Firmware Security and Updates

From Whonix



Info: This chapter contains general security advice and is not specific to Whonix ™.

Due to the difficulty of this topic and the specificity of hardware and host OS firmware, this issue is generally outside the scope of Whonix ™ documentation. The links provided further below may not be the most relevant to the end user, necessitating further individual research.

Firmware on Personal Computers[edit]

Firmware is generally defined as the type of software that provides control, monitoring and data manipulation of engineered products. [1] In the case of computers, firmware is held in non-volatile memory devices such as ROM [archive], EPROM [archive] or flash memory [archive] and is associated with: [2] [3] [4] [5]

Firmware Updating and Security Problems[edit]


The major problem with updating firmware is that in most cases it cannot be done automatically, so it is difficult to fix functionality or security issues after the hardware has shipped. While utility programs are often available to update the BIOS, firmware in other devices is rarely updated, and the mechanisms for detecting and updating firmware are not standardized. [2]

If firmware can be upgraded, this is usually done via a program created by the vendor. The old firmware should always be saved before upgrading, so that the process can be reverted if it fails or the newer version performs worse. [6] Updating firmware may or may not improve security: an update may fix vulnerabilities, but it may also introduce a new backdoor.

Unfortunately, most end users must blindly trust the hardware producer, so it is probably better to install non-free updates than to risk being vulnerable to known attacks in the wild. [7] Until these re-writable firmware areas are locked down, or the code is open-sourced and vastly simplified, they are likely to remain a rich environment for malicious adversaries. [8] [9]

The reality is that advanced adversaries are routinely hacking the firmware of Internet routers, switches and firewalls [archive], along with hard drive firmware [archive], and UEFI/EFI and Ethernet adapters [archive]. The number of targets is already in the tens of thousands on an annual basis. Subverting firmware in this manner provides a stealthy and persistent presence that can eavesdrop on or re-route all network data, or access information in invisible storage areas that are unencrypted (bypassing disk encryption). Worst of all, firmware sabotage is believed to survive software updates and even complete operating system re-installations. Attacks may also be designed to corrupt firmware so that machines are prevented from booting, even from an external drive. [10]
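The advice earlier in this section, to keep the old firmware and to be careful about what gets flashed, translates into two routine checks around a vendor update. The following POSIX shell script is an added example and not Whonix project code. It assumes a Linux host exposing DMI data under /sys/class/dmi/id, sha256sum from coreutils, and optionally flashrom; whether flashrom can read a given board's SPI flash through its "internal" programmer is hardware-specific, and the updater path in the usage sketch is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (not Whonix project code): the checks a careful operator does
# around a vendor firmware update on a Linux host. Assumes /sys/class/dmi/id,
# sha256sum, and optionally flashrom (reading the SPI flash with its
# "internal" programmer is hardware-specific and needs root).
set -u

# Record what is running now, so the result of the update can be confirmed
# afterwards and so you know which version you are returning to on revert.
bios_version() {
    dmi=/sys/class/dmi/id
    if [ -r "$dmi/bios_version" ] && [ -r "$dmi/bios_date" ]; then
        printf '%s (%s)\n' "$(cat "$dmi/bios_version")" "$(cat "$dmi/bios_date")"
    else
        echo unknown
    fi
}

# Save a copy of the current flash contents before writing a new image. This
# is the "old firmware" the page says to keep; without it a failed or worse
# update cannot be reverted. Returns 2 when flashrom is not available.
backup_flash() {
    out=$1
    if ! command -v flashrom >/dev/null 2>&1; then
        echo "flashrom not installed; use the vendor's own backup facility instead" >&2
        return 2
    fi
    flashrom -p internal -r "$out" && sha256sum "$out"
}

# Compare a downloaded image against the SHA-256 the vendor published. The
# expected value must come from a channel other than the download itself
# (the vendor's HTTPS support page or signed release notes); an attacker who
# can swap the file on a mirror can swap a hash hosted next to it as well.
verify_image() {
    image=$1
    expected=$2
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "ok: $image matches the published hash"
    else
        echo "MISMATCH for $image: got $actual, expected $expected; do not flash" >&2
        return 1
    fi
}

# Usage sketch (hypothetical file names): record, back up, verify, and only
# then hand the image to the vendor's updater.
#   bios_version
#   backup_flash "backup-$(date +%F).rom"
#   verify_image vendor-update.bin <hash from vendor page> && sudo ./vendor-updater vendor-update.bin
```

If the backup step fails, that is a reason to stop: a machine whose current image you cannot read back is a machine you cannot restore if the new image misbehaves.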

Supply Chain Attacks[edit]

Compromising a computing company's infrastructure is an advanced attack methodology that has risen to prominence over the last ten years: [11]

Supply chain attacks can happen when hackers gain access to a software company's infrastructure—development environment, build servers, update servers, etc.—and are able to inject malware into new software releases or security updates.

A recent example of malware that successfully targeted the firmware update channel is the late-2018 "Operation ShadowHammer" attack, which affected an estimated half a million Windows users of ASUS hardware. In this case the ASUS Live Update Utility [archive], which is responsible for automatically updating components such as the BIOS, UEFI, drivers and applications, was compromised.

It was discovered that the backdoored utility targeted only a few hundred users, identified by MAC addresses hard-coded into the trojan samples analyzed. The implication is that an advanced nation-state attacker was willing to infect an untold number of innocent users in order to reach a far smaller set of targets. [12] This sophisticated supply chain attack involved several steps: [13]

  • The ASUS server which served the live update tool was compromised.
  • The malicious file was signed with legitimate ASUS digital certificates, so the software appeared genuine. [14] The file was actually a three-year-old binary containing harmful code.
  • Users downloaded the malicious, backdoored utility through the ASUS update server.
  • The trojan utility searched for targets using a set of unique MAC addresses. [15]
  • Once located, a command-and-control server under the attacker's control installed additional malware on the machine.

This attack is concerning because it reveals adversaries are prepared to undermine the security underpinning the entire supply chain for their purposes, whether it is manufactured/assembled components or via breaches of trusted vendor software channels. As most users of specific computer hardware trust the manufacturing company, this is a very difficult problem to address, particularly since it can remain undiscovered for a long period.

In addition, this mode of attack suggests that overall improvements in computing security are forcing sophisticated attackers to "raise their game," because in general they choose the path of least resistance when attempting to infiltrate the systems of targets. [11]

For further reading on this topic, see:

Processor Microcode Updates[edit]

One recent example of a security fix that must be delivered as firmware is the processor microcode update that modern chips need to address speculative [archive] execution flaws [archive]. The Debian package [archive] is non-free software and is therefore only available in the Debian non-free repository, meaning it is not installed by default in any Whonix variant. [16] [17] Whonix recommends avoiding non-free software, but in this case idealism would result in insecurity.

It is unnecessary to apply these updates in standard Non-Qubes-Whonix ™ and Qubes-Whonix ™ guest VMs, because a guest cannot alter the microcode. However, processor microcode updates should always be applied on the host operating system (for Intel or AMD processors) [18] and in bare-metal configurations such as Physical Isolation. [19]

Microcode Package Check[edit]

To check whether the microcode package is installed, run the command for your platform below. If there is no output, the package is not installed.

Debian based[edit]

On the host, run:

dpkg -l | grep microcode


Qubes[edit]

In dom0, run:

dnf list | grep microcode

The Qubes check should confirm the microcode_ctl.x86_64 package is already installed. [20]

Install Microcode Package[edit]


Install intel-microcode.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the intel-microcode package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends intel-microcode

The procedure of installing intel-microcode is complete.


Install amd64-microcode.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the amd64-microcode package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends amd64-microcode

The procedure of installing amd64-microcode is complete.
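The check and install steps above can be tied together so that the right package is chosen for the CPU and the guest case is recognised rather than acted on. The following POSIX shell script is an added example and not Whonix project code. The package names intel-microcode and amd64-microcode are the real Debian ones; the function names are this example's own, and it assumes a Linux /proc/cpuinfo in the usual "key : value" layout, where the "hypervisor" CPU flag marks a guest VM.

```shell
#!/bin/sh
# Added example (not Whonix project code): work out which Debian microcode
# package matches the CPU this script runs on, recognise when it runs inside
# a guest VM (where the host, or dom0 in Qubes, must carry the package
# instead), and report whether the package is installed. Function names are
# this example's own; the package names are the real Debian ones.
set -u

# Map the vendor_id string from /proc/cpuinfo to the Debian package name.
# Prints nothing and returns 1 for any other vendor (e.g. ARM), where these
# packages do not apply.
microcode_pkg_for_vendor() {
    case "$1" in
        GenuineIntel) echo intel-microcode ;;
        AuthenticAMD) echo amd64-microcode ;;
        *) return 1 ;;
    esac
}

# The three parsers read /proc/cpuinfo-formatted text from stdin and look at
# the first CPU only; each "key : value" line is split on the ": " separator.
cpuinfo_vendor() {
    awk -F': *' '$1 ~ /^vendor_id/ { print $2; exit }'
}

# Revision of the microcode currently loaded on the CPU (hex string). In a
# guest this is whatever the hypervisor exposes, not something the guest can
# change by installing a package.
cpuinfo_microcode_rev() {
    awk -F': *' '$1 ~ /^microcode/ { print $2; exit }'
}

# Returns 0 when the "hypervisor" CPU flag is present, i.e. we are a guest.
cpuinfo_is_guest() {
    awk -F': *' '$1 ~ /^flags/ { if ($2 ~ /(^| )hypervisor( |$)/) found = 1; exit }
                 END { exit !found }'
}

# Exact-match replacement for `dpkg -l | grep microcode`: returns 0 when the
# package is installed, 1 when it is not, 2 when dpkg-query is unavailable.
dpkg_installed() {
    command -v dpkg-query >/dev/null 2>&1 || return 2
    [ "$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null)" = "install ok installed" ]
}

main() {
    if [ ! -r /proc/cpuinfo ]; then
        echo "/proc/cpuinfo not readable; nothing to check" >&2
        return 0
    fi
    cpuinfo=$(cat /proc/cpuinfo)
    vendor=$(printf '%s\n' "$cpuinfo" | cpuinfo_vendor)
    if ! pkg=$(microcode_pkg_for_vendor "$vendor"); then
        echo "vendor '$vendor': no Debian microcode package applies"
        return 0
    fi
    rev=$(printf '%s\n' "$cpuinfo" | cpuinfo_microcode_rev)
    echo "vendor $vendor, loaded microcode revision ${rev:-unknown}, package $pkg"
    if printf '%s\n' "$cpuinfo" | cpuinfo_is_guest; then
        echo "this is a guest VM: install $pkg on the host (or rely on dom0 in Qubes), not here"
        return 0
    fi
    dpkg_installed "$pkg" && status=0 || status=$?
    case $status in
        0) echo "$pkg is installed" ;;
        1) echo "$pkg is NOT installed; run: sudo apt-get install --no-install-recommends $pkg" ;;
        *) echo "dpkg-query not available; cannot check $pkg" ;;
    esac
}

main
```

Running it on a Whonix guest prints the "guest VM" line and stops, which is the behaviour the section describes: the package belongs on the host. On a Debian host it prints the loaded revision and the exact install command if the package is missing; a changed revision after a reboot is the simplest confirmation that the new microcode was actually applied.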


It is possible to check if the system is vulnerable to the Spectre [archive] and Meltdown [archive] attacks, which use flaws in modern chip design to bypass system protections.


Install spectre-meltdown-checker.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the spectre-meltdown-checker package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends spectre-meltdown-checker

The procedure of installing spectre-meltdown-checker is complete.


Run the checker in paranoid mode and print its exit status:

sudo spectre-meltdown-checker --paranoid ; echo $?

A non-zero exit status means the checker reported at least one CVE as vulnerable or undetermined; the per-CVE lines printed above the status say which one and why.

Forum Discussion[edit]

See: [archive]


  1. [archive]
  2. [archive]
  3. [archive]
  4. [archive]
  5. [archive]
  6. [archive]
  7. Also see this debian-security mailing list thread: How secure is an installation with no non-free packages? [archive]
  8. [archive]
  9. Mark Shuttleworth, founder of the Ubuntu Linux distribution, has described proprietary firmware as a security risk [archive], stating "firmware on your device is the NSA's best friend" and calling firmware "a trojan horse of monumental proportions".
  10. [archive]
  11. [archive]
  12. [archive]
  13. [archive]
  14. Reinforcing the notion that digital certificates are an imperfect security mechanism.
  15. MD5 hash values were hard-coded and found to correspond to unique MAC addresses for network adapter cards. This indicates the attackers knew the MAC addresses of their targets in advance.
  16. Relevant Debian packages for processor microcode: Intel [archive] and amd64 [archive].
  17. Installing these updates by default would require the Debian nonfree repository, and logically also make Whonix images nonfree.
  18. ARM is less affected than Intel architecture.
  19. See: [archive]
  20. This package is installed by default in Qubes to automatically protect users against hardware threats.


Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
