Hardware and Firmware Vulnerabilities (Domain 2)

In this episode, we are focusing on vulnerabilities that live below the software layer—those found in hardware, firmware, and aging systems. These vulnerabilities are often harder to detect, difficult to patch, and frequently overlooked. They pose significant risks because they can allow attackers to bypass operating system controls and embed themselves at the foundational level of computing devices. We’ll cover firmware risks, end-of-life hardware, and the unique challenges presented by legacy systems.
Let’s begin with firmware risks. Firmware is the low-level software embedded directly into hardware components. It controls everything from how your motherboard communicates with your CPU to how your printer functions. Because firmware operates below the operating system, it has deep access to system resources. If compromised, firmware can give an attacker persistent, stealthy control over a device.
Firmware vulnerabilities can be exploited in several ways. Attackers may install malicious firmware that remains even after the operating system is reinstalled. They can exploit flaws in how firmware is updated, allowing them to intercept or inject code during the update process. Firmware-level malware can remain undetected by traditional antivirus tools and can even disable or bypass security controls implemented at higher levels.
A real-world example involved malware that infected the firmware of hard drives, allowing attackers to spy on user activity and retain access even after drives were wiped and reinstalled. These types of attacks are rare but extremely damaging.
To defend against firmware threats, organizations should ensure that firmware updates are applied regularly, and that those updates come from trusted sources. Devices should be configured to prevent unauthorized flashing or modification of firmware. Some platforms offer secure boot or trusted platform modules that help ensure firmware integrity during system startup. Administrators should inventory all hardware components and verify that firmware is being maintained as part of the organization’s standard patch cycle.
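The update-path weakness and the "trusted source" defense above, as an added example that is not from the episode. It models a naive updater that flashes whatever image arrives against one that authenticates the vendor manifest and checks the image digest first. The vendor key, image bytes and manifest format are constructed; HMAC-SHA256 stands in for the asymmetric signature a real secure-boot or signed-update flow verifies against a key anchored in the platform.

```python
import hashlib
import hmac

# Constructed sample data: a vendor firmware image and a copy altered in transit
# (one injected byte, the kind of change an intercepted update would carry).
GOOD_IMAGE = b"FWv2.1\x00" + bytes(range(64))
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"\xff"

# Assumption: a shared vendor key held by the verifier. Real devices verify a
# digital signature against a public key burned into the platform; HMAC stands
# in so the example runs on the standard library alone.
VENDOR_KEY = b"constructed-vendor-signing-key"


def _manifest_tag(version: str, digest: str) -> str:
    """Authentication tag over version and image digest (constructed format)."""
    return hmac.new(VENDOR_KEY, f"{version}:{digest}".encode(), "sha256").hexdigest()


def vendor_sign(image: bytes, version: str) -> dict:
    """What the trusted source ships alongside the image: a signed manifest."""
    digest = hashlib.sha256(image).hexdigest()
    return {"version": version, "sha256": digest, "tag": _manifest_tag(version, digest)}


def naive_update(image: bytes) -> tuple:
    """The flaw: no origin or integrity check, so an injected image is flashed."""
    return (True, "flashed unverified image")


def verified_update(image: bytes, manifest: dict) -> tuple:
    """Hardened flow: authenticate the manifest, then bind the image to it, then flash."""
    expected = _manifest_tag(manifest["version"], manifest["sha256"])
    if not hmac.compare_digest(expected, manifest["tag"]):
        return (False, "manifest not from trusted source")
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return (False, "image digest mismatch: modified in transit")
    return (True, f"flashed {manifest['version']}")


if __name__ == "__main__":
    manifest = vendor_sign(GOOD_IMAGE, "2.1")
    print(naive_update(TAMPERED_IMAGE))
    print(verified_update(GOOD_IMAGE, manifest))
    print(verified_update(TAMPERED_IMAGE, manifest))
```

The order matters: the manifest is authenticated before it is trusted to say anything about the image, so an attacker who swaps both image and manifest still fails at the first check.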
Now let’s turn to end-of-life hardware. End-of-life—often abbreviated as E O L—refers to hardware that is no longer supported by the manufacturer. Once a product reaches this stage, the vendor stops providing updates, security patches, or technical support. This leaves the hardware exposed to vulnerabilities that will never be fixed.
Attackers often scan for systems running on E O L hardware because they know those systems are easier to exploit. Even if the software is up to date, the underlying hardware may include flaws that attackers can leverage to gain access, cause disruptions, or pivot into more secure parts of the network.
Managing end-of-life risk starts with awareness. Organizations must track hardware lifecycles and know which devices are no longer supported. In high-risk environments, E O L systems should be prioritized for replacement. If immediate replacement is not possible, these devices should be isolated from critical networks, heavily monitored, and protected with compensating controls.
A case study involved an outdated medical imaging device that remained in use long after support had ended. The system was connected to a hospital’s main network and was eventually exploited through a known hardware-level vulnerability. The attack exposed sensitive patient data and forced a full-scale incident response. This example shows how even trusted systems can become security liabilities over time.
Now let’s talk about legacy systems. Legacy systems include any older hardware or platforms that are still in use but were built on outdated standards. These systems may run unsupported operating systems, use obsolete protocols, or rely on hardware that cannot accommodate modern security controls.
Legacy systems often remain in use because they support critical functions that cannot easily be replaced. This is common in manufacturing, healthcare, and government environments where specialized equipment is expensive or difficult to modernize. But with age comes risk. Legacy systems are often incompatible with endpoint protection, difficult to patch, and poorly documented.
Because attackers know these systems tend to be weak points, they often use them as a foothold into more secure parts of the network. Exploiting a legacy machine may allow lateral movement, credential theft, or access to sensitive data stored elsewhere.
Managing legacy system risk requires a multi-layered approach. First, isolate the system from internet-facing connections and unnecessary internal access. Use firewalls, network segmentation, and strict access controls. Monitor these systems closely for unusual behavior, and limit user interaction to only those who absolutely need access. Document dependencies, and plan for phased replacement when budgets allow.
You can also add external protections, such as host-based firewalls, reverse proxies, and virtual patching, to help reduce exposure even when direct updates are no longer possible.
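The lifecycle tracking and isolation rules from the end-of-life and legacy sections above, as an added example that is not from the episode. It runs a small policy over a constructed hardware inventory: unsupported devices on critical networks that are not isolated are flagged for immediate replacement, other unsupported devices are ordered for isolation, monitoring and compensating controls, and devices nearing their support end date are queued for replacement planning. The inventory entries, field names and the 180-day planning window are assumptions.

```python
from datetime import date, timedelta

# Constructed inventory; the medical imaging case above is the first entry.
INVENTORY = [
    {"asset": "imaging-workstation-07", "eol": date(2019, 6, 30),
     "zone": "hospital-main", "critical": True, "isolated": False},
    {"asset": "plc-line-3", "eol": date(2021, 1, 1),
     "zone": "ot-segment", "critical": True, "isolated": True},
    {"asset": "badge-reader-gw", "eol": date(2026, 3, 1),
     "zone": "facilities", "critical": False, "isolated": False},
    {"asset": "print-server-2", "eol": None,
     "zone": "office", "critical": False, "isolated": False},
]

PLANNING_WINDOW = timedelta(days=180)  # assumed lead time for replacement budgeting


def triage(device: dict, today: date) -> str:
    """Map one inventory record to the action the episode's guidance implies."""
    eol = device["eol"]
    if eol is None:
        return "supported"
    if eol > today:
        return "plan-replacement" if eol - today <= PLANNING_WINDOW else "supported"
    # Past end of life: no more patches will ever arrive.
    if device["critical"] and not device["isolated"]:
        return "replace-now"        # unsupported device reachable from a critical network
    if not device["isolated"]:
        return "isolate-and-monitor"  # segment first, then add compensating controls
    return "monitor"                # already isolated; keep watching until replaced


def triage_inventory(inventory: list, today: date) -> dict:
    """Return {asset: action}, which a ticketing or GRC export could consume."""
    return {d["asset"]: triage(d, today) for d in inventory}


def replacement_queue(inventory: list, today: date) -> list:
    """Assets needing replacement, most urgent first (oldest EOL date wins ties)."""
    urgency = {"replace-now": 0, "isolate-and-monitor": 1, "monitor": 2, "plan-replacement": 3}
    due = [d for d in inventory if triage(d, today) in urgency]
    due.sort(key=lambda d: (urgency[triage(d, today)], d["eol"]))
    return [d["asset"] for d in due]


if __name__ == "__main__":
    for asset, action in triage_inventory(INVENTORY, date(2025, 10, 1)).items():
        print(f"{asset:24} {action}")
```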
As you prepare for the Security Plus exam, keep in mind that hardware and firmware vulnerabilities are often persistent, deeply embedded, and hard to detect. You may be asked to evaluate risks related to outdated systems, unpatched firmware, or legacy infrastructure. Know how to identify these systems, describe their risks, and recommend appropriate compensating controls. Be ready to distinguish between end-of-life and legacy systems, and to explain why firmware updates are just as important as software patches.
