Why Hidden Hardware Vulnerabilities Are Your Next Big Security Problem

Given enough time and motivation, hackers can — and do — keep finding new and more creative ways to access data or usurp control over devices and networks to commit next-level-type cybercrime.

Whether it’s an elaborate phishing scam designed to con people out of log-in and password information to bank accounts or customer data rolls or a piece of malware or ransomware that summarily shuts down the computer or destroys the data within, there’s no end to threats impacting everyone who uses a phone, computer or peripheral device.

The bad guys have yet again raised their game, focusing on a what Gartner calls an entirely new class of vulnerabilities – attacks targeting an underlying and “highly exploitable design implementation” inside the majority of computer chips manufactured over the past couple decades.

Whether we’re talking about laptops or printers or routers, these threats strike at the literal heart of any organization’s (or individual’s) IT network. Directly targeting and extracting all kinds of data from the firmware embedded in the hardware of these devices is particularly insidious because the exploitation can go on for years virtually undetected and, frankly, most users’ attention and vigilance is focused on cloud, network or application-specific threats.

The rise of IoT devices, connecting everything from washing machines and refrigerators to sensors on freeways or smart devices to monitor our health, makes these newly identified threats even more terrifying.

Last month, Ars Technica detailed a disturbing case involving more than 20,000 Linksys wireless routers that were “leaking” all kinds of data including the devices’ unique identifiers, names and the operating systems they use.

According to independent researchers familiar with this vulnerability, this exploit makes it possible for hackers – or maybe someone or some organization interested in spying – to gather these disparate pieces of information to track the movements of people they want to track or infect the devices with especially virulent strains of malware.

Worse, this router vulnerability also made it possible for the bad guys to discern when and how default administrative passwords were changed. All of this can be done remotely because, security experts said, the routers must be remote-access enabled in order to function with the accompanying Linksys app.

Subsequent scans found that these routers remained vulnerable to intrusion and surveillance even when the firewall was activated and they still leak all kinds of information even after installing a firmware patch Linksys issued in 2014.

“Not all processors and software are vulnerable to (these variants) in the same way, and the risk will vary based on the system’s exposure to running unknown and untrusted code,” said Neil MacDonald, a vice president and distinguished analyst at Gartner. “The risk is real, but with a clear and pragmatic risk-based remediation plan, security and risk management leaders can provide business leaders with confidence that the marginal risk to the enterprise is manageable and is being addressed.”

A lot of this “remediation” comes down to implementing and exhaustively following best security practices throughout the organization. Turning on firewalls, monitoring and auditing logs, encryption, using secure passwords, etc.

But in many cases, it falls on the chip manufacturer to write airtight firmware code that can stand up to the creativity and prowess of the modern hacker. Firmware – the software that’s permanently etched into the hardware device and programmed to give instructions to communicate with other devices – is repeatedly popping up lately as a weak link in the IT security ecosystem.

Cisco Systems is in the middle of what will be a months-long series of firmware updates to patch vulnerabilities in its Secure Boot implementation found in its routers and switches. In this case, there’s a flaw in the logic that handles access control to one of the hardware components that could allow a hacker to write a modified firmware image to the component.

While device and chipmakers obviously need to religiously update their firmware, it’s incumbent on IT administrators, security vendors and, yes, end users to consistently monitor the security-threat landscape and apply these patches and updates as they’re pushed out.

According to Solid State Systems LLC, a New York-based IT security and optimization consultancy, along with updating firmware, companies should also beware of untrusted USBs. Malware can be quickly and effectively embedded into the firmware of most USB drives and transferred onto the computer or device. Some companies are flatly banning USBs altogether.

It also recommends buying hardware with built-in firmware security installed such as Dell’s BIOS verification method which compares the BIOS image against the official hash generated and stored on the server.

These are the types of conversations IT security administrators need to have with all stakeholders throughout the organization. Relying solely on the manufacturers to keep your data and your company safe may not be the best strategy.

After the vulnerabilities were brought to its attention, Linksys put out a security advisory saying, essentially, there’s nothing to see here:

“We quickly tested the router models flagged … using the latest publicly available firmware (with default settings) and have not been able to reproduce (the threat),” it said. “Meaning that it is not possible for a remote hacker to retrieve sensitive information via this technique.”

Maybe that’s the case. Maybe not. Maybe just not yet.

is president and senior analyst for BPO Media, which publishes The Imaging Channel and Workflow magazines. As a market analyst and industry consultant, Ames has worked for prominent consulting firms including KPMG and has more than 15 years experience in the imaging industry covering technology and business sectors. Ames has lived and worked in the United States, Southeast Asia and Europe and enjoys being a part of a global industry and community.