
Vulnerabilities / Threats
10/31/2018 06:26 PM

Hardware Cyberattacks: How Worried Should You Be?

How to fit hardware threats into your security model as hardware becomes smaller, faster, cheaper, and more complex.

For most organizations, it's time to put modern hardware threats into perspective.

This year has had its share of hardware scares. We kicked off 2018 with the Spectre and Meltdown attacks; most recently, a Bloomberg BusinessWeek report alleged that Chinese plants had implanted network monitoring and control chips on motherboards made for Supermicro.

Hardware technology – and, consequently, hardware attacks – have come a long way as devices have grown smaller, faster, cheaper, and more complex. Attacks that used to cost thousands of dollars can now be carried out for a few hundred dollars or less. And people panic when a report describes an implant the size of a grain of rice that is allegedly everywhere yet nobody can find.

"Reactions are not rational or appropriate to what should be done," says Joe Fitzpatrick, trainer and researcher at SecuringHardware.com. He'll be putting hardware threats into context and explaining how they fit into enterprise threat models during a briefing, titled "A Measured Response to a Grain of Rice," at Black Hat Europe in London this December.

Everything is possible, but none of it is reasonable, he continues. The current discourse around hardware attacks is focused on sensationalism: "We have reports of devices few people have heard of, doing things few know are possible, happening on a scale fewer understand," he explains in the abstract for his upcoming session. Now, following the Bloomberg report, organizations want to tear apart their motherboards and send them off to be tested for implants, he says.

Fitzpatrick likens this reaction to a patient going to the doctor and requesting chemotherapy. "But I heard on the news someone died, and they had cancer," the patient says, and so wants the treatment intended for the worst case. But the patient doesn't have cancer, Fitzpatrick says, and has ignored the basic steps to stay healthy: sleep well, exercise, don't drink, and don't smoke.

"We see people hearing about the threat, and then reacting to the threat, without protecting themselves from the threat," he explains. The same is true in tech, Fitzpatrick says: Businesses want to be safe but don't take precautions. If your first time thinking about supply chain security is when reading about a malicious implant on someone else's server, then you're missing preventive steps, he says.

"The best you can do is realize the threat model is changing," Fitzpatrick explains. "There are better approaches to securing the supply chain and hardware than getting someone to tear apart old servers."

You don't need to ship out your server to protect against hardware attacks, but you should be taking a closer look at your threat model and how you approach supply chain security, Fitzpatrick advises.

Hardware Attacks: How They Look, What to Do
The hardware threat is real, Fitzpatrick explains, but there are several misconceptions about how such attacks look and work. "People dismiss hardware attacks as too difficult, too expensive," he says. "But they're getting easier, cheaper, and more feasible."

Twenty years ago, building computer hardware cost thousands of dollars. The process has since become less expensive and far faster. These changes have shifted the threat model, but consumers and security experts alike haven't yet begun to acknowledge or prepare for it.

Software security pros, for example, look for flaws in the layers of abstraction that make up systems and applications. But when they get down to hardware, they assume it's solid. This isn't the case, Fitzpatrick says. Hardware is also built on layers of abstraction. Spectre and Meltdown, which abuse the CPU's speculative execution to leak data across boundaries software assumes are enforced, are examples of what happens when people poke holes in what they took to be a brick wall.

We can't think of hardware as monolithic, he continues. It has flaws, but they affect consumers and businesses differently. For consumers, he says hardware attacks are a lower priority compared with other security risks they face. They have bigger problems to worry about, like the Internet of Things devices they're plugging into home networks.

For businesses, supply chain security should be a greater priority, Fitzpatrick adds. Each hardware component is programmable, and each could be malicious. That said, he continues, you should also know what's rational. Your threat model may have been developed when hardware cost thousands to develop. Now a $10 card skimmer can compromise hundreds of credit cards. Is that in your threat model?

"I imagine everyone has a software security plan," Fitzpatrick says. "What they need to realize is all of that software runs on hardware, and whoever they purchase their hardware from, they need to have a conversation around supply chain security."

The hardware implant is a special case, he notes. Businesses should be more worried about receiving counterfeit or low-grade devices. Make sure you know the hardware you have and where it came from: which vendor and reseller supplied each system, and whether what arrived matches what was ordered.
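As an added example (not from the article, and not Fitzpatrick's code), the following script shows one concrete way to act on "know the hardware you have and where it came from": it parses `dmidecode`-style SMBIOS output and compares the system, baseboard, and BIOS records against what procurement says was bought, flagging serials that are not in the inventory, component mismatches, and unapproved firmware versions. The DMI text, the inventory, and every vendor, product, and serial value are constructed for the example; the section names and field labels follow the standard `dmidecode` layout.

```python
"""Compare a host's SMBIOS/DMI identity against a procurement inventory.

Added example: parses dmidecode-style output and checks the system,
baseboard and BIOS records against an expected inventory so that boards
of unknown provenance, swapped components, or unapproved firmware get
flagged. Run against a live host with:  sudo dmidecode | python3 this.py
"""
import sys
from typing import Dict, List

# Constructed sample resembling `dmidecode` output; all values are made up.
SAMPLE_DMI = """\
Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
\tVendor: Example BIOS Corp
\tVersion: 2.1b
\tRelease Date: 05/12/2018

Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: Example Server Co
\tProduct Name: ES-1000
\tSerial Number: SRV-000123

Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
\tManufacturer: Example Board Co
\tProduct Name: EB-X11
\tSerial Number: BRD-777
"""

# Constructed inventory keyed by system serial: what procurement says we bought.
EXPECTED_INVENTORY = {
    "SRV-000123": {
        "system_manufacturer": "Example Server Co",
        "system_product": "ES-1000",
        "board_manufacturer": "Example Board Co",
        "board_product": "EB-X10",  # deliberately differs from the sample above
        "board_serial": "BRD-777",
        "approved_bios": {"2.0", "2.1b"},
    },
}

# dmidecode section titles we care about, mapped to short record names.
SECTIONS = {
    "BIOS Information": "bios",
    "System Information": "system",
    "Base Board Information": "board",
}


def parse_dmi(text: str) -> Dict[str, Dict[str, str]]:
    """Parse dmidecode output into {record: {field: value}} for known sections."""
    records: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:            # blank line ends the current handle
            current = None
            continue
        if stripped in SECTIONS:    # section title line, e.g. "System Information"
            current = SECTIONS[stripped]
            records.setdefault(current, {})
            continue
        # Indented "Key: value" lines belong to the current section.
        if current and line.startswith(("\t", " ")) and ":" in stripped:
            key, _, value = stripped.partition(":")
            records[current][key.strip()] = value.strip()
    return records


def check_host(records: Dict[str, Dict[str, str]], inventory: dict) -> List[str]:
    """Return a list of findings (empty list means the host matches inventory)."""
    findings: List[str] = []
    system = records.get("system", {})
    board = records.get("board", {})
    bios = records.get("bios", {})

    serial = system.get("Serial Number", "")
    expected = inventory.get(serial)
    if expected is None:
        # A system we never bought, or a serial we cannot trace to a purchase.
        findings.append(f"system serial {serial!r} not in inventory")
        return findings

    checks = [
        ("system manufacturer", system.get("Manufacturer"), expected["system_manufacturer"]),
        ("system product", system.get("Product Name"), expected["system_product"]),
        ("board manufacturer", board.get("Manufacturer"), expected["board_manufacturer"]),
        ("board product", board.get("Product Name"), expected["board_product"]),
        ("board serial", board.get("Serial Number"), expected["board_serial"]),
    ]
    for name, observed, wanted in checks:
        if observed != wanted:
            findings.append(f"{name}: observed {observed!r}, inventory says {wanted!r}")

    version = bios.get("Version")
    if version not in expected["approved_bios"]:
        findings.append(f"BIOS version {version!r} not in approved set "
                        f"{sorted(expected['approved_bios'])}")
    return findings


if __name__ == "__main__":
    # Read real dmidecode output from a pipe; fall back to the constructed sample.
    dmi_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMI
    for finding in check_host(parse_dmi(dmi_text), EXPECTED_INVENTORY) or ["OK: host matches inventory"]:
        print(finding)
```

Run against the embedded sample, the script reports a single finding: the baseboard product (`EB-X11`) is not the one in the purchase record (`EB-X10`). Two caveats worth keeping in mind: SMBIOS strings are reported by the platform firmware, so a compromised or counterfeit board can report whatever it likes, and a clean match is a provenance check rather than evidence that no implant exists. The value of the check is in catching swapped, substituted, or untracked hardware cheaply and at scale, which is the class of problem the article says businesses should worry about first.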


Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, and top-tier security solutions and service providers in the Business Hall.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Joe Stanganelli, User Rank: Ninja, 10/31/2018 | 11:37:36 PM
Harder to detect, too
Moreover, detecting compromised hardware -- particularly backdoors embedded directly into the chipset -- is way more difficult. And, absent full reverse engineering, detection methods may not be foolproof, depending upon how thoroughly and cleverly the attacker hid the backdoor (which may be quite a bit, considering).

Yet another reason why enterprises don't want to think about this. It's easier to take the tack of Ser Janos Slynt in GoT/ASoIaF -- insisting "There's no such thing as giants" while watching actual giants plainly approaching.