Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/31/2018
06:26 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Hardware Cyberattacks: How Worried Should You Be?

How to fit hardware threats into your security model as hardware becomes smaller, faster, cheaper, and more complex.

For most organizations, it's time to put modern hardware threats into perspective.

This year has had its share of hardware scares. We kicked off 2018 with the Spectre and Meltdown attacks; most recently, a Bloomberg BusinessWeek report detailed how Chinese plants implanted network monitoring and control chips on motherboards made for Supermicro.

Hardware technology – and, consequently, hardware attacks – have come a long way as devices have grown smaller, faster, cheaper, and more complex. Attacks that used to cost thousands of dollars can be done for a few hundred bucks or less. Now people panic when a report describes an implant the size of a grain of rice, one which is allegedly everywhere but nobody can find it.

"Reactions are not rational or appropriate to what should be done," says Joe Fitzpatrick, trainer and researcher at SecuringHardware.com. He'll be putting hardware threats into context and explaining how they fit into enterprise threat models during a briefing, titled "A Measured Response to a Grain of Rice," at Black Hat Europe in London this December.

Everything is possible but none of it is reasonable, he continues. The current discourse around hardware attacks is focused on sensationalism. We have reports of devices few people have heard of, doing things few know are possible, happening on a scale fewer understand, he explains in the abstract for his upcoming session. Now, following the Bloomberg report, they want to tear apart their motherboards and send them to be tested for implants, he says. 

Fitzpatrick likens this reaction to a person going to the doctor and requesting chemotherapy. "But I heard on the news someone died, and they had cancer," he says they say, and as a result, they want the treatment intended to prevent the worst. But they don't have cancer, Fitzpatrick says, and they've ignored the steps to stay healthy: sleep well, exercise, don't drink, and don't smoke.

"We see people hearing about the threat, and then reacting to the threat, without protecting themselves from the threat," he explains. The same is true in tech, Fitzpatrick says: Businesses want to be safe but don't take precautions. If your first time thinking about supply chain security is when reading about a malicious implant on someone else's server, then you're missing preventive steps, he says.

"The best you can do is realize the threat model is changing," Fitzpatrick explains. "There are better approaches to securing the supply chain and hardware than getting someone to tear apart old servers."

You don't need to ship out your server to protect against hardware attacks, but you should be taking a closer look at your threat model and how you approach supply chain security, Fitzpatrick advises.

Hardware Attacks: How They Look, What to Do
The hardware threat is real, Fitzpatrick explains, but there are several misconceptions around how they look and work. "People dismiss hardware attacks as too difficult, too expensive," he says. "But they're getting easier, cheaper, and more feasible."

Twenty years ago, building computer hardware cost thousands of dollars. The process has since become less expensive and far faster. These changes have shifted the threat model, but consumers and security experts alike haven't yet begun to acknowledge or prepare for it.

Software security pros, for example, look for flaws in the layers of abstraction that make up systems and applications. But when they get to hardware, they assume it's solid. This isn't the case, Fitzpatrick says. Hardware is also built on layers of abstraction. Spectre and Meltdown are examples of what happens when people poke holes in what they assume is a brick wall.

We can't think of hardware as monolithic, he continues. It has flaws, but they affect consumers and businesses differently. For consumers, he says hardware attacks are a lower priority compared with other security risks they face. They have bigger problems to worry about, like the Internet of Things devices they're plugging into home networks.

For businesses, supply chain security should be a greater priority, Fitzpatrick adds. Each hardware component is programmable, and each could be malicious. That said, he continues, you should also know what's rational. Your threat model may have been developed when hardware cost thousands to develop. Now a $10 card skimmer can compromise hundreds of credit cards. Is that in your threat model?

"I imagine everyone has a software security plan," Fitzpatrick says. "What they need to realize is all of that software runs on hardware, and whoever they purchase their hardware from, they need to have a conversation around supply chain security."

The hardware implant is a special case, he notes. Businesses should be more worried about getting counterfeit or low-grade devices. Make sure you know the hardware you have and where it came from.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/31/2018 | 11:37:36 PM
Harder to detect, too
Moreover, detecting compromised hardware -- particularly backdoors embedded directly into the chipset -- is way more difficult. And, absent full reverse engineering, detection methods may not be foolproof, depending upon how thoroughly and cleverly the attacker hid the backdoor (which may be quite a bit, considering).

Yet another reason why enterprises don't want to think about this. It's easier to take the tack of Ser Janos Slynt in GoT/ASoIaF -- insisting "There's no such thing as giants" while watching actual giants plainly approaching.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19729
PUBLISHED: 2019-12-11
An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-inpu...
CVE-2019-19373
PUBLISHED: 2019-12-11
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parame...
CVE-2019-19374
PUBLISHED: 2019-12-11
An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can delete arbitrary files from the se...
CVE-2014-7257
PUBLISHED: 2019-12-11
SQL injection vulnerability in DBD::PgPP 0.05 and earlier
CVE-2013-4303
PUBLISHED: 2019-12-11
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-s...