Examples of supply chain attacks include the insertion of malicious software into open-source libraries and the substitution of counterfeit hardware components in a receiving department at a lower tier of the supply chain. The former exploits an acquisition process to create a design vulnerability (associated with open-source code), and the latter exploits a weakness in a receiving department's process.
While most people are focused on protecting themselves from software-based attacks such as malware and phishing websites, hardware-based attacks are a very real threat as well. When you think of hardware-based attacks, you might automatically think of something like an infected USB drive being intentionally plugged into a computer.
This famously happened in 2008, when Russian agents planted infected USB drives at a kiosk near NATO headquarters in Kabul, hoping that American workers would purchase one of the drives and plug it into a network computer. The plan worked.
Another example would be something like juice jacking, an increasingly common hardware-based MITM (man-in-the-middle) attack that plagues public charging ports.
In juice jacking attacks, a public USB charging port (such as at airports) can be compromised with malware, though this is really quite rare and only a few reports have been documented.
Protecting yourself from basic software attacks
While we’re going to focus mainly on hardware attacks in this article, the majority of identity theft cases still result from software attacks. Protecting yourself from software attacks means following basic cybersecurity practices and learning about things like how the dark web can be monitored. Monitoring can help you check whether your personal information is being shared online and work out how to prevent that from happening.
So before you go tearing apart your office computers looking for embedded microphones, remember things like:
- 2-factor authentication.
- Strong network passwords.
- Firewalls and updated firmware.
- Configuring security on IoT devices like WiFi printers.
How hardware attacks are becoming a serious threat
Hardware supply-chain attacks are a serious concern for numerous industries. These attacks take advantage of vulnerabilities in hardware-manufacturing supply chains, which means that a company could receive hardware that is already compromised.
Modern hardware such as CPUs contains billions of transistors, which can be tampered with during the manufacturing process by malicious agents. Because of the complexity of integrated circuitry, physical modifications to hardware can be rather difficult to detect.
We’re basically talking about some real-life spy novel stuff here: CPUs shipped to a company already fitted with malicious circuitry that can steal data and go undetected at the software level. If it helps to visualize things this way, it’s like buying a teddy bear that has a nanny cam pre-installed without your knowledge, and the nanny cam is sending its feed back to whoever stuck it in there.
In fact, while we may wax poetic about high-tech malicious hardware modifications, a lot of it is really quite crude. According to Kaspersky, many common hardware attacks are simple things such as microphones being inserted into Ethernet adapters, or keyloggers in USB drives.
The reason this is so threatening is that these kinds of attacks can go undetected for a very long time. A company isn’t going to tear apart a new shipment of CPUs looking for planted bugs buried beneath the transistors, for example, and so a well-designed hardware attack can easily be incorporated into critical infrastructure without anyone’s knowledge.
How the tech security industry is tackling hardware attacks
While you typically hear about data breaches involving software and networking exploits, the tech security industry is highly aware of the growing popularity of hardware attacks. Cybersecurity firm Fortinet, for example, has been focusing on creating dedicated hardware at the ASIC chip level that has built-in security protections.
Hardware manufacturers are also seeking to heighten security standards in their supply chains, aided by increasingly strict government regulations. Security in the hardware industry needs to be approached through cooperation between the private and public sectors, as the public sector sets standards and controls, while the private sector designs and builds to specifications.