsium, you can ensure your vendors are following industry best practices, that all your devices arrive intact and haven’t been tampered with, and that your devices are not compromised after they are deployed.

The Eclypsium platform scans each system, including its many subcomponents, and automatically analyzes the firmware and how it is configured. This analysis can reveal the presence of implants and backdoors, vulnerable or unpatched firmware, and a variety of missing protections. This analysis can be used during the evaluation phase, upon delivery of new hardware, and even with trusted distributors within the supply chain.

Eclypsium then regularly checks for the presence of any known implants based on our industry research, and continues to monitor the behavior of firmware to identify malicious code that has never been seen before.

Comprehensive Vulnerability Analysis of Firmware & Hardware

Gain visibility into all the key components in laptops, servers and network devices, including CPU, DRAM, Option ROM, UEFI, BIOS, ME/AMT, SMM, BMC, PCI, NIC, TPM and more, to identify risk associated with vulnerabilities, misconfigurations and outdated or changed firmware. Find vulnerabilities in your devices, including weaknesses from third-party vendors that your supplier may not be aware of.

Integrity Check of New Devices

Eclypsium ensures that your new devices haven’t been tampered with in the supply chain and verifies that system and component firmware match the official firmware from the vendor. Automatically identify any missing or misconfigured security settings and find firmware that needs to be updated before initial deployment.
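The integrity check described above (and the "latest firmware" check under "Verify the Integrity of All Newly-Acquired Hardware") boils down to hashing each firmware image read from the new device and looking it up in a list of vendor-published, known-good images. The following is an added illustration of that workflow, not Eclypsium's code: the vendor images, component names and version numbers are constructed stand-ins, and a real deployment would load hashes published by the vendor rather than compute them locally.

```python
import hashlib

# Constructed stand-in for vendor-published firmware images: component -> version -> image bytes.
# Real images are megabytes; short byte strings keep the example self-contained and offline.
PUBLISHED = {
    "uefi": {"1.2.0": b"UEFI-IMAGE-v1.2.0-" + bytes(range(32)),
             "1.3.0": b"UEFI-IMAGE-v1.3.0-" + bytes(range(32))},
    "bmc":  {"2.0.1": b"BMC-IMAGE-v2.0.1-" + bytes(range(64))},
}


def sha256_hex(image: bytes) -> str:
    """Hash a firmware image exactly as read from the device (no normalisation)."""
    return hashlib.sha256(image).hexdigest()


def build_allowlist(published):
    """Map hash -> (component, version) so a dumped image can be matched in one lookup."""
    return {sha256_hex(img): (comp, ver)
            for comp, versions in published.items()
            for ver, img in versions.items()}


def latest_versions(published):
    """Newest published version per component, comparing dotted numeric versions."""
    def as_tuple(v):
        return tuple(int(p) for p in v.split("."))
    return {comp: max(versions, key=as_tuple) for comp, versions in published.items()}


def assess(component, dumped, allowlist, latest):
    """Classify one firmware image read from a newly arrived device.

    'unknown'  -> hash not in the vendor list for this component: tampered, reflashed
                  or unlisted build; hold the device for investigation
    'outdated' -> genuine vendor image, but not the newest release; update before deployment
    'verified' -> matches the current official image
    """
    entry = allowlist.get(sha256_hex(dumped))
    if entry is None or entry[0] != component:   # a valid UEFI image in the BMC slot is still wrong
        return "unknown"
    return "verified" if entry[1] == latest[component] else "outdated"


if __name__ == "__main__":
    allow, latest = build_allowlist(PUBLISHED), latest_versions(PUBLISHED)
    tampered = bytearray(PUBLISHED["uefi"]["1.3.0"])
    tampered[-1] ^= 0x01                          # one flipped bit simulates a modified image
    for comp, img in [("uefi", PUBLISHED["uefi"]["1.3.0"]),
                      ("uefi", PUBLISHED["uefi"]["1.2.0"]),
                      ("uefi", bytes(tampered))]:
        print(comp, assess(comp, img, allow, latest))
```

Because the lookup is keyed on the hash of the whole image, a single changed byte (an inserted implant, a patched check) drops the image out of the allowlist rather than merely lowering a score, which is the property you want for a pre-deployment gate.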

Detection of Implants and Backdoors

Eclypsium identifies known and unknown threats using IOCs, behavioral analysis, and static analysis backed by the largest global firmware whitelist and reputation database, with over 3M hashes across 23+ hardware vendors.

Hardware Assurance Reports

Generate detailed reports (PDF, JSON, HTML) for any or all devices throughout the entire lifecycle, including integrity, risk, firmware version, and change information. Reports can be shared with management and across departments to confirm that the security posture of the device has not changed.

Want to see how firmware protection works? Request a demo.