Hardware security is an often-neglected aspect of cybersecurity and is rarely allocated the resources that application and software security receive.
This underfunding stems largely from a general lack of knowledge about hardware security. Today, we hope to debunk some myths so that organizations better understand hardware security and take appropriate action to protect their hardware assets.
Myth #1: “I haven’t heard about this – the problem does not exist!”
Wrong. Just because some cyber-attacks make headlines does not mean that all of them do, and the ones reported in the news are rarely those that originated from a physical device. Most organizations are reluctant to disclose that they have fallen victim to a hardware-based attack, since it reflects badly on their physical security. Alternatively, the enterprise may never learn that the attack started with a physical device at all: because awareness of hardware security is low, an incident is often wrongly attributed to everyday methods such as phishing or malicious links, when in fact a cheap, unassuming hardware tool can do more damage, as it gives the attacker a high level of access to the target. Many regulations and security frameworks, such as GDPR, CMMC and NIST's, emphasise the importance of hardware assets and the need for complete device visibility.
“Ok, but that does not mean that these types of attacks actually happen”
Well, there would not be such concern if the threat were not real, but to give you even more reason to believe that these attacks do occur, and are a genuine threat, let us look at a frequent victim: the ATM. ATMs are protected both physically and logically, because cybercriminals regard them as a valuable hardware asset with an instant pay-out. Despite this dual layer of protection, 2020 saw the largest number of successful black box attacks on ATMs: in the first half of 2020 alone, ATM black box attacks were up almost 270%. In a black box attack, a hardware device (the black box) is attached to the ATM's USB port so that it sits between, or in place of, the ATM's own computer on the link to the cash dispenser; the perpetrator then sends cash-dispensing commands to the dispenser directly, often remotely, bypassing the controls that run on the ATM's computer. If an ATM cannot be sufficiently protected, are you sure that the devices your employees use at home (thanks, COVID) are?
Myth #2: “We have security measures in place, so we’re safe!”
Sure, you may have several security software solutions in place. You likely also have physical security measures, such as CCTV cameras and a high-tech alarm system. But you have overlooked one key fact: attackers are smart and constantly adjust their methods to avoid detection. As a result, many cybercriminals are turning to hardware attacks precisely because physical devices are so lightly protected.
The first vulnerability is simply the lack of visibility of all hardware assets within the organization. To test how exposed you are, consider how long it would take you to answer these questions: how many Logitech wireless mice are in your R&D department, if any? How many employees use IoT devices within the working environment, and which devices are they? Are there any switches that have missed critical security updates? If you need more than 10 seconds to answer, then, “Houston, we have a problem.”
A second, more concerning risk that bad actors exploit is that existing security measures cannot detect manipulated hardware. Think of it in terms of physical security and terrorist actors. Hamas, for example, realised that its attack surface was almost hermetically covered by physical and technological security measures, so it adjusted its methods by moving below the surface: the Iron Dome may intercept rockets fired at Israel, but it cannot detect fighters infiltrating through underground tunnels. The same goes for cybersecurity. Cyber criminals exploit the blind spots of security solutions by moving below the surface to Layer 1, the Physical Layer, which those solutions do not cover. Attackers know which protective measures you have in place, such as EPS, NAC and IDS, and they know that these tools inspect software and network traffic at Layer 2 and above; a rogue device that enumerates as a legitimate peripheral never shows up there, hence the move to Layer 1. So, having security measures in place does not mean you are safe. Attackers are always one step ahead, or in this case, one layer below.
Myth #3: “We aren’t interesting enough to be a target.”
You are far more interesting than you think, even if you are not a nuclear reactor or a laboratory developing a vaccine for COVID-19. Of course, organizations in certain industries are higher-value targets, but every enterprise has assets that attract outsiders. Cyber criminals are not only after intelligence agencies and government entities; the malicious actor might be a competitor interested in stealing your intellectual property to advance their own operations. A simple but disruptive ransomware attack can do the job, and a hardware device can deliver that basic attack while evading detection. Recent ransomware attack trends and statistics show that almost every industry has had victims. So, even if you think your organization performs exceedingly dull tasks, there will be a cyber criminal who thinks otherwise.
Myth #4: “We do not use USBs, and everything is blocked!”
If we had a penny for every time we have heard this one.
Organizations rely on the whitelisting capabilities of their device control, EPS and EDR solutions, which block storage devices, phones, keyboards and mice by their USB vendor and product identifiers (VID/PID). But what are the employees using to type? That’s right, a keyboard. And how is that keyboard connected? By USB. The same goes for the mice the employees use to control the computer. The catch is that the VID, PID and device class are reported by the device itself and are not authenticated in ordinary USB enumeration, so an attack tool that enumerates as an approved keyboard is, as far as the whitelist can tell, that keyboard. As long as those HIDs (human interface devices) are permitted, so are the devices that impersonate them.
Myth #5: “I don’t need to worry because my employees use a VPN, VDI, or RDP.”
Even with these protective measures in effect, a human still has to control the endpoint with a keyboard and mouse. Attack tools that impersonate HID devices perfectly (logically) are really impersonating the human who types commands, often adding randomness (for example, to the timing between keystrokes) to avoid detection. Whatever session the host opens over VPN, VDI or RDP, the injected keystrokes travel alongside the user's own and are executed on the remote endpoint. Therefore, as long as employees use keyboards and mice to type and move the cursor, there will always be an attack surface for hardware attackers, whether the endpoint is in the cloud or on a remote physical station.
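As an added example (not Sepio's code, and not part of the original article), the following Python script demonstrates the points behind Myths #4 and #5 together: a VID/PID whitelist passes a device that clones an approved keyboard's identifiers, while an inventory keyed on the unit's serial does not; and a keystroke-timing check can still catch an injector that types faster than a person, even when it randomises its delays, but not one that slows itself to human speed. The device records, the VID/PID values, the keystroke streams and the 40 ms timing floor are all constructed assumptions for illustration, not measured data.

```python
"""Added example (not Sepio's code): why a VID/PID whitelist does not stop a
keyboard-impersonating device, and one timing heuristic that catches some of
them.  Device records, keystroke timestamps and thresholds are constructed."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbDevice:
    """What a host learns from USB enumeration: values the device reports
    about itself, none of them authenticated."""
    vid: int       # vendor ID, self-reported
    pid: int       # product ID, self-reported
    product: str   # product string descriptor, self-reported
    serial: str    # iSerial string; empty when the device reports none


# Illustrative VID/PID for the "approved keyboard" (assumed values).
APPROVED_VID_PID = {(0x1234, 0x0001)}


def allowlist_permits(dev: UsbDevice) -> bool:
    """VID/PID whitelist as device-control products commonly apply it
    (assumed): anything reporting an approved VID/PID is permitted."""
    return (dev.vid, dev.pid) in APPROVED_VID_PID


def inventory_permits(dev: UsbDevice, inventory: set) -> bool:
    """Stronger check: the device must match one inventoried unit by
    (VID, PID, serial).  Caveat: a keyboard that reports no serial cannot be
    inventoried this way, and the serial is still self-reported."""
    return bool(dev.serial) and (dev.vid, dev.pid, dev.serial) in inventory


LEGIT_KEYBOARD = UsbDevice(0x1234, 0x0001, "Keyboard", "SN-00017")
# A keystroke injector configured to clone the approved keyboard's identifiers.
IMPERSONATOR = UsbDevice(0x1234, 0x0001, "Keyboard", "")
INVENTORY = {(LEGIT_KEYBOARD.vid, LEGIT_KEYBOARD.pid, LEGIT_KEYBOARD.serial)}


def inter_key_gaps(timestamps):
    """Seconds between consecutive keystrokes."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def constant_delay(timestamps, tolerance=0.002):
    """Naive check: every gap identical, as a fixed-delay script produces.
    An injector that randomises its delays defeats this."""
    gaps = inter_key_gaps(timestamps)
    return len(gaps) >= 2 and max(gaps) - min(gaps) < tolerance


def sustained_burst(timestamps, window=10, floor=0.040):
    """Flag any run of `window` keystrokes whose median gap is below `floor`
    seconds.  The 40 ms floor is an assumed human-plausibility threshold,
    not a measured value.  Jitter does not help an injector that still types
    faster than that; one that slows to human speed evades this check too."""
    for i in range(len(timestamps) - window + 1):
        gaps = inter_key_gaps(timestamps[i:i + window])
        if statistics.median(gaps) < floor:
            return True
    return False


def _stream(gaps):
    """Turn a list of inter-key gaps into absolute timestamps."""
    t, out = 0.0, []
    for g in gaps:
        t += g
        out.append(t)
    return out


# Constructed keystroke streams (seeded so they are reproducible).
_rng = random.Random(7)
HUMAN = _stream([_rng.uniform(0.08, 0.25) for _ in range(40)])
FIXED_INJECTOR = _stream([0.010] * 40)
JITTER_INJECTOR = _stream([_rng.uniform(0.005, 0.025) for _ in range(40)])
SLOW_INJECTOR = _stream([_rng.uniform(0.09, 0.20) for _ in range(40)])


def classify(timestamps):
    """Apply both timing checks to one keystroke stream."""
    return {"constant_delay": constant_delay(timestamps),
            "sustained_burst": sustained_burst(timestamps)}


if __name__ == "__main__":
    print("whitelist permits legit keyboard:", allowlist_permits(LEGIT_KEYBOARD))
    print("whitelist permits impersonator:  ", allowlist_permits(IMPERSONATOR))
    print("inventory permits impersonator:  ", inventory_permits(IMPERSONATOR, INVENTORY))
    for name, stream in [("human", HUMAN), ("fixed", FIXED_INJECTOR),
                         ("jitter", JITTER_INJECTOR), ("slow", SLOW_INJECTOR)]:
        print(f"{name:7s}", classify(stream))
```

Run it directly to print the verdicts. On a real host the timestamps would come from the input subsystem (for example, evdev events on Linux) and the VID/PID/serial fields from USB enumeration. Two caveats matter in practice: the inventory check degrades to a plain VID/PID check for keyboards that report no serial, and the timing check is only a heuristic that says the input was inhumanly fast, not which physical device produced it.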
About the Author
Jessica Amado is Head of Cyber Research at Sepio Systems, where she researches and covers multiple aspects of hardware-related cyber threats. She is a Regent’s University London graduate with First Class Honours in Global Business Management with Leadership and Management, and holds an IDC Master’s in Government with a specialization in Homeland Security and Counter-Terrorism.