If a rate the risk I would say, the firmware can be manipulated when the device has already been broken into, so no additional security by adding secure boot. My question: What is the risk of not having secure boot in this specific context? Thank you
In a proper secure boot, firmware cannot be manipulated if the device has been broken into. If it is, it won't boot. If the attacker wipes the device, the key should be held by the SOC durably so newly loaded software cannot be loaded if it is not signed by the installed manufacturer key. Secure boot is about assuring the engineer and the customer that proper operation will be maintained even in the face of physical access to the device. If all of this is not true of one's device the allure of secure boot can be diminished.
Embedded system software is often (and probably should always be) highly limited to exactly what the system needs to run. In these cases root can do little more than run valid software. Some threats of an attacker adding software with this assumption:
- Attacker added software can cause unexpected behavior causing a reduction in customer perception of the product (ie causing crashes, slow operation, etc).
- Attacker added software can cause material harm to user or user's property (overrunning factory equipment, disable brakes on a vehicle, etc).
- Attacker added software can assist in reverse engineering, secrets exfiltration, customer information spying, etc.
Most of these are of course also possible if there is a runtime vulnerability (remote code execution, etc). But adding a file to disk is a lot easier than finding and exploiting a runtime vulnerability. When I did TARAs this was covered under 'likelihood' rather than 'severity.'
