As cybercriminals commonly target software vulnerabilities, the assumption is easily made that cybersecurity threats come in the form of phishing, malware or ransomware. Consequently, corporate cybersecurity strategies can neglect the very foundation of the network, the hardware, leaving the door open to potential cyber-attacks.
The operating system, software and information security systems are all facilitated by the physical hardware technology they reside upon. And it is these physical components that are increasingly likely to form the basis of a cyber-attack, making hardware security, and the protection of the device itself, equally as important.
Whilst gaining access to our IT assets is harder than deploying malicious code through software-based attacks, cybercriminals have discovered advanced methods to exploit hardware vulnerabilities, infiltrating networks, both physically and remotely.
Physical threats to hardware were previously considered too complex and too expensive. However, their feasibility has increased with technological developments, such as machine learning through Artificial Intelligence and the Internet of Things (IoT). Side-stepping robust cybersecurity systems, the threat actors discovered new opportunities to track users, infiltrate networks and steal information – resulting in costly data security issues.
What makes our hardware vulnerable to a cyber-attack?
As coded software updates are regularly released to patch vulnerabilities, our hardware largely remains unchanged through its lifecycle. It would be cost-prohibitive to upgrade a component at the same level of frequency. This provides criminals with a strong incentive to attack common hardware security vulnerabilities.
Default usernames and passwords.
When setting up a new laptop, desktop device or network user, most IT professionals diligently create unique system passwords. Although all too often default credentials for IoT devices and routers continue to be used, posing a significant risk, particularly if these are not required after initial set-up.
The post-pandemic hybrid working norm leads to further concern with cybercriminals circumnavigating the office firewall via inherently insecure home networks. With a greater number of devices than ever connected to the corporate network, the lack of encryption when information is stored or transferred makes our systems vulnerable to attack.
At the core of our hardware is firmware – the ‘software for hardware’ that sends instructions at start-up and performs basic device tasks. Attacks by implanting malware into low-level firmware makes hardware cybersecurity for the core chips and processors essential; once installed, it’s difficult to locate and remove.
Remote installation of malicious code is made possible through Wi-Fi, Bluetooth networks or as above, any connected IoT device. Similarly, over-the-air software conveniently provides wireless security and operational updates to mobile devices – but it also provides threat actors with yet another piggybacking method to misuse.
In 2021, Microsoft reported that 83% of the 1,000 businesses surveyed experienced at least one firmware attack in the past two years.
Unsupported legacy devices.
Whilst it may still ‘do the job’, legacy hardware may still use outdated operating systems or software that is no longer supported by the manufacturers, providing an easy point of entry. Moreover, due to a higher value, some advanced technologies have longer refresh cycles, which can unknowingly increase risk.
Types of hardware security attack.
We know that devices consume the most power when processing information, so a side-channel attack ‘listens in’ to a machines power consumption, calculation time and electromagnetic fields, analysing the patterns for alterations in its usual use. Also known as an implementation or sidebar attack, this builds clues as to when the machine is running cryptography processes and, in doing so, tells the attackers of the optimum time to strike to uncover the vital encryption keys, which protect company data. Assisting the attackers, the recent advances in AI have provided a powerful hacking tool that deciphers this with far greater precision.
Electromagnetic fields are also used to gain access to a computer’s physical Dynamic RAM in a RowHammer fault attack. The memory cells are repeatedly accessed (hammered), this stimulates an electrical charge, changing zeros to ones and ones to zeros. Likened to hammering on a closed door until it opens, by modifying information, cybersecurity programs are avoided, leaving systems exposed and vulnerable.
Internet of Things.
We meticulously protect the core equipment in our organisation’s IT inventory, yet other interconnected smart IoT assets, which have little to no in-built security, remain a substantial risk. Whilst these are rarely the target of the attack itself, they do provide a plethora of easy access points for the cybercriminals – and what’s more, they may not even be inside the office’s four walls, but in remote employee’s homes.
Complex supply chains.
