Episode 49 — Defend Against Firmware and Physical TTPs: Shimming, USB Attacks, BIOS/UEFI, Memory
In this episode, we’re going to look at a class of threats that can feel unsettling because they target the parts of a computer you usually never think about: the moment it starts up, the hardware it trusts, and the physical ways someone can interfere with it. Many beginners imagine cyberattacks as something that always happens over the internet, but physical access and low-level tampering can be just as powerful, and sometimes more difficult to detect. Firmware is the software that lives very close to the hardware, guiding how components start and communicate, and if firmware is compromised, attackers can gain deep control that can survive reboots and sometimes even survive reinstalling the operating system. Physical tactics can also bypass software protections by exploiting ports, devices, or the simple fact that someone can touch the machine. The goal here is not to make you paranoid, but to give you a clear mental map of common techniques and the defenses that reduce risk. We’ll talk about shimming, USB attacks, BIOS and UEFI, and memory-related threats, and we’ll connect them to practical defensive thinking that makes these threats less mysterious.
Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.
A helpful starting point is to understand why firmware and physical techniques are attractive to attackers. High-level malware often depends on the operating system and common security tools, so defenders can detect it through logging, endpoint sensors, and updates. Firmware compromises can sit below many of those controls, meaning they can hide from normal monitoring and can launch early in the boot process before security software is fully active. Physical techniques are attractive because they can bypass network boundaries entirely; if someone can plug something into a device or open the device, they can sometimes trigger behavior that software defenses weren’t designed to stop. These techniques are not used in every attack, because they often require proximity, time, or special access, but they matter a lot in high-value environments and in scenarios like stolen laptops, unattended kiosks, or devices deployed in public spaces. As a beginner, it is useful to see this as a different threat model: instead of a remote attacker probing from far away, you have an attacker who is close enough to interact with the device physically. Defensive choices change based on that model, because you need to protect not just the network and software, but the device’s body and its startup process.
BIOS and UEFI are foundational terms here, because they describe the early firmware environment that initializes the system and starts the process of loading the operating system. BIOS is the older style of firmware interface, and UEFI is the newer, more feature-rich approach that has become common on modern systems. Regardless of which one is present, the firmware layer controls early hardware initialization, chooses what boot device to use, and can enforce certain security policies. If an attacker can modify this layer, they can influence what code runs first and can potentially load malicious components before the operating system. That is dangerous because it can undermine many protections that assume the operating system is in control. From a beginner perspective, you can think of BIOS and UEFI as the stage manager that sets the scene before the actors come on stage; if the stage manager is compromised, the show can be manipulated from the beginning. Defending this layer means controlling who can change firmware settings, ensuring firmware updates are authentic, and using integrity protections that detect or block unauthorized modifications.
Secure Boot and measured boot, which you learned earlier, connect directly to BIOS and UEFI threats because they are designed to protect the boot chain. Secure Boot checks signatures to ensure the system loads trusted boot components, and measured boot records what loaded so integrity can be proven later. These features can reduce the risk of bootkits and other early-start threats, but they depend on correct configuration and on the integrity of the firmware itself. If the firmware is compromised deeply enough, an attacker might attempt to disable protections or fake evidence, which is why hardware-backed trust components are so important. Beginners should understand that security features exist, but they are not always enabled or managed correctly, and attackers often look for systems where the protections are off or misconfigured. Defending against BIOS and UEFI threats therefore includes ensuring those protections are enabled and that firmware settings are locked down with strong administrative controls. It also includes monitoring and inventory, because you can’t protect firmware well if you don’t even know which devices exist and what firmware versions they run. In short, firmware defense is a combination of prevention, verification, and good hygiene.
Shimming is a physical technique that can be surprisingly simple in concept, even if the real-world tools can vary. A shim is a small device or insert placed between two components, such as between a keyboard cable and the keyboard port, or between a storage device and the motherboard connection. The idea is that the shim can intercept or modify signals, allowing an attacker to capture information like keystrokes, alter communication, or introduce malicious behavior. For beginners, an easy way to understand shimming is to imagine someone placing a tiny listener in the middle of a phone line so they can hear the conversation without being obvious. Because shims can be physical and subtle, they can be hard to notice, especially if the device is in a public or shared space. The defensive response is often physical security and device integrity checks: controlling access to hardware, using tamper-evident seals, performing inspections, and designing environments so devices are not left unattended in risky locations. Shimming reminds us that not all threats involve software at all; sometimes the attack is literally inserted into the hardware pathway.
USB attacks are another major physical tactic, and they matter because USB ports are designed for convenience and broad compatibility. When you plug in a USB device, the computer often tries to identify it and make it usable quickly, which creates opportunities for abuse. A malicious USB device might pretend to be a keyboard and type commands rapidly, or it might present itself as a network adapter and redirect traffic, or it might exploit vulnerabilities in how devices are recognized. The danger comes from trust and automation: the system may trust that a plugged-in device is harmless and may accept input without strong verification. Beginners should understand that USB attacks are not always about copying files; they can be about injecting actions or changing the system’s view of what hardware is present. This is why physical access to ports can be so valuable to an attacker, especially in environments like conference rooms, front desks, or shared workspaces. Defending against USB attacks involves limiting what devices can connect, controlling who can use ports, and educating users that unknown devices are not gifts, they are potential attack tools.
