As Spectre and Meltdown demonstrated earlier this year, hardware is no less vulnerable to attack than any other system because hardware is an often overlooked piece of the security puzzle.
Security and business professionals can habitually fail to see the importance of the hardware which software runs on. Your organization could develop a perfectly secure piece of software, but if the hardware on which it is run is not secure, all of your work is pointless.
To make matters worse, fixing hardware vulnerabilities is a complex and difficult undertaking as there are numerous moving pieces and a variety of threat actors waiting to pounce. The hardware design, manufacturing, and supply chain is easily attacked by malicious actors, nation states, competitors, and organized crime.
It is time that everyone realizes hardware security is a critical problem that must be addressed as hardware is what makes the world run: without routers, switches, servers, CPU, RAM, IoT devices, industrial control systems, security cameras and other devices, software technology would be useless.
Critical infrastructure depends on hardware, and compromises have the potential to impact millions. Businesses place the future of their products upon their hardware designs, and with hardware being such an essential component to the security puzzle, it should be secure, but the opposite is much more common.
Cyber-criminals are motivated to target hardware because of the potential to: obtain proprietary information, steal or divert the intended service, bypass access controls, or set up backdoors for future use. Intellectual property and designs are stolen on a daily basis.
Last year alone, China stole enough intellectual property from the US to causes losses estimated between $225 billion and $600 billion annually. On the other hand, products and services can be backdoored for later use by malicious groups or exploits sold to the highest bidder.
We have seen hardware hacking as far back as WWII with the Bombe, while DES was cracked by the Electronic Frontier Foundation in 1998 with the $250,000 Deep Crack machine. Then, there was the Rowhammer attack on DRAM. Today, we face Spectre, Meltdown, and millions of insecure IoT devices.
Hardware security is a complex issue, and to some, a risk they are willing to accept. This may be due to the reason that hardware comes with a plethora of attacks to consider: infection through semi-conductor doping, side channel attacks, poor design, backdoors, and trojans. All of these innate dangers with current hardware security make it seem like a nightmare, however, solutions are available.
To attain better hardware security as an industry, we must consider the design, production, transportation, and distribution of hardware.
Hardware is usually designed in-house or by another trusted entity. An organization must design with security in mind and for their design to fail, in order to provide the best chance of lasting security in the future.
Also, hardware must be designed so that it is extremely difficult to alter the design or install a trojan in the first place. Engineers and designers need to come to work with the mentality that “an ounce of prevention is worth a pound of cure.”
Production is the next stage for a piece of hardware in its lifecycle. Hardware is usually produced overseas, and an organization should be careful in trusting the source of their hardware production and the transportation.
Hardware should be tested for digital, analog, and hybrid trojans, using a variety of tests such as evaluating CPU outputs and comparing against a known good piece of hardware. Trojans have the potential to monitor, modify, disable, or control the communication between and the operation of hardware.
Finally, security professionals must prepare for the worst; a vulnerability being discovered post-deployment. Recent vulnerabilities have demonstrated the devastation that can lay in insecure hardware’s path. Proper design must prepare for this occurrence, and as an industry we must not place as much trust into hardware as we have in the past.
Once again, prevention is key. In the event that your hardware is compromised, it is crucial to have a plan. I call it a Hardware Security Continuity Plan (HSCP). It is merely a continuity plan similar to a disaster recovery plan or incident response plan. Including a HSCP in your organization’s business continuity planning, if it applies, is a must.
Overall, organizations and leadership must contribute to the hardware security solution by providing the needed funding for proper design and post-production testing. As with many problems, the best solution will only arise if everyone is working towards the common goal.
Improved hardware security is not something that will happen overnight, but with the correct oversight, it is certainly attainable. No part of the hardware chain can be left unattended; proper design and integrity are the keys to secure hardware.