Vulnerabilities / Threats

10/31/2018
06:26 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Hardware Cyberattacks: How Worried Should You Be?

How to fit hardware threats into your security model as hardware becomes smaller, faster, cheaper, and more complex.

For most organizations, it's time to put modern hardware threats into perspective.

This year has had its share of hardware scares. We kicked off 2018 with the Spectre and Meltdown attacks; most recently, a Bloomberg BusinessWeek report detailed how Chinese plants implanted network monitoring and control chips on motherboards made for Supermicro.

Hardware technology – and, consequently, hardware attacks – have come a long way as devices have grown smaller, faster, cheaper, and more complex. Attacks that used to cost thousands of dollars can be done for a few hundred bucks or less. Now people panic when a report describes an implant the size of a grain of rice, one which is allegedly everywhere but nobody can find it.

"Reactions are not rational or appropriate to what should be done," says Joe Fitzpatrick, trainer and researcher at SecuringHardware.com. He'll be putting hardware threats into context and explaining how they fit into enterprise threat models during a briefing, titled "A Measured Response to a Grain of Rice," at Black Hat Europe in London this December.

Everything is possible but none of it is reasonable, he continues. The current discourse around hardware attacks is focused on sensationalism. We have reports of devices few people have heard of, doing things few know are possible, happening on a scale fewer understand, he explains in the abstract for his upcoming session. Now, following the Bloomberg report, they want to tear apart their motherboards and send them to be tested for implants, he says. 

Fitzpatrick likens this reaction to a person going to the doctor and requesting chemotherapy. "But I heard on the news someone died, and they had cancer," he says they say, and as a result, they want the treatment intended to prevent the worst. But they don't have cancer, Fitzpatrick says, and they've ignored the steps to stay healthy: sleep well, exercise, don't drink, and don't smoke.

"We see people hearing about the threat, and then reacting to the threat, without protecting themselves from the threat," he explains. The same is true in tech, Fitzpatrick says: Businesses want to be safe but don't take precautions. If your first time thinking about supply chain security is when reading about a malicious implant on someone else's server, then you're missing preventive steps, he says.

"The best you can do is realize the threat model is changing," Fitzpatrick explains. "There are better approaches to securing the supply chain and hardware than getting someone to tear apart old servers."

You don't need to ship out your server to protect against hardware attacks, but you should be taking a closer look at your threat model and how you approach supply chain security, Fitzpatrick advises.

Hardware Attacks: How They Look, What to Do
The hardware threat is real, Fitzpatrick explains, but there are several misconceptions around how they look and work. "People dismiss hardware attacks as too difficult, too expensive," he says. "But they're getting easier, cheaper, and more feasible."

Twenty years ago, building computer hardware cost thousands of dollars. The process has since become less expensive and far faster. These changes have shifted the threat model, but consumers and security experts alike haven't yet begun to acknowledge or prepare for it.

Software security pros, for example, look for flaws in the layers of abstraction that make up systems and applications. But when they get to hardware, they assume it's solid. This isn't the case, Fitzpatrick says. Hardware is also built on layers of abstraction. Spectre and Meltdown are examples of what happens when people poke holes in what they assume is a brick wall.

We can't think of hardware as monolithic, he continues. It has flaws, but they affect consumers and businesses differently. For consumers, he says hardware attacks are a lower priority compared with other security risks they face. They have bigger problems to worry about, like the Internet of Things devices they're plugging into home networks.

For businesses, supply chain security should be a greater priority, Fitzpatrick adds. Each hardware component is programmable, and each could be malicious. That said, he continues, you should also know what's rational. Your threat model may have been developed when hardware cost thousands to develop. Now a $10 card skimmer can compromise hundreds of credit cards. Is that in your threat model?

"I imagine everyone has a software security plan," Fitzpatrick says. "What they need to realize is all of that software runs on hardware, and whoever they purchase their hardware from, they need to have a conversation around supply chain security."

The hardware implant is a special case, he notes. Businesses should be more worried about getting counterfeit or low-grade devices. Make sure you know the hardware you have and where it came from.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/31/2018 | 11:37:36 PM
Harder to detect, too
Moreover, detecting compromised hardware -- particularly backdoors embedded directly into the chipset -- is way more difficult. And, absent full reverse engineering, detection methods may not be foolproof, depending upon how thoroughly and cleverly the attacker hid the backdoor (which may be quite a bit, considering).

Yet another reason why enterprises don't want to think about this. It's easier to take the tack of Ser Janos Slynt in GoT/ASoIaF -- insisting "There's no such thing as giants" while watching actual giants plainly approaching.
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.