For most organizations, it's time to put modern hardware threats into perspective.
This year has had its share of hardware scares. We kicked off 2018 with the Spectre and Meltdown attacks; most recently, a Bloomberg BusinessWeek report detailed how Chinese plants implanted network monitoring and control chips on motherboards made for Supermicro.
Hardware technology – and, consequently, hardware attacks – have come a long way as devices have grown smaller, faster, cheaper, and more complex. Attacks that used to cost thousands of dollars can be done for a few hundred bucks or less. Now people panic when a report describes an implant the size of a grain of rice, one that is allegedly everywhere yet nobody can find.
"Reactions are not rational or appropriate to what should be done," says Joe Fitzpatrick, trainer and researcher at SecuringHardware.com. He'll be putting hardware threats into context and explaining how they fit into enterprise threat models during a briefing, titled "A Measured Response to a Grain of Rice," at Black Hat Europe in London this December.
Everything is possible but none of it is reasonable, he continues. The current discourse around hardware attacks is focused on sensationalism. We have reports of devices few people have heard of, doing things few know are possible, happening on a scale fewer understand, he explains in the abstract for his upcoming session. Now, following the Bloomberg report, organizations want to tear apart their motherboards and send them to be tested for implants, he says.
Fitzpatrick likens this reaction to a patient going to the doctor and requesting chemotherapy: "But I heard on the news someone died, and they had cancer." The patient wants the treatment intended to prevent the worst, Fitzpatrick says, but doesn't have cancer and has ignored the steps to stay healthy: sleep well, exercise, don't drink, and don't smoke.
"We see people hearing about the threat, and then reacting to the threat, without protecting themselves from the threat," he explains. The same is true in tech, Fitzpatrick says: Businesses want to be safe but don't take precautions. If your first time thinking about supply chain security is when reading about a malicious implant on someone else's server, then you're missing preventive steps, he says.
"The best you can do is realize the threat model is changing," Fitzpatrick explains. "There are better approaches to securing the supply chain and hardware than getting someone to tear apart old servers."
You don't need to ship out your server to protect against hardware attacks, but you should be taking a closer look at your threat model and how you approach supply chain security, Fitzpatrick advises.
Hardware Attacks: How They Look, What to Do
The hardware threat is real, Fitzpatrick explains, but there are several misconceptions around how these attacks look and work. "People dismiss hardware attacks as too difficult, too expensive," he says. "But they're getting easier, cheaper, and more feasible."
Twenty years ago, building computer hardware cost thousands of dollars. The process has since become less expensive and far faster. These changes have shifted the threat model, but consumers and security experts alike haven't yet begun to acknowledge or prepare for it.
Software security pros, for example, look for flaws in the layers of abstraction that make up systems and applications. But when they get to hardware, they assume it's solid. This isn't the case, Fitzpatrick says. Hardware is also built on layers of abstraction. Spectre and Meltdown are examples of what happens when people poke holes in what they assume is a brick wall.
We can't think of hardware as monolithic, he continues. It has flaws, but they affect consumers and businesses differently. For consumers, he says hardware attacks are a lower priority compared with other security risks they face. They have bigger problems to worry about, like the Internet of Things devices they're plugging into home networks.
For businesses, supply chain security should be a greater priority, Fitzpatrick adds. Each hardware component is programmable, and each could be malicious. That said, he continues, you should also know what's rational. Your threat model may have been developed when hardware cost thousands to develop. Now a $10 card skimmer can compromise hundreds of credit cards. Is that in your threat model?
"I imagine everyone has a software security plan," Fitzpatrick says. "What they need to realize is all of that software runs on hardware, and whoever they purchase their hardware from, they need to have a conversation around supply chain security."
The hardware implant is a special case, he notes. Businesses should be more worried about getting counterfeit or low-grade devices. Make sure you know the hardware you have and where it came from.
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall.