
HP Wolf: Not just software attacks; hackers are coming for enterprise hardware, too




Today’s enterprises are software-focused and software-driven, meaning that much of the emphasis of cybersecurity is on software, too.

But the hardware on which that software runs can be just as enticing to attackers. In fact, threat actors are increasingly targeting physical supply chains and tampering with device hardware and firmware integrity, drawing alarm from enterprise leaders, according to a new report from HP Wolf Security.

Notably, one in five businesses have been impacted by attacks on hardware supply chains, and an alarming 91% of IT and security decision makers believe that nation-state threat actors will target physical PCs, laptops, printers and other devices.

“If an attacker compromises a device at the firmware or hardware layer, they’ll gain unparalleled visibility and control over everything that happens on that machine,” said Alex Holland, principal threat researcher at HP Security Lab. “Just imagine what that could look like if it happens to the CEO’s laptop.”

‘Blind and unequipped’

HP Wolf released the preliminary details of its ongoing research into physical platform security — based on a survey of 800 IT and security decision-makers — ahead of leading cybersecurity conference Black Hat this week.

Among the findings:

  • Nearly one in five (19%) organizations have been impacted by nation-state actors targeting physical PC, laptop or printer supply chains.
  • More than half (51%) of respondents aren’t able to verify whether or not PCs, laptops or printer hardware and firmware have been tampered with while in the factory or in transit.
  • Roughly one-third (35%) believe that they or others they know have been impacted by nation-state actors attempting to insert malicious hardware or firmware into devices.
  • 63% think the next major nation-state attack will involve poisoning hardware supply chains to sneak in malware.
  • 78% say the attention on software and hardware supply chain security will grow as attackers try to infect devices in the factory or in transit.
  • 77% report that they need a way to verify hardware integrity to mitigate device tampering during delivery.

“Organizations feel blind and unequipped,” said Holland. “They don’t have the visibility and capability to be able to detect whether they’ve been tampered with.”

Denial of availability, device tampering

There are many ways attackers can disrupt the hardware supply chain — the first being denial of availability, Holland explained. In this scenario, threat actors will launch ransomware campaigns against a factory to prevent devices from being assembled and delay delivery, which can have damaging ripple effects.

In other instances, threat actors will infiltrate factory infrastructure to target specific devices and modify hardware components, thus weakening firmware configurations. For instance, they may turn off security features. Devices are also intercepted while in transit, say at shipping ports and other intermediary locations.

“A lot of leaders are increasingly concerned about the risk of device tampering,” said Holland. “This speaks to this blind spot: You’ve ordered something from the factory but can’t tell whether it was built as intended.”

Firmware and hardware attacks are particularly challenging because they sit below the operating system — whereas most security tools sit within operating systems (such as Windows), Holland explained.

“If an attacker is able to compromise firmware, it’s really difficult to detect using standard security tools,” said Holland. “It poses a real challenge for IT security teams to be able to detect low-level threats against hardware and firmware.”

Further, firmware vulnerabilities are notoriously difficult to fix. With modern PCs, for instance, firmware is stored on a separate flash storage on a motherboard, not on the drive, Holland explained. This means that inserted malware rests in firmware memory in a separate chip.

So, IT teams can’t simply re-image a machine or replace a hard drive to remove infection, Holland noted. They have to manually intervene, reflashing the compromised firmware with a known good copy, which is “cumbersome to do.”

“It’s difficult to detect, difficult to remediate,” said Holland. “Visibility is poor.”

Still with the password problem?

Password hygiene is one of those things hammered into all of our heads these days — but apparently it’s still messy when it comes to setting up hardware.

“There’s really bad password hygiene around managing firmware configurations,” said Holland. “It’s one of the few areas of IT where it’s still widespread.”

Often, organizations don’t set a password to change settings, or they use weak passwords or the same passwords across different systems. As with any other scenario, no password means anyone can get in and tamper; weak passwords can be easily guessed, and with identical passwords, “an attacker only needs to compromise one device and can access the settings of all devices,” Holland pointed out.

Passwords in firmware configuration are historically difficult to manage, Holland explained, because admins have to go into every device and record all passwords. One common workaround is to store passwords in Excel spreadsheets; in other instances, admins will set the password as the serial number of the device.

“Password-based mechanisms controlling access to firmware are not well done,” said Holland, calling hardware config management the “last frontier” of password hygiene.

Strong supply chain security: Strong organization security

There are measures organizations can take, of course, to protect their important hardware. One tool in the arsenal is a platform certificate, Holland explained. This is generated on a device during assembly, and upon delivery, allows users to verify that it has been built as intended and that “its integrity is in check.”

Meanwhile, tools such as HP Sure Admin use public key cryptography to enable access to firmware configurations. “It removes the need for passwords entirely, which is a big win for organizations,” said Holland.

Similarly, HP Tamper Lock helps prevent physical tampering, relying on built-in sensors that are tripped when a chassis or other component is removed. “The system goes into a secure lockdown state,” Holland explained, so hackers aren’t able to boot into the operating system or sniff out credentials.

Such physical attacks — when hackers essentially break into a computer — aren’t all that widespread, Holland pointed out. However, he outlined the scenario of a VIP or exec onsite at an event — all it takes is them turning away from their device for a moment or two for an attacker to pounce.

Ultimately, “organizational security depends on strong supply chain security,” Holland emphasized. “You need to know what’s in devices and how they’ve been built, that they haven’t been tampered with so you can trust them.”

source: https://venturebeat.com/security/hp-wolf-not-just-software-attacks-hackers-are-coming-for-enterprise-hardware-too/
