What is hardware security?
Hardware security is vulnerability protection that comes in the form of a physical device rather than software that's installed on the hardware of a computer system.
Hardware security can pertain to a device used to scan a system or monitor network traffic. Common examples include hardware firewalls and proxy servers. Less common examples include hardware security modules that provision cryptographic keys for critical functions such as encryption, decryption and authentication for various systems. Hardware systems can provide stronger security than software and can also include an additional layer of security for mission-critical systems.
The term hardware security also refers to the protection of physical systems from harm. Equipment destruction attacks, for example, focus on computing devices and networked noncomputing devices, such as those found in machine-to-machine or internet of things (IoT) environments. These environments provide connectivity and communications to large numbers of hardware devices that must be protected through either hardware- or software-based security.
How to assess the security of a hardware device
Hardware security is just as important as software security. To assess the security of a hardware device, it's necessary to consider vulnerabilities existing from its manufacture as well as other potential sources, such as running code and the device's data input/output, or I/O, on a network. Although any device should be protected if it connects even indirectly to the internet, the stringency of that protection should match the need. For example, a system controlling the color and intensity of lights in Wi-Fi LED for a dwelling might not require much security.
In the case of more significant hardware and more critical functions, the added reliability and lower number of vulnerabilities associated with hardware-based security might make it advisable. Critical infrastructure includes systems, networks and assets whose continuous function is deemed necessary to ensure the security of a given nation, its economy, and the public's health and safety. Critical infrastructure security is a growing area of concern around the world.
Types of hardware attacks
Gaining access to physical devices isn't as easy as conducting software-based attacks -- such as malware, phishing or hacking attacks -- but over time, cybercriminals have found ways to target hardware. While the use of a default password across multiple devices, outdated firmware and a lack of encryption are the biggest threats to hardware security, other tailored attacks are equally as dangerous.
The following are common types of hardware attacks and what they entail:
- Side-channel attack. This attack is notorious for stealing information indirectly, or via side channels. By taking advantage of patterns of information, these attacks analyze the electric emissions from a computer's monitor or hard drive to check for discrepancies in normal emissions. These discrepancies can include the type of information displayed on the monitor or the varying amounts of power that different hardware components use to carry out processes. Typically, the attack will try to exfiltrate sensitive information, such as cryptographic keys, by measuring coincidental hardware emissions. A side-channel attack is also known as a sidebar or an implementation attack.
- Rowhammer attack. This cyber attack exploits a bug inside dynamic RAM (DRAM) modules manufactured in 2010 and later. Repeated accessing or hammering of the memory cells inside the DRAM releases an electrical charge that flips the neighboring bits from zeros to ones and vice versa. This enables untrusted applications to gain full system security privileges and even bypass security sandboxes that are used to mitigate malicious code from entering and infecting the operating system resources.
- Timing attack. This side-channel cybersecurity attack targets cryptosystems. Cybercriminals attempt to compromise a cryptosystem by analyzing the time it takes to respond to different inputs and execute cryptographic functions and algorithms.
- Evil maid attack. The term evil maid was coined by computer researcher Joanna Rutkowska in 2009 to signify the concept of a malicious maid trying to get her hands on electronic devices left behind in a hotel room. This attack entails physical access to unattended hardware devices, which the criminals can alter in a stealthy way to gain access to the victim's sensitive data. For example, a criminal might insert a USB device installed with device modification software into a powered-down computer or install a keylogger to record every keystroke the victim types.
- Modification attack. Cybercriminals invade the normal operations of a hardware device by overriding the restrictions on that device to carry out a man-in-the-middle attack. By either injecting the hardware component with malicious software or exploiting existing vulnerabilities, criminals are able to receive and modify the data packets before sending them to the intended recipients.
- Eavesdropping attack. This subtle data interception attack occurs when sensitive information, such as credit card details and passwords, is transferred from one device to another. Eavesdropping attacks can be successful as no alerts are generated during transactions over unsecured networks. There are many types of eavesdropping attacks; one common type includes a card skimmer inserted into an automated teller machine or a point-of-sale terminal where the attacker accesses the device occasionally to get a copy of its information.
- Triggering fault attack. This attack is normally carried out by attackers who induce faults in the hardware to modify the normal behavior of the device. The main premise behind this attack is to target system-level security.
