One crucial factor is sometimes missing from our everyday discourse on software security: there can be no secure software without secure hardware. The other important but often unmentioned factor is that security is always a matter of degree, not a binary. Saying that something is secure or insecure is just a misleading shorthand for a much more complicated situation.
We may say things like 'that's a secure system' or 'that's an insecure protocol', but the reality is more complex: systems and protocols are secure or insecure to varying degrees in different contexts, and there are, strictly speaking, no "secure systems" if we take that expression to mean secure in all contexts, against all threats, all the time. Taken literally, there are no secure systems, or at least none that are also useful.
This is even more true of hardware. Depending on who your adversaries are, how much time they have with your hardware, what tools and expertise they have, and so on, the security of your hardware may range from 'pretty damn good' to nil.
In this brief overview, I discuss the main threats to computer hardware and what are some of the countermeasures that can be adopted to address them.
When threat agents have physical possession of computer hardware, the security threats and risks multiply significantly because physical access can bypass many traditional 'logical' security measures designed for remote protection.
Here are some of the primary security threats and risks that apply under these circumstances, followed by a discussion of measures to counteract or reduce them.
Data theft or unauthorised copying
Direct access to the hardware allows an attacker to remove or image storage devices, such as hard drives and solid-state drives, and copy everything on them. Encryption does not prevent the copying; it only forces the attacker to obtain the key, whether by extracting it from the device or by guessing the secret it is derived from, and given sufficient time and resources that may well succeed.
Hardware tampering
An attacker could physically tamper with the hardware components, implanting malicious devices and probes, or making additions or modifications that could compromise the integrity of the computer's data and operations.
Firmware modification
Firmware on components such as the BIOS or UEFI can be modified to inject malware or create backdoors that remain active regardless of operating system updates or reinstalls. This is one of the most practical attacks, and we have seen real-world examples of it in the wild. The standardisation of UEFI does not help: it makes a single implant technique portable across many vendors' machines, and vulnerabilities keep being identified in UEFI implementations.
Bypassing physical security measures
Simple physical security measures, such as locks on chassis or non-standard screws, can often be easily bypassed, allowing for the aforementioned risks to be exploited.
Cold boot attacks
These exploit data remanence in DRAM: the contents fade over seconds after power is cut (longer if the modules are chilled), so an attacker who power-cycles a running or suspended machine and immediately boots a minimal memory-dumping tool, or moves the modules into another machine, can recover sensitive data such as encryption keys. The attack needs the machine to be running or suspended with the keys in memory, which limits where it applies, but where it does apply it can be very effective, because data in RAM is usually not encrypted, in contrast to the now widespread encryption of data in storage.
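What an attacker does with the captured RAM image is worth seeing, because it shows why the keys, not just the data, are the target. The following Python is an added example, not code from the article: it scans a memory image for AES-128 key schedules, the technique cold-boot tools use to find disk-encryption keys in a dump, since most AES implementations keep the full 176-byte expanded key in RAM and its structure is easy to recognise even when some bits have decayed. The memory image, the embedded key (the FIPS-197 example key) and the "decayed" bit flips are all constructed here for the demonstration.

```python
"""Scan a memory image for AES-128 key schedules, as cold-boot tools do."""
import random


def _make_sbox():
    """Build the AES S-box from the GF(2^8) inverse and affine map (FIPS-197
    section 5.1.1) so that no 256-entry table has to be transcribed."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p runs through every non-zero field element (p *= 3) while q keeps
        # its inverse (q /= 3), so sbox[p] = affine(inverse(p)).
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)  # affine transform
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse
    return sbox


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def key_schedule_words(key):
    """Yield the round-key words w[4]..w[43] of the AES-128 key schedule
    (FIPS-197 section 5.2), one 4-byte word at a time."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t = [t[0] ^ RCON[i // 4 - 1]] + t[1:]  # xor the round constant
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
        yield bytes(w[i])


def expand_key(key):
    """The full 176-byte expanded key as most AES implementations keep it in RAM."""
    return bytes(key) + b"".join(key_schedule_words(key))


def find_aes128_keys(image, max_bit_errors=0):
    """Treat every 16-byte window as a candidate key, expand it, and count the
    bits by which the expansion differs from the 160 bytes that follow it in
    the image. Decay in the schedule words is tolerated up to max_bit_errors;
    decay in the 16 key bytes themselves would need the error-correcting
    reconstruction of the original cold-boot paper and is not handled here.
    Returns (offset, key, bit_errors) tuples in ascending offset order."""
    hits = []
    for off in range(len(image) - 176 + 1):
        errors = 0
        for i, word in enumerate(key_schedule_words(image[off:off + 16]), start=4):
            actual = image[off + 4 * i:off + 4 * i + 4]
            errors += sum(bin(a ^ b).count("1") for a, b in zip(word, actual))
            if errors > max_bit_errors:
                break  # early exit keeps the scan cheap on random data
        else:
            hits.append((off, image[off:off + 16], errors))
    return hits


DEMO_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 key


def build_demo_image():
    """Constructed 4 KiB 'memory dump': random filler with an intact key schedule
    at offset 1000 and a copy at offset 2500 in which three schedule bits have
    'decayed' (flipped), as bits do once DRAM loses power."""
    rng = random.Random(1)
    image = bytearray(rng.getrandbits(8) for _ in range(4096))
    sched = expand_key(DEMO_KEY)
    image[1000:1176] = sched
    decayed = bytearray(sched)
    for bit in (17 * 8 + 3, 60 * 8, 150 * 8 + 6):  # all past the 16 key bytes
        decayed[bit // 8] ^= 1 << (bit % 8)
    image[2500:2676] = decayed
    return bytes(image)


if __name__ == "__main__":
    img = build_demo_image()
    for off, key, errs in find_aes128_keys(img, max_bit_errors=8):
        print(f"offset {off}: key {key.hex()} ({errs} decayed bits)")
```

An exact match finds only the intact copy; allowing a few bit errors also recovers the decayed one, which is why chilling the modules (slower decay, fewer errors) matters so much to the attacker, and why a countermeasure that zeroes or evicts keys before the attacker gets the image is the only thing that really defeats the scan.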
Peripheral device compromise
Malicious devices can be connected to the computer system, such as USB devices designed to act as input devices to inject malicious commands or software, or more specialised devices that may exploit built-in features or vulnerabilities in various device communication protocols or hardware.
So what are the existing countermeasures and risk reduction strategies that can be deployed against the threats discussed above, ideally raising the attacker's cost so much that they give up?
Full Disk Encryption (FDE)
FDE, or more precisely full storage encryption, encrypts the entire storage device so that data at rest remains unreadable without the encryption key even when the medium is removed and imaged. It is effective only if the key is neither stored insecurely on the device itself nor derived from a secret that can be easily guessed or brute-forced. This countermeasure is now widely deployed, addressing one of the most obvious risks. Despite the wide deployment, it is not always well implemented, as recent attacks on Microsoft BitLocker have demonstrated.
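The "easily guessed or brute-forced" condition deserves numbers. The Python below is an added example, not code from the article or from any FDE product: it derives a key-encryption key from a user secret with PBKDF2-HMAC-SHA256 (a stand-in for whatever KDF a real product uses), then plays the attacker who has imaged the disk and can test guesses offline. The salt, the PIN and the iteration count are constructed for the demo; the iteration count is deliberately tiny so that the brute force finishes in about a second.

```python
"""Why FDE is only as strong as the secret its key is derived from."""
import hashlib


def derive_kek(secret: bytes, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit key-encryption key from a user secret.
    PBKDF2-HMAC-SHA256 stands in for a real product's KDF; the argument is the
    same for scrypt or Argon2, only the per-guess cost changes."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def brute_force_pin(target_kek: bytes, salt: bytes, iterations: int, digits: int = 4):
    """Offline attack with a copy of the disk header (salt plus a way to verify
    the KEK): try every numeric PIN of the given length. Returns the PIN that
    reproduces the KEK, or None if no PIN of that length does."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}".encode()
        if derive_kek(pin, salt, iterations) == target_kek:
            return pin
    return None


def expected_crack_seconds(guess_space: int, seconds_per_guess: float) -> float:
    """On average the attacker has to try half the space."""
    return guess_space * seconds_per_guess / 2


def crack_time_table(seconds_per_guess: float) -> dict:
    """Expected attacker time for typical secret types at a given per-guess
    cost. The KDF work factor sets seconds_per_guess; only the secret sets
    the guess space, and the space is what dominates."""
    spaces = {
        "4-digit PIN": 10 ** 4,
        "8-char lowercase password": 26 ** 8,
        "6-word diceware passphrase": 7776 ** 6,
    }
    return {name: expected_crack_seconds(n, seconds_per_guess) for name, n in spaces.items()}


if __name__ == "__main__":
    salt = b"constructed-salt-16b"  # constructed; a real header stores a random salt
    iterations = 200                 # deliberately low so the demo runs in a second
    kek = derive_kek(b"2468", salt, iterations)
    print("recovered PIN:", brute_force_pin(kek, salt, iterations))
    # 0.5 s per guess is a generous work factor; the PIN still falls in minutes.
    for name, secs in crack_time_table(seconds_per_guess=0.5).items():
        print(f"{name:28s} {secs / 86400 / 365:12.3g} years")
```

Even at half a second per guess, which is a heavy work factor, a four-digit PIN is expected to fall in well under an hour, while an eight-character lowercase password takes centuries and a six-word passphrase is out of reach. This is also why a key that the TPM hands over without any user secret, as discussed under Secure Boot below, is the weakest of all: there is nothing to guess.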
Secure Boot and Trusted Platform Module (TPM)
Secure Boot is intended to ensure that only trusted, signed software can boot on the device. A TPM can generate and store the cryptographic keys used for disk encryption and release them only when the measured boot state matches, making it harder for an attacker to extract them even with physical access - at least that's the theory. In practice, as always, the devil is in the detail. One of the details is the data bus, the physical connection between the components of the computer system: when the TPM releases a key to the CPU, the key travels over that bus, which can be tapped unless the TPM is integrated into the CPU or SoC (System on a Chip) so that no bus is physically exposed. Requiring a PIN or passphrase in addition to the TPM measurement closes this particular gap, because the TPM will not release the key to a machine the attacker boots unattended.
Bus access between components within a computer system is a fundamental aspect of computer architecture that enables communication between different computer parts, such as the CPU, the RAM, the storage devices, and the peripherals.
If and when the bus can be directly accessed, tapped or modified, the security of the system may be severely or fatally undermined.
Tamper-resistant and tamper-evident techniques
Hardware can be designed to resist tampering or to indicate when tampering has occurred. This can include devices that erase sensitive data if tampering is detected or technologies, such as epoxy filling, which make effective tampering much more challenging.
Epoxy filling and similar measures belong to the broader category of anti-tamper technologies, aimed at denying or complicating unauthorised access to device internals, including chipsets, buses and Printed Circuit Boards (PCBs). Physical Unclonable Functions (PUFs) are a different, complementary technique: they derive a device-unique key from manufacturing variation in the silicon, so that a cloned or substituted chip cannot reproduce it, and they are often combined with anti-tamper measures rather than being one of them.
These measures are particularly important in the context of securing sensitive hardware against tampering, reverse engineering, and other forms of physical attacks.
Epoxy filling involves encapsulating the entire device in a solid or gel-like epoxy resin. Once the epoxy has hardened, accessing the encapsulated components without damaging them becomes extremely difficult.
This acts as a deterrent against attempts to reverse engineer the device or tamper with its internals. It is one of the most effective and cheapest ways to increase the physical security of hardware, but it impedes heat dissipation and can cause overheating, which has to be taken into account in the design.
RAM overwriting
Some systems offer features that mitigate cold boot attacks by overwriting RAM contents on shutdown or reboot, reducing the window of opportunity for such attacks. They only help if the system actually runs its shutdown path; an attacker who cuts the power or pulls the memory modules bypasses them, so depending on the time available and the precise circumstances these countermeasures may or may not be effective. Powering a machine fully off, rather than suspending it, when it is left unattended is the simplest way to shrink the window.
Peripheral ports and connections such as USB
Finally, physically disabling ports and connections that are not needed is a simple and affordable method of reducing their risks, although their effectiveness would of course depend on the capabilities of the threat actors, and the time and the tools they have at their disposal. Please note this countermeasure is different from the software control of peripheral connections, such as USB, which is provided by operating systems or endpoint security solutions.
To conclude, implementing a combination of these hardware security measures can significantly reduce the risks associated with physical access to computer hardware but cannot completely neutralise them, particularly if the threat actors have time, expertise and specialist tooling. It is therefore crucial to assess the specific risks applicable to the hardware in question, including the range of use scenarios and likely threat actors, and apply a layered defence-in-depth approach based on a detailed threat analysis.
#hardwaresecurity #cybersecurity #securityengineering #hardwarehacking