Chapter5
Hardware infection: firmware attacks, supply chain attacks, hardware Trojans
Hardware infection involves malicious manipulation of the physical components of a computer system, such as the motherboard, BIOS, storage devices and peripherals. This type of attack is highly sophisticated and it operates at a much deeper level than conventional malware. Its consequences can be serious for security and system integrity, as it can allow the attacker to maintain persistent access and perform malicious actions that are difficult to detect.
Examples of hardware attacks include:
Malicious firmware: Firmware is designed to provide instructions and control over the hardware of the device in which it is installed. It is often stored on non-volatile memory chips within the device, such as ROM, EEPROM or flash memory. This software is critical for the proper operation and performance of the device, as it controls its basic operation and provides the necessary interfaces for communication with other devices and systems. Figure 3 shows the malicious firmware distribution process.
Attackers can manipulate the firmware of hardware devices, such as the BIOS or the firmware of a network card, to introduce malicious code. This can allow them to maintain persistent access to the system, even after operating system reinstallations.
By directly attacking hardware components, a virus can achieve an extremely high level of persistence on a system. Even formatting or reinstalling the operating system will not eliminate the infection, as the virus resides at a deeper level, in the device's firmware, and it executes before the operating system is loaded.
+
Fig. 3. Malicious firmware distribution process
Fig. 3. Malicious firmware distribution process
However, Secure Boot and UEFI provide an additional layer of protection by verifying the digital signature of firmware components during the boot process. This helps to prevent the execution of unauthorized or modified firmware, making more difficult to viruses to infect these components. Although these security measures have reduced the effectiveness of attacks targeting the BIOS, UEFI (Unified Extensible Firmware Interface) and the boot sector, rootkits (malicious software) remain as the main form of infection that exploits these vulnerabilities.
An attacker can manipulate the firmware of hardware devices, such as the BIOS or the firmware of a network card, to introduce malicious code. This can allow the attacker to maintain persistent access to the system, even after operating system reinstallations.
Compromised USB devices: When connecting infected USB devices, there is the risk that they contain viruses that automatically install on the system. These viruses can perform malicious activities, such as stealing confidential information or compromising system security. Figure 4 shows the possible harms that a compromised USB device can cause.
+
Fig. 4. Types of harms that a compromised USB device can cause.
Fig. 4. Types of harms that a compromised USB device can cause.
Attacks on microcontrollers and microprocessors: These components can be vulnerable to physical attacks or reverse engineering, which aim to modify their behaviour to perform malicious actions.
Hardware tampering during manufacturing: Throughout the hardware supply chain, from component manufacturing, assembly, quality testing, to hardware packaging and distribution, there is a risk that devices can be compromised or maliciously tampered with during some stage of this process. This potential risk includes the possibility of modifying the hardware to introduce potential vulnerabilities.
To mitigate hardware attacks, it is essential to implement the following key preventive measures:
  1. Firmware maintenance: It is essential to keep the firmware of all devices and hardware components up to date to protect against known vulnerabilities. Implementing strong authentication mechanisms and adequate encryption techniques will strengthen data integrity and confidentiality, especially in devices that handle sensitive information.
  1. EDR solutions: It is essential to detect suspicious activities, investigate incidents, and respond to cyber threats targeting any device connected to the network, including computers, mobile devices, servers, and IoT devices.
  1. USB device authentication and physical access protection: It is crucial to use USB device authentication and to establish protective measures to restrict physical access to critical components. This helps to prevent unauthorized intrusions.
  1. Server physical security and monitoring: Implementing security measures to control physical access to servers and performing continuous monitoring to detect and prevent any unauthorized changes to the hardware is critical to ensure system integrity.
  1. Supply chain management: Working exclusively with reliable hardware suppliers and conducting good security practices is essential in supply chain management. This involves verifying the authenticity and integrity of hardware components and devices to avoid potential security commitments.
  1. Advanced security technologies: Using technologies such as Secure Boot and UEFI to protect the system boot process is crucial. These technologies ensure the authenticity and integrity of firmware and critical components during system startup, thus mitigating potential threats.
  1. Regular security audits: Performing regular security audits is critical to identify potential vulnerabilities in hardware devices and security infrastructures. This includes penetration testing, vulnerability analysis and system configuration reviews to ensure maximum protection against potential attacks.