HP Wolf: Not just software attacks; hackers also come for corporate hardware



Today’s enterprises are software-centric and software-driven, which means that much of the emphasis in cybersecurity is also on software.

But the hardware that runs that software can be just as attractive to attackers. In fact, threat actors are increasingly targeting physical supply chains and tampering with the hardware and firmware integrity of devices, causing alarm among business leaders, according to a new report from HP Wolf Security.

One in five companies has been hit by attacks on hardware supply chains, and an alarming 91% of IT and security decision makers believe nation-state threat actors will target physical PCs, laptops, printers and other devices.

“If an attacker compromises a device at the firmware or hardware layer, they gain unprecedented visibility and control over everything that happens on that machine,” said Alex Holland, principal threat researcher at HP Security Lab. “Imagine what that could look like if it happened with the CEO’s laptop.”

‘Blind and unequipped’

HP Wolf has released preliminary details of its ongoing physical platform security research – based on a survey of 800 IT and security decision makers – ahead of the leading cybersecurity conference Black Hat this week.

Among the findings:

  • Nearly one in five (19%) organizations have encountered nation-state actors targeting the supply chains of physical PCs, laptops or printers.
  • More than half (51%) of respondents cannot verify whether PC, laptop or printer hardware and firmware have been tampered with at the factory or in transit.
  • About a third (35%) believe that they or others they know have been affected by nation-state actors attempting to insert malicious hardware or firmware into devices.
  • 63% believe the next major nation-state attack will involve poisoning hardware supply chains to sneak in malware.
  • 78% say the focus on software and hardware supply chain security will increase as attackers seek to infect devices in the factory or in transit.
  • 77% say they need a way to verify hardware integrity to prevent device tampering during delivery.

“Organizations feel blind and unequipped,” says Holland. “They don’t have the visibility and ability to detect if they have been tampered with.”

Denial of availability, device tampering

There are many ways that attackers can disrupt the hardware supply chain. The first is to deny availability, Holland explains. In this scenario, threat actors launch ransomware campaigns against a factory to prevent devices from being assembled and delay delivery, which can have damaging ripple effects.

In other cases, threat actors will infiltrate factory infrastructure to target specific devices and modify hardware components, weakening firmware configurations. For example, they can disable security features. Devices are also intercepted while in transit, for example at shipping ports and other intermediate locations.

“Many leaders are increasingly concerned about the risk of device tampering,” Holland said. “This speaks to this blind spot: you ordered something from the factory, but you don’t know if it was built as intended.”

Firmware and hardware attacks are particularly challenging because they operate below the operating system, while most security tools run inside the operating system (Windows, for example), Holland explains.

“If an attacker can compromise the firmware, it would be very difficult to detect with standard security tools,” Holland said. “Being able to detect low-level threats against hardware and firmware poses a real challenge for IT security teams.”

Additionally, firmware compromises are notoriously difficult to remediate. In modern PCs, for example, firmware is stored on separate flash storage on the motherboard rather than on the drive, Holland explains. This means that inserted malware persists in firmware memory on a separate chip.

So IT teams cannot simply reimage a machine or replace a hard drive to remove the infection, Holland noted. They have to intervene manually and re-flash the compromised firmware with a known-good copy, which is ‘cumbersome to do’.

“It’s hard to detect, hard to fix,” Holland said. “Visibility is poor.”

Still having the password problem?

Password hygiene is one of those things that gets hammered into our heads these days, but apparently it’s still a mess when it comes to setting up hardware.

“There is very poor password hygiene around managing firmware configurations,” says Holland. “It is one of the few IT areas where it is still widespread.”

Often organizations do not set a password to change settings, or they use weak passwords or the same password across different systems. As in any other context, the lack of a password means anyone can come in and tamper; weak passwords can be easily guessed, and with identical passwords “an attacker only needs to compromise one device and can access the settings of all devices,” Holland said.

Passwords in firmware configuration have historically been difficult to manage, Holland explains, because administrators must go into each device and record all passwords. A common solution is to store passwords in Excel spreadsheets; in other cases, administrators will set the password as the device’s serial number.

“Password-based mechanisms that control access to firmware are not properly implemented,” says Holland, who calls managing hardware configurations the “last frontier” of password hygiene.

Strong supply chain security: Strong organizational security

There are of course measures that organizations can take to protect their important hardware. One tool in the arsenal is a platform certificate, Holland explains. This is generated during assembly on a device and allows users to verify upon delivery that it has been built as intended and that “its integrity is under control.”

Meanwhile, tools such as HP Sure Admin use public key cryptography to enable access to firmware configurations. “It completely eliminates the need for passwords, which is a big win for organizations,” Holland said.

Similarly, HP Tamper Lock helps prevent physical tampering; it relies on built-in sensors that trigger when the chassis or another component is removed. “The system goes into a secure lockdown state,” Holland explains, so attackers cannot boot the operating system or capture login credentials.

Such physical attacks – where hackers actually break into a computer – are not that widespread, Holland points out. However, he outlined the scenario of a VIP or executive on-site at an event: All it takes is for them to turn away from their device for a moment before an attacker strikes.

Ultimately, “the security of the organization depends on strong supply chain security,” Holland emphasized. “You need to know what’s inside devices and how they’re built so they haven’t been tampered with so you can trust them.”