We are seeing interesting changes in how researchers and attackers are exploring methods to undermine systems and devices. Increasingly, the focus is on the hardware.
Vulnerability and exploit research is accelerating across the board with better tools, greater funding, and improved methods. As a result, more potential avenues of attack are being discovered and developed for hardware and the firmware that controls it.
Although it is difficult to exploit hardware, the interest in doing so continues to increase. The reason is simple: It is about control.
As security of software becomes more robust, attackers are looking in other areas for more powerful means to control systems. Hardware and firmware have a distinct advantage over software.
Modern computers are like a layered cake. Data is at the top, resting on software, virtual environments, operating systems, and finally firmware and hardware at the foundation. The lower you can access this technology stack, the more control you achieve over the system.
There is an adage in cybersecurity: physical access trumps all. If attackers can get their hands on a computer and its components, they have an excellent chance of compromising the system. With control of hardware and firmware, attackers can mirror the system, install tools, swap elements, copy raw data, and test the system in a variety of ways. Such fundamental control can undermine the core trust of the device.
In theory, hacking hardware remotely can give similar advantages to attackers. Hardware attacks are incredibly difficult but ultimately very powerful if successful. They can bypass almost all security controls and detection capabilities rooted in software as well as remain persistent, resisting actions to evict and restore normal trust. Most modern security resides in software. Nowadays, applications and operating systems are the heavyweights and do most of the work to protect systems. Off-the-shelf security software is really just an application; many have special hooks to bind closer with the operating system. But they have limitations because they reside in the same layer as most of the attacks. Hardware and virtual environments residing underneath have a greater understanding of what is occurring above them and can significantly affect the visibility and capabilities of such protective software.
Controlling the hardware is a key advantage. For this reason, researchers and attackers will continue to accelerate their investment in undermining hardware and devices. Controlling hardware is difficult, however. It takes very particular expertise, patience, and time. Many attackers lack such characteristics, but a growing community of professional researchers, academia, nation-states, and organized criminals are willing to commit to the investment, driven by a variety of motivations.
In 2016 we will see more research, with some vulnerabilities discovered, but largely hardware hacking will remain outside the reach of most attackers. Hardware and device hacking will become even more prevalent with the growth of the Internet of Things—devices, sensors, appliances, and vehicles—but will also occur across the traditional landscape of PCs, networking equipment, and servers.
Hardware is the final frontier for those seeking to undermine security, and is the root of trust for those wishing to defend it. This is a battle for a prize that we, in the technology security industry, will be talking about for years to come.