- Counterfeit hardware attack. This is a type of supply chain attack where unauthorized or fake devices are sold to organizations, creating opportunities for cybercriminals to infiltrate these devices through the backdoor. For example, Cisco issued a field notice advising customers to upgrade the software on its Catalyst 2960-X and 2960-XR switches to make sure the devices aren't counterfeit.
Hardware security best practices
Any type of hardware -- from outdated computers to modern IoT devices -- can pose grave concerns if organizations don't follow security best practices.
The following are some mitigation techniques and countermeasures to keep in mind when setting up and installing hardware:
- Investigate vendors and suppliers. The risk to hardware security starts from its inception. The production of faulty hardware components can expose vulnerable devices to outside threats. To minimize the risk of counterfeit devices, it's important to thoroughly investigate hardware suppliers before selecting them. This can include checking out the vendor's suppliers and examining the parties responsible for the manufacturing and integration of individual parts. Carrying out detailed inspections regarding the types of security measures being practiced by vendors during all stages of hardware development is also crucial.
- Encrypt all devices. It's important to encrypt all hardware devices, including external flash storage and DRAM interfaces. Hardware encryption is especially important for portable devices -- laptops or USB flash drives -- when protecting sensitive data stored on them. Most modern processors come with built-in components to facilitate hardware encryption and decryption with little overhead on the central processing unit, but it's always best to verify. Since encryption offers multiple layers of security, even if attackers get their hands on encrypted hardware, such as a hard drive, they won't be able to gain access to it without having the credentials.
- Minimize the attack surface. Safe and proper decommissioning of unused hardware can help prevent unwanted hardware attacks. All decommissioned hardware and components, such as debug ports, should be disabled and disposed of properly. This can include disabling any universal asynchronous receiver/transmitters not used in the final hardware design process, unused Ethernet ports, programming and debugging interfaces such as JTAG ports, and unused wireless interfaces; JTAG is an industry standard that was developed by Joint Test Action Group engineers to verify designs and test printed circuit boards after they are manufactured. For those components that can't be removed, companies should consider enforcing restrictions based on media access control, or MAC, address or other challenges to mitigate attacks.
- Enforce strong physical security. Companies should enforce strong access control policies in areas where hardware and physical equipment are housed. Hardware devices and peripherals shouldn't be left unattended in open areas, and employees should take measures to secure their devices. To physically secure movable hardware components, such as laptops, security cables with combination locks can be used, as these cables attach the device to an immovable object. Computers can also be secured through their security cable slots, which enable the attachment of a commercially available anti-theft device. Anti-tamper housing designs that make the device difficult to open without any damage should also be considered.
- Use electronic security. A comprehensive hardware security plan is incomplete without proper electronic security in place. This can include using a secure area for storing the master key to avoid tampering and key extraction. Connected devices should also be protected using authenticator devices that only authorize mutual authentication based on strong cryptography to reduce the risk of counterfeit hardware. Companies should also consider using tamper and trigger switches and environmental monitoring for hardware that's prone to tampering. For example, a master key uploaded to a battery-powered static RAM unit will be wiped if a tamper switch is triggered. Trigger switches can also detect light inside dark units. This helps lock up the device whenever an attempt is made to open it.
- Provide real-time monitoring. Security teams should consider setting up real-time monitoring for hardware and operating systems. This can be conducted using cloud-based real-time monitoring tools that notify the security teams in response to an event almost immediately, thus minimizing the incident response time. Integrated platforms and IoT automation can also help provide an extensive overview of where a company stands in terms of hardware security.
- Update firmware and upgrade old hardware. Hardware devices should be upgraded to the latest firmware so that they can receive the newest security patches. Companies should also invest in new hardware, as older hardware doesn't always have the ability to run modern software optimally and can run into compatibility issues, leaving a door open for security intrusions.
- Audit regularly. Regular hardware inspections can monitor any new changes across the network and spot operational risks. Companies should conduct regular vulnerability assessments and system monitoring. For example, if a company observes a suspicious module, it should conduct an electrical analysis of the inputs and outputs after consulting with the manufacturer and in-house security experts.
IoT hardware security should be taken just as seriously as other threats in the network. Learn about various security measures to bolster IoT hardware.