Today’s businesses are becoming more software-centric and software-driven, and the emphasis on cybersecurity is also shifting more to software.
But the hardware that the software runs on can be just as tempting to attackers. In fact, threat actors are increasingly targeting the physical supply chain to manipulate device hardware and firmware integrity, and that’s raising alarms for business leaders, according to a new report from HP Wolf Security.
Specifically, one in five companies has experienced an attack on their hardware supply chain, and a surprising 91% of IT and security decision makers believe nation-state threat actors will target physical PCs, laptops, printers, and other devices.
“If an attacker can compromise a device at the firmware or hardware layer, they gain unparalleled visibility and control over everything that happens on that machine,” said Alex Holland, senior threat researcher at HP Security Labs. “Imagine if that happened to your CEO’s laptop.”
‘Blind and unequipped’
Ahead of Black Hat, the major cybersecurity conference this week, HP Wolf has released preliminary details of its ongoing research into physical platform security, based on a survey of 800 IT and security decision makers.
Among the findings:
- One in five organizations (19%) has been impacted by nation-state attackers targeting their physical PC, laptop, or printer supply chain.
- More than half of respondents (51%) are unable to determine whether their PC, laptop or printer hardware and firmware have been tampered with in the factory or during transport.
- Roughly a third (35%) believe that they or someone they know has been affected by a state-sponsored attack attempting to insert malicious hardware or firmware into a device.
- 63% believe the next major cross-border attack will involve compromising hardware supply chains to sneak malware into the system.
- 78% said there will be increased focus on software and hardware supply chain security as attackers seek to infect devices in factories or during transport.
- 77% reported needing a way to verify hardware integrity to mitigate device tampering during shipping.
“Organizations seem blind and unprepared,” Holland said. “They don’t have the visibility and capacity to detect when they’ve been manipulated.”
Denial of availability, device tampering
There are several ways that attackers can disrupt the hardware supply chain. The first is denial of availability, Holland explained. In this scenario, a threat actor could launch a ransomware campaign against a factory, preventing the devices from being assembled and delaying shipments, which could have a devastating ripple effect.
In other cases, threat actors target specific devices and infiltrate factory infrastructure to modify hardware components to weaken firmware configurations, for example, by disabling security features. Devices are also intercepted during transit, for example, at shipping ports and other intermediate locations.
“Many leaders are increasingly concerned about the risk of tampering with their devices,” Holland said. “That speaks to a blind spot. You order something from a factory, but you don’t know if it’s made as intended.”
Holland explained that firmware and hardware attacks are particularly difficult because they sit below the operating system, whereas most security tools sit inside the operating system (e.g., Windows).
“If an attacker can compromise firmware, it’s really hard to detect using standard security tools,” Holland said. “It’s really hard for IT security teams to detect low-level threats to hardware and firmware.”
Additionally, firmware infections are notoriously difficult to remove. In modern PCs, firmware is stored on a separate flash chip on the motherboard rather than on the drive, Holland explained. This means that injected malware lives in the memory of that separate chip, not on the disk.
So IT teams can’t simply reimage machines or replace hard drives to remove the infection, Holland noted. They have to manually intervene and re-flash the corrupted firmware with a known good copy, which is “a tedious task.”
“It’s hard to detect, hard to correct,” Holland said. “Visibility is poor.”
Still having password issues?
Password security is one of those things that we all have in mind these days, but when it comes to setting up hardware, it still seems like a mess.
“There’s really bad password hygiene around managing firmware configurations,” Holland said. “It’s one of the few areas of IT where it’s still very prevalent.”
Often organizations do not set a password to change settings, or they use weak passwords or reuse the same password across systems. As in any other context, if there is no password, anyone with access can change the settings. Weak passwords are easy to guess, and if the same password is used everywhere, “an attacker only needs to compromise one device to access the settings on all devices,” Holland noted.
Holland explained that passwords for firmware configuration have historically been difficult to manage, as administrators have to go into each device and write down all the passwords. One common solution is to store the passwords in an Excel spreadsheet. In other cases, administrators set the password to the device’s serial number.
Holland called hardware configuration management the “last front” for password hygiene, saying “password-based mechanisms to control access to firmware have not performed well.”
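The three failure modes Holland describes (no setup password, the serial number as the password, and one password shared across the fleet) can be checked mechanically against whatever inventory an organization keeps. The following Go program is an added example, not code from HP or from the article; the inventory rows, serial numbers and 12-character threshold are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// DeviceRecord is one row of a constructed, hypothetical firmware configuration
// inventory: the device serial and the BIOS/UEFI setup password recorded for it.
type DeviceRecord struct {
	Serial   string
	Password string
}

// Finding describes one hygiene problem on one device.
type Finding struct {
	Serial string
	Issue  string
}

// AuditFirmwarePasswords flags the weaknesses the article describes: no setup
// password, a password equal to the device serial, a password short enough to
// guess, and a password shared across several devices.
func AuditFirmwarePasswords(inv []DeviceRecord) []Finding {
	var findings []Finding
	// Count how many devices use each password so reuse can be reported.
	usage := map[string]int{}
	for _, d := range inv {
		if d.Password != "" {
			usage[d.Password]++
		}
	}
	for _, d := range inv {
		switch {
		case d.Password == "":
			findings = append(findings, Finding{d.Serial, "no setup password configured"})
			continue
		case strings.EqualFold(d.Password, d.Serial):
			findings = append(findings, Finding{d.Serial, "password equals device serial"})
		case len(d.Password) < 12: // threshold is an assumption for the example
			findings = append(findings, Finding{d.Serial, "password shorter than 12 characters"})
		}
		if n := usage[d.Password]; n > 1 {
			findings = append(findings, Finding{d.Serial, fmt.Sprintf("password shared with %d other device(s)", n-1)})
		}
	}
	return findings
}

// SampleInventory returns constructed rows covering each failure mode plus one clean device.
func SampleInventory() []DeviceRecord {
	return []DeviceRecord{
		{"5CG1234ABC", ""},                 // no password at all
		{"5CG1234ABD", "5cg1234abd"},       // serial number used as the password
		{"5CG1234ABE", "Corp2024!"},        // short and reused
		{"5CG1234ABF", "Corp2024!"},        // short and reused
		{"5CG1234ABG", "xK9#mP2$vL7@qR4w"}, // unique and long: no finding
	}
}

func main() {
	for _, f := range AuditFirmwarePasswords(SampleInventory()) {
		fmt.Printf("%s: %s\n", f.Serial, f.Issue)
	}
}
```

Running it lists six findings: one each for the first two devices and two (short plus shared) for each of the two devices that reuse "Corp2024!". The clean device produces none.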
Strong Supply Chain Security: Strong Organizational Security
Of course, there are steps organizations can take to protect their critical hardware. One tool in their arsenal, Holland explained, is a platform certificate, which is created on the device during assembly and allows users to verify upon delivery that it was built as intended and “verified for integrity.”
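To make the platform-certificate idea concrete: the factory records what it built and signs that record, and the receiving team verifies the signature and compares the record with what it measures on the delivered device. The Go program below is an added example, not HP's platform certificate format or code; the manifest fields, the Ed25519 signing, the serial numbers, component identifiers and firmware bytes are all constructed assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// PlatformManifest is a simplified, hypothetical stand-in for a platform
// certificate: what the factory recorded about the device at assembly.
type PlatformManifest struct {
	Serial         string
	Components     map[string]string // slot -> part identifier, e.g. "TPM" -> "tpm-2.0-vendorA"
	FirmwareSHA256 string            // hex digest of the firmware image flashed at the factory
}

// NewFactoryManifest is the assembly-line step: record the parts and hash the
// firmware image that was flashed.
func NewFactoryManifest(serial string, comps map[string]string, firmware []byte) PlatformManifest {
	sum := sha256.Sum256(firmware)
	return PlatformManifest{Serial: serial, Components: comps, FirmwareSHA256: hex.EncodeToString(sum[:])}
}

// canonical renders the manifest as deterministic bytes so the signature
// covers every field in a fixed order.
func (m PlatformManifest) canonical() []byte {
	keys := make([]string, 0, len(m.Components))
	for k := range m.Components {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	fmt.Fprintf(&b, "serial=%s\nfirmware=%s\n", m.Serial, m.FirmwareSHA256)
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s\n", k, m.Components[k])
	}
	return []byte(b.String())
}

// SignManifest is the manufacturer-side step: sign with the factory's private key.
func SignManifest(priv ed25519.PrivateKey, m PlatformManifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// Observed is what the receiving organization measures on the delivered device.
type Observed struct {
	Serial        string
	Components    map[string]string
	FirmwareImage []byte
}

// VerifyDelivery checks the signature first, then compares every recorded
// value with what is observed. Any mismatch is treated as a tamper signal.
func VerifyDelivery(pub ed25519.PublicKey, m PlatformManifest, sig []byte, obs Observed) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return errors.New("manifest signature invalid: not issued by the expected manufacturer key")
	}
	if obs.Serial != m.Serial {
		return fmt.Errorf("serial mismatch: manifest %s, device %s", m.Serial, obs.Serial)
	}
	sum := sha256.Sum256(obs.FirmwareImage)
	if hex.EncodeToString(sum[:]) != m.FirmwareSHA256 {
		return errors.New("firmware image differs from the factory-recorded hash")
	}
	for slot, want := range m.Components {
		if got, ok := obs.Components[slot]; !ok || got != want {
			return fmt.Errorf("component %s: manifest %q, device %q", slot, want, got)
		}
	}
	for slot := range obs.Components {
		if _, ok := m.Components[slot]; !ok {
			return fmt.Errorf("unexpected component present in slot %s", slot)
		}
	}
	return nil
}

func main() {
	// Constructed demo values; a real manufacturer key would be distributed out of band.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	firmware := []byte("constructed firmware image v1")
	m := NewFactoryManifest("5CG0000TEST", map[string]string{"TPM": "tpm-2.0-vendorA", "NIC": "nic-rev3"}, firmware)
	sig := SignManifest(priv, m)

	good := Observed{Serial: m.Serial, Components: m.Components, FirmwareImage: firmware}
	fmt.Println("clean device:", VerifyDelivery(pub, m, sig, good))

	tampered := good
	tampered.FirmwareImage = []byte("constructed firmware image v1 + implant")
	fmt.Println("reflashed device:", VerifyDelivery(pub, m, sig, tampered))
}
```

The signature is checked before any field comparison, so an attacker who re-flashes firmware in transit cannot simply rewrite the manifest to match: without the manufacturer's private key the edited manifest fails verification, and an unedited manifest no longer matches the device.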
Meanwhile, tools like HP Sure Admin use public key cryptography to enable access to firmware configurations. “That’s a huge advantage for organizations because it completely eliminates the need for passwords,” Holland said.
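The article does not describe how HP Sure Admin works internally, so the following Go program is an added example of the general pattern such tools rely on, not HP's implementation: the device stores only an administrator's public key, issues a random challenge, and accepts a settings change only when the challenge and the exact change are signed by the matching private key. The setting names, nonce size and Ed25519 choice are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// FirmwareSettings is a hypothetical device-side model: the enrolled
// administrator public key, the challenge currently outstanding, and two
// example settings. No secret is stored on the device.
type FirmwareSettings struct {
	AdminPub       ed25519.PublicKey
	pending        []byte
	SecureBoot     bool
	Virtualization bool
}

// NewChallenge issues a fresh random nonce that the administrator must sign.
func (d *FirmwareSettings) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	d.pending = nonce
	return nonce, nil
}

// authMessage binds the nonce to the exact change requested, so a signature
// obtained for one change cannot be reused to apply a different one.
func authMessage(nonce []byte, setting string, value bool) []byte {
	return []byte(fmt.Sprintf("%s|%s=%t", hex.EncodeToString(nonce), setting, value))
}

// AdminAuthorize runs on the administrator's workstation, the only place the
// private key exists.
func AdminAuthorize(priv ed25519.PrivateKey, nonce []byte, setting string, value bool) []byte {
	return ed25519.Sign(priv, authMessage(nonce, setting, value))
}

// ApplyChange verifies the signature against the enrolled key and the
// outstanding nonce, consumes the nonce so the signature cannot be replayed,
// and only then writes the setting.
func (d *FirmwareSettings) ApplyChange(setting string, value bool, sig []byte) error {
	if d.pending == nil {
		return errors.New("no outstanding challenge")
	}
	if setting != "SecureBoot" && setting != "Virtualization" {
		return fmt.Errorf("unknown setting %q", setting)
	}
	if !ed25519.Verify(d.AdminPub, authMessage(d.pending, setting, value), sig) {
		return errors.New("authorization rejected: signature does not match enrolled admin key")
	}
	d.pending = nil
	if setting == "SecureBoot" {
		d.SecureBoot = value
	} else {
		d.Virtualization = value
	}
	return nil
}

func main() {
	// Constructed demo keys; in practice the public key is enrolled at provisioning.
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &FirmwareSettings{AdminPub: adminPub, SecureBoot: true}

	nonce, _ := dev.NewChallenge()
	sig := AdminAuthorize(adminPriv, nonce, "Virtualization", true)
	fmt.Println("legitimate change:", dev.ApplyChange("Virtualization", true, sig))
	fmt.Println("replay of same signature:", dev.ApplyChange("Virtualization", true, sig))

	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	nonce, _ = dev.NewChallenge()
	forged := AdminAuthorize(strangerPriv, nonce, "SecureBoot", false)
	fmt.Println("unenrolled key:", dev.ApplyChange("SecureBoot", false, forged), "secure boot still on:", dev.SecureBoot)
}
```

Because the device holds only a public key, reading its firmware configuration yields nothing that unlocks any other device, which is exactly the fleet-wide exposure that a shared password creates.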
Likewise, the HP Tamper Lock relies on built-in sensors that activate when the chassis or other components are removed to prevent physical tampering. “The system goes into a secure locked state,” Holland explained. So hackers can’t boot into the operating system or figure out credentials.
Holland noted that physical attacks, where hackers essentially break into a computer, are not as widespread. But he described a scenario where VIPs or executives attending an event simply need to look away from their devices for a moment or two before an attacker can pounce.
Ultimately, “the security of an organization depends on strong supply chain security,” Holland emphasized. “You have to know what’s in your devices, how they were made, and that they haven’t been tampered with, so you can trust them.”