Hardware supply-chain threats can undermine endpoint infrastructure
September 19, 2024
Operational resilience is becoming a watchword of IT and business leaders, and for good reason. Global IT infrastructure is now highly interconnected and interdependent and must be resilient to all manner of threats. But one of the most overlooked cybersecurity risks — and a blind spot highlighted in a recent HP Wolf Security survey — is the challenge of mitigating hardware and firmware threats. Hardware supply chain security does not end with devices being delivered. It extends through the entire lifetime of devices being used in the infrastructure and even beyond, when repurposed from one owner to the next.
Disruptions to the hardware supply chain can take many forms: from physical supply chain disruptions by ransomware groups to tampering with hardware or firmware to deploy stealthy and persistent malicious implants at any stage of the device’s lifetime. These attacks undermine the hardware and firmware foundations of devices upon which all software runs, making it critical that organizations are equipped with endpoints designed from the ground up to be resilient to such threats.
Governments have started to act to strengthen supply chain security. In 2021, US Executive Order 14028 accelerated the development of software supply chain security requirements for government procurement, with firmware explicitly in scope. The European Union (EU) is introducing new cybersecurity requirements at every stage of the supply chain, starting with software and services, with the Network and Information Systems (NIS2) directive, and extending to devices themselves with the Cyber Resilience Act to ensure safer hardware and software. Many other countries are active in this space, such as the UK with its new Internet of Things (IoT) cybersecurity regulations, and the Cyber Security and Resilience Bill to “expand the remit of regulation to protect more digital services and supply chains.”
Meanwhile, organizations are grappling with hardware and firmware threats. Thirty-five percent of organizations say that they or others they know have been affected by state-sponsored actors trying to insert malicious hardware or firmware into PCs or printers. Amid this regulatory backdrop and growing concerns over supply chain attacks, organizations must consider a new approach to physical device security.
The Impact of Attacks on Hardware and Firmware Integrity
The consequences of failing to protect endpoint hardware and firmware integrity are severe. Attackers who successfully compromise devices at the firmware or hardware layer can gain unparalleled visibility and control. The attack surface exposed by lower layers of the technology stack has been a target for some time for skilled and well-resourced threat actors, like nation-states, because it enables a stealthy foothold below the operating system. These offensive capabilities can quickly find their way into the hands of other bad actors. Compromises at the hardware or firmware level are persistent, providing attackers with a high level of control over everything on the system. They're hard to detect and remediate with current security tools, which typically focus on the OS and software layers.
Given the stealthy nature and sophistication of firmware threats, real-world examples are not as frequent as those of malware targeting the OS. LoJax, in 2018, targeted PC UEFI firmware to survive OS reinstalls and hard drive replacements on most devices, which didn't have state-of-the-art protection. More recently, the BlackLotus UEFI bootkit was designed to bypass boot security mechanisms and give attackers full control over the OS boot process. Other UEFI malware, such as CosmicStrand, can launch before the OS and security defenses, allowing attackers to maintain persistence and facilitate command-and-control over the infected computer.
Organizations are also concerned about attempts to tamper with devices in transit, with many reporting being blind and unequipped to detect and stop such threats. Seventy-seven percent of organizations say they need a way to verify hardware integrity to mitigate the threat of device tampering.
To read the complete article, visit Dark Reading.