A related concept is that some USB threats can persist or spread by modifying firmware on certain peripheral devices. This is unsettling because it means even the accessory can become part of the attack, and it may not be obvious that the accessory is compromised. Not every environment faces this risk equally, but the concept reinforces an important beginner lesson: peripherals are computers too, in the sense that they can contain firmware and behavior. Defensive strategies include using trusted supply chains for hardware, restricting the use of unauthorized peripherals, and maintaining a policy for how devices are issued and replaced. It also includes practical handling rules, like not using random charging cables or unknown adapters in high-value contexts. Even simple controls like physically blocking unused ports can reduce opportunity. The goal is to reduce the chances that an attacker can introduce a malicious device into the environment in the first place.
Now let’s talk about memory, because memory attacks can be physical, logical, or a combination, and they often target sensitive data that exists briefly while a system is running. Memory is where active programs keep data as they work, and that can include passwords, cryptographic keys, session tokens, and decrypted information that would otherwise be protected on disk. Attackers like memory because it can reveal secrets in their most usable form, and because many protections focus on files and storage rather than what is temporarily present in memory. Physical access can enable certain memory extraction techniques, especially if the device is unattended or if it is in a state where memory contents can be captured. Even without physical access, malware can read memory if it achieves sufficient privileges, which is why memory protection is tied to privilege management and isolation. Beginners should learn that encryption at rest protects data on disk, but it does not automatically protect data when it is actively in use. Protecting memory therefore involves both limiting who can run code and limiting what even privileged code can see.
Memory-related threats also connect to the idea of cold boot risks, where data in memory can sometimes persist briefly after power loss and could be retrieved with specialized methods. The practical takeaway is not to obsess over edge cases, but to understand that physical control of a device can create opportunities to extract data that was assumed to be temporary. This is one reason why full-disk encryption is often paired with strong pre-boot authentication and why devices should be configured to lock quickly when unattended. It is also why high-security environments may enforce shutdown requirements rather than allowing devices to remain in sleep states in uncontrolled locations. Another important defensive concept is reducing the amount of sensitive data held in memory longer than necessary, which is part of good application design and key handling. For beginners, the key idea is that memory is an active workspace, and attackers who can access the workspace can sometimes see things they couldn’t see on disk. Defense is about reducing access to that workspace and limiting what can be learned even if access occurs.
All of these threats can be grouped under the idea of tactics, techniques, and procedures, often abbreviated as T T P s, which is a way of describing how attackers actually operate in the real world. Shimming is a technique that relies on physical insertion, USB attacks rely on device impersonation and trusted connections, BIOS and UEFI attacks rely on tampering with the boot foundation, and memory attacks rely on accessing active secrets. The defensive side mirrors these with layered controls: physical access control, device hardening, boot integrity protections, strong authentication, restricted ports, and careful handling of secrets. A beginner-friendly strategy is to think in terms of opportunity and persistence. Physical attacks often require opportunity, meaning time and access, so reducing unattended exposure is a big win. Firmware attacks often aim for persistence, so ensuring verified boot and controlled firmware updates reduces that goal. Memory attacks aim for secret extraction, so reducing privileges, enforcing lock screens, and using isolation and hardware-backed protection reduces that reward. When you map the attacker goal to a defensive control, the topic becomes more manageable.
It is also important to consider detection and response, because some of these threats are hard to detect with typical network monitoring. If a device is compromised at the firmware level, it may behave strangely, but it might not trigger common malware signatures. If a shim is installed, the device might function normally while quietly leaking information. If a USB device injects actions, it might look like the user typed them. That means prevention and integrity checks become more important, such as controlling ports, monitoring firmware versions, and using attestation-like checks that can identify devices in unexpected states. Response also includes practical actions like removing devices from service, reimaging systems, and replacing hardware when integrity cannot be assured. Beginners should understand that some compromises are not safely cleaned by simply deleting a file, because the foundation might be altered. This is why hardware and firmware incidents can lead to stronger corrective actions, including hardware replacement, especially when the cost of uncertainty is too high.
To conclude, defending against firmware and physical T T P s is about recognizing that the attack surface is not limited to the network or the operating system. Shimming shows how an attacker can intercept signals by inserting a physical middle layer, USB attacks show how convenience ports can be turned into entry points, BIOS and UEFI threats show how attackers can target the boot foundation for stealth and persistence, and memory threats show how secrets can be exposed while systems are running. The defensive approach is layered and practical: protect physical access, control removable devices, lock down firmware settings and updates, use boot integrity protections, and reduce the exposure of secrets in memory through good privilege control and isolation. The most important beginner takeaway is that security depends on assumptions, and physical access changes many assumptions at once. When you design and operate with that reality in mind, you reduce the chance that someone can walk up to a device and quietly turn it into their tool. You also make it easier to trust devices over time, because trust is supported by integrity checks, not just by hope.
