Enterprise-wide IoT deployments are leading to a surge in hardware security threats, with hackers attacking vulnerabilities in physical device hardware, firmware and the Unified Extensible Firmware Interface/BIOS software that interfaces with the hardware.
As enterprises begin to install the various autonomous sensors, controllers and monitors found in smart building, IoT and industrial IoT (IIoT) projects, they must understand the biggest threats to hardware security.
Organizations' quest to automate manual tasks has led to a flurry of hardware security incidents. Today, everything from surveillance cameras and HVAC systems to physical door controller platforms is becoming IP-connected. As a result, some businesses try to cut costs by purchasing and installing low-cost IoT and smart building hardware. Yet, the hardware of these devices is often compromised -- threatening the overall security of the entire corporate network.
Common hardware security threats
IoT devices are especially risky because they run independently. Pinpointing the time an attack occurred on an IoT component is more challenging than it is to make the same determination for servers, desktops/laptops or smart devices. That doesn't mean there aren't hardware security threats for these devices as well. Common hardware security flaws include the following:
Default passwords. This is primarily an issue for low-cost IoT devices and hardware that use out-of-the-box, default passwords. These passwords are then commonly added to business networks with little thought put into the potential risk of doing so.
Unprotected local access. In many cases IoT, IIoT and smart building hardware can be accessed locally though a managed Ethernet or serial interface. If these connections aren't locked down -- from both a configuration and physical sense -- a bad actor may be able to compromise a company's infrastructure by tampering with these devices while visiting the office, warehouse or manufacturing plant.
Outdated device firmware/BIOS/Unified Extensible Firmware Interface. Companies that build and sell smart HVAC systems, manufacturing plant robotics and other IP-connected IoT/IIoT components aren't necessarily IT security experts. Firmware is often riddled with bugs and security flaws. This vulnerability is compounded by sloppy patch management, as many IT departments don't regularly update firmware on these devices when security patches are released.
Purpose-built/custom chipsets. Custom chipsets continue to anchor a great deal of the hardware within corporate data centers or in high-end desktops. Because these purpose-built chips are tailored for niche purposes, manufacturer security reviews are not nearly as intense as those conducted for chips that are to be installed in much larger groups of devices. Over time, hackers find vulnerabilities in these chips, causing the manufacturer to scramble to find a patch.
Lack of encryption. Encryption, either at rest or in motion, is often lacking in operational technology devices that are rapidly becoming IP-connected. Unencrypted data can either be collected via the network or from stolen devices that contain unencrypted data saved directly to them.
Real-world hardware vulnerabilities
The news is peppered with details about hardware security threats and vulnerabilities. Early in 2020, security researchers warned of a security flaw found within certain Intel processors that allowed hackers to install malware at the hardware level, thus rendering OS-based malware protection ineffective.
More recently, Nvidia released a patch to plug a vulnerability that could have allowed hackers to remotely take control of the company's high-end line of DGX servers. These types of servers are common in enterprises performing advanced AI and machine learning, putting sensitive data at risk.
One final example -- and a potential threat in the boardroom -- is a hardware vulnerability that was recently identified in Comcast's intelligent, XR11 voice-controlled remote control. If a user updated the remote with a compromised version of firmware, it could effectively be turned into a listening device. Fortunately, security researchers found the flaw and notified Comcast, which promptly developed and automatically pushed a security patch.
Hardware security strategy
Hardware security issues are different from software-centric security flaws. For one, hardware issues usually affect niche products that IT security staff aren't overly familiar with. To help protect your organization, first inventory the entire network to identify the various hardware devices connected. Next, verify that the manufacturer has adequate documentation and a process for downloading and updating security and firmware patches. Ideally, these patches should be applied automatically.
This is also a great time to reevaluate the devices connecting to your network and to determine whether you trust them or not. In some cases, you may find the hardware to be at end of life or end of support. In others, the hardware may come from a questionable manufacturer. Either way, decisions must be made about the level of risk the business is willing to take regarding existing hardware, including whether it's more prudent to buy newer hardware that's more likely to be secured and patched on a regular basis.
Finally, be sure to monitor your networked devices. Tools such as network detection and response use AI to baseline normal behavior and trigger an alert when that behavior goes beyond a defined threshold. Hardware that abruptly alters from "the norm" is a telltale sign that a compromise may have occurred.