Vulnerabilities / Threats

10/31/2018
06:26 PM

Hardware Cyberattacks: How Worried Should You Be?

How to fit hardware threats into your security model as hardware becomes smaller, faster, cheaper, and more complex.

For most organizations, it's time to put modern hardware threats into perspective.

This year has had its share of hardware scares. We kicked off 2018 with the Spectre and Meltdown attacks; most recently, a Bloomberg BusinessWeek report alleged that Chinese manufacturing plants had implanted network monitoring and control chips on motherboards made for Supermicro.

Hardware technology – and, consequently, hardware attacks – have come a long way as devices have grown smaller, faster, cheaper, and more complex. Attacks that used to cost thousands of dollars can now be carried out for a few hundred dollars or less. Yet people panic when a report describes an implant the size of a grain of rice that is allegedly everywhere and that nobody can find.

"Reactions are not rational or appropriate to what should be done," says Joe Fitzpatrick, trainer and researcher at SecuringHardware.com. He'll be putting hardware threats into context and explaining how they fit into enterprise threat models during a briefing, titled "A Measured Response to a Grain of Rice," at Black Hat Europe in London this December.

Everything is possible, but none of it is reasonable, he continues. The current discourse around hardware attacks is driven by sensationalism: reports of devices few people have heard of, doing things few know are possible, on a scale fewer still understand, as he puts it in the abstract for his upcoming session. Now, following the Bloomberg report, organizations want to tear apart their motherboards and send them off to be tested for implants, he says.

Fitzpatrick likens this reaction to a person going to the doctor and demanding chemotherapy. "But I heard on the news someone died, and they had cancer," the patient says, and so wants the treatment meant to prevent the worst. But the patient doesn't have cancer, Fitzpatrick says, and has ignored the steps that keep people healthy: sleep well, exercise, don't drink, and don't smoke.

"We see people hearing about the threat, and then reacting to the threat, without protecting themselves from the threat," he explains. The same is true in tech, Fitzpatrick says: Businesses want to be safe but don't take precautions. If your first time thinking about supply chain security is when reading about a malicious implant on someone else's server, then you're missing preventive steps, he says.

"The best you can do is realize the threat model is changing," Fitzpatrick explains. "There are better approaches to securing the supply chain and hardware than getting someone to tear apart old servers."

You don't need to ship out your server to protect against hardware attacks, but you should be taking a closer look at your threat model and how you approach supply chain security, Fitzpatrick advises.

Hardware Attacks: How They Look, What to Do
The hardware threat is real, Fitzpatrick explains, but there are several misconceptions about how hardware attacks look and how they work. "People dismiss hardware attacks as too difficult, too expensive," he says. "But they're getting easier, cheaper, and more feasible."

Twenty years ago, building computer hardware cost thousands of dollars. The process has since become far cheaper and faster. These changes have shifted the threat model, but consumers and security experts alike have yet to acknowledge or prepare for it.

Software security pros, for example, look for flaws in the layers of abstraction that make up systems and applications. But when they get down to hardware, they assume it's solid. This isn't the case, Fitzpatrick says: hardware is also built on layers of abstraction, and Spectre and Meltdown are examples of what happens when people poke holes in what they assumed was a brick wall.

We can't think of hardware as monolithic, he continues. It has flaws, but those flaws affect consumers and businesses differently. For consumers, he says, hardware attacks are a lower priority than the other security risks they face; they have bigger problems to worry about, like the Internet of Things devices they plug into their home networks.

For businesses, supply chain security should be a higher priority, Fitzpatrick adds. Each hardware component is programmable, and each could be malicious. That said, he continues, you should also know what's rational. Your threat model may have been developed when hardware cost thousands of dollars to build. Now a $10 card skimmer can compromise hundreds of credit cards. Is that in your threat model?

"I imagine everyone has a software security plan," Fitzpatrick says. "What they need to realize is all of that software runs on hardware, and whoever they purchase their hardware from, they need to have a conversation around supply chain security."

The hardware implant is a special case, he notes; businesses should worry more about receiving counterfeit or low-grade devices. Make sure you know what hardware you have and where it came from.
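One practical form of "know what hardware you have" is a baseline comparison, shown here as an added example that is not from the article or from Fitzpatrick's briefing. It assumes each host's PCI inventory has been captured as the one-device-per-line text that `lspci -nn` prints, takes a known-good server of the same model as the golden baseline, and flags devices that are unexpected, missing, or present in the wrong number. All host names and inventory text below are constructed, and the PCI IDs are illustrative.

```python
"""Compare per-host PCI inventories against a golden baseline.

Added example; not code from the article. Input is the one-device-per-line
text that `lspci -nn` prints, where the "[vendor:device]" pair in square
brackets identifies the silicon. Everything below (hosts, IDs) is constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Matches the vendor:device pair, e.g. "[8086:1521]"; the class code that
# `lspci -nn` also prints ("[0200]") has no colon and is deliberately skipped.
PCI_ID_RE = re.compile(r"\[([0-9a-f]{4}):([0-9a-f]{4})\]")


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str     # "unexpected", "missing" or "count_mismatch"
    device: str   # "vendor:device"
    detail: str


def parse_lspci(text: str) -> Counter[str]:
    """Count how many times each vendor:device ID appears in lspci -nn output."""
    ids: Counter[str] = Counter()
    for line in text.splitlines():
        m = PCI_ID_RE.search(line)
        if m:
            ids[f"{m.group(1)}:{m.group(2)}"] += 1
    return ids


def audit_host(host: str, inventory: str, baseline: Counter[str]) -> list[Finding]:
    """Diff one host's inventory against the baseline; an empty list means clean."""
    seen = parse_lspci(inventory)
    findings: list[Finding] = []
    for dev, n in sorted(seen.items()):
        if dev not in baseline:
            findings.append(Finding(host, "unexpected", dev, f"{n} present, none in baseline"))
        elif n != baseline[dev]:
            findings.append(Finding(host, "count_mismatch", dev,
                                    f"{n} present, {baseline[dev]} in baseline"))
    for dev, n in sorted(baseline.items()):
        if dev not in seen:
            findings.append(Finding(host, "missing", dev, f"none present, {n} in baseline"))
    return findings


def audit_fleet(golden: str, fleet: dict[str, str]) -> dict[str, list[Finding]]:
    """Audit every host in `fleet` against the inventory of the golden host."""
    baseline = parse_lspci(golden)
    return {host: audit_host(host, inv, baseline) for host, inv in fleet.items()}


# Constructed sample data for a hypothetical server model (IDs are illustrative).
GOLDEN_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation Device [8086:1980]
00:14.0 USB controller [0c03]: Intel Corporation Device [8086:19d0]
01:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller [8086:1521] (rev 01)
01:00.1 Ethernet controller [0200]: Intel Corporation Ethernet Controller [8086:1521] (rev 01)
02:00.0 RAID bus controller [0104]: Broadcom / LSI SAS Controller [1000:005f] (rev 02)
"""

FLEET = {
    # Identical to the golden host.
    "db-07": GOLDEN_LSPCI,
    # One NIC port gone, plus an unknown device under a vendor ID we never bought from.
    "db-12": """\
00:00.0 Host bridge [0600]: Intel Corporation Device [8086:1980]
00:14.0 USB controller [0c03]: Intel Corporation Device [8086:19d0]
01:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller [8086:1521] (rev 01)
02:00.0 RAID bus controller [0104]: Broadcom / LSI SAS Controller [1000:005f] (rev 02)
05:00.0 Serial bus controller [0c80]: Device [beef:0001]
""",
}


if __name__ == "__main__":
    for host, findings in audit_fleet(GOLDEN_LSPCI, FLEET).items():
        status = "clean" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for f in findings:
            print(f"  {f.kind:<15} {f.device}  {f.detail}")
```

Run as-is, db-07 comes back clean and db-12 reports a count mismatch on 8086:1521 and an unexpected beef:0001. The caveat worth stating plainly: this is an asset-control check, not an implant detector. It sees only what enumerates on the PCI bus, so a part hanging off an SPI or I2C line, or a modified firmware image inside an otherwise genuine chip, never appears here. What it does give you is the inventory record Fitzpatrick says you need, and it is cheap enough to run at receiving and on every reboot.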

Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, and top-tier security solutions and service providers in the Business Hall.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Maggie Jauregui, User Rank: Author, 3/16/2021 4:28:19 PM
Bringing supply chain into existing threat models
Regardless of the veracity of the claims, this story brought a spotlight to the vulnerability of modern systems to supply chain and hardware attacks. Hopefully, this new awareness will lead to evolving comprehensive threat models that expand their scope to consider physical presence attackers at different levels.
Joe Stanganelli, User Rank: Ninja, 10/31/2018 11:37:36 PM
Harder to detect, too
Moreover, detecting compromised hardware -- particularly backdoors embedded directly into the chipset -- is way more difficult. And, absent full reverse engineering, detection methods may not be foolproof, depending upon how thoroughly and cleverly the attacker hid the backdoor (which may be quite a bit, considering).

Yet another reason why enterprises don't want to think about this. It's easier to take the tack of Ser Janos Slynt in GoT/ASoIaF -- insisting "There's no such thing as giants" while watching actual giants plainly approaching.