Demand for technology has grown exponentially. Many tech manufacturers no longer make these themselves but buy them from large-scale semiconductor chip factories. Supply chain attacks range from criminals selling counterfeit or compromised equipment directly to businesses or exploiting the security loopholes presented by this third-party supplier system. Allegedly, in 2018, Chinese agents breached several US tech firms by compromising their technology supply chain, installing covert microchips during production. ^
How can you prevent hardware cyber-attacks?
Change default credentials.
The increased attack surface that comes with the Internet of Things amplifies the importance of password security and the need to modify default settings. By educating your remote workforce, you will most likely find that with guidance many will willingly change their home routers. In addition, when not in use, IoT devices can be turned off, preventing easy access for criminals.
Although most of us know password best practices, we continue to use some of the most common keystrokes when asked to create any new account. Make your new credentials strong, unique and over 12 characters of varying types. Secure, encrypted Password Manager software, such as LastPass, can help to avoid the use of duplicates, also.
Replace or update outdated hardware.
According to a recent survey by Microsoft Security Signals, almost 90% of security decision-makers say outdated hardware leaves organisations more open to attack, compared to using modern hardware. *
When it comes to the importance of data governance, a lifecycle management ITAD partner can help you identify and respond to potential vulnerabilities by proactively auditing your IT inventory hardware; particularly worthwhile for assets that have a longer refresh cycle. Secure IT asset disposal services can also advise of any additional hardware security measures that might be included to ensure it can withstand any attack attempt.
Upgrades will also increase functionality and may mean the machine can support newer versions of your software. Furthermore, sustainable lifecycle management will extend lifetime value, increase ROI and prevent e-waste.
When your redundant IT equipment can no longer be upgraded securely, your ITAD supplier will ensure that those end-of-life IT assets are recycled responsibly – the residual value for the components are then be returned to your organisation.
Much like your hardware operating system, firmware updates will usually include patches to protect against vulnerabilities that have emerged since release. Additional operating instructions within the update will boost performance, functionality and consequently user experience; all extending the asset’s lifespan.
Know your suppliers.
It is important to exercise due diligence when using third-party supply chains for technology procurement to validate the components. As the circular IT model gathers pace, when acquiring refurbished devices through resale vendors, ensure that you receive a full ITAD chain of custody. An IT asset disposal accreditation certificate provides vital data protection evidence that remarketed devices have not only undergone the secure data erasure you’d expect, but have also been thoroughly inspected for traces of malicious code or malware.
An organisation’s cybersecurity protocol and its software are only as good as the hardware that those systems run on. Therefore, from their manufacture to their disposition, the physical protection of our IT infrastructure is vital to mitigate cybersecurity attacks due to hardware vulnerabilities.
Through advancing and highly sophisticated attack techniques, supported by the advent of machine-learning technologies, these lesser-known hardware attacks are increasingly likely.
Cybersecurity IT audits will highlight prevention methods, such as firmware updates, component upgrades or legacy device replacements for redundant IT assets. By regularly reviewing procurement supply chains and ensuring that all accessing the network follow password best practices, CISOs can reduce the security threat, build a more robust hardware foundation and strengthen their cybersecurity defences.
*Research by Microsoft Security Signals, September 2021, ^ EC-MSP.
In addition to our environmentally friendly ITAD services, tier1’s lifecycle management solutions help to build our client’s cybersecurity defences through IT inventory audits, system updates and component upgrades. Improving productivity, device longevity and boosting ROI, we help to mitigate potential hardware vulnerabilities that could lead to future data governance issues – providing confidence and peace of mind for busy CISOs.
When the time comes for legacy hardware to be responsibly recycled and replaced, our sustainable IT team will be happy to answer any questions you may have about professionally refurbished device procurement.
To find out more about our supportive lifecycle management solutions, device upgrades or our secure data wiping services – contact our friendly teams on 0161 777 1000 (Manchester), 01621 484380 (Maldon) or visit www.tier1.com
CNRS News, LinkedIn, BDC Video, ECM-SP, Tech Target, Cyber Talk, Lepide, Fortinet, INSOC, Tech Advisory, UL Solutions, Acer, Science Direct, Microsoft Security Signals, September 2021.