Hardware supply chain threats can undermine your endpoint infrastructure

News
By published

Organizations need to address hardware and firmware security threats

A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
(Image credit: Shutterstock)

Global IT infrastructure has become increasingly interconnected and interdependent. As a result, operational resilience has continued to climb up CISOs’ agendas. While organizations have matured their handling of software threats, many are struggling with poor visibility and inadequate tools to defend against lower-level threats targeting hardware and firmware, which is proving to be a barrier to resilience.

Supply chain attacks can come in many forms, from ransomware groups compromising suppliers’ infrastructure, to tampering with hardware and firmware. Beyond disruption, the reason why these attacks are so damaging is because they undermine the hardware and firmware foundations of devices, often in ways that are difficult to detect and fix, meaning that software and data cannot be trusted to be secure.

Alex Holland

Principal Threat Researcher in the HP Security Lab.

Regulators have begun to move to strengthen supply chain security. The UK has implemented new IOT cybersecurity regulations and is drafting a Cyber Security and Resilience Bill to “expand the remit of regulation to protect more digital services and supply chains”. In the US, Executive Order 14028 accelerated the development of software supply chain security requirements for government procurement, explicitly including firmware. The EU is introducing new cyber security requirements at every stage of the supply chain, starting with software and services with the Network and Information Systems (NIS2) directive, and extending to devices themselves with the Cyber Resilience Act to ensure safer hardware and software.

A survey from HP Wolf Security found that 30% of UK organizations say that they or others they know have been impacted by state-sponsored actors trying to insert malicious hardware or firmware into PCs or printers, highlighting the need to address physical device security risks.

Hardware and firmware attacks have major ramifications

The impact of failing to protect the integrity of endpoint hardware and firmware is high. A successful compromise at these lower layers can hand attackers unparalleled visibility and control over a device. The attack surface exposed by hardware and firmware has been a target for skilled and well-resourced threat actors like nation-states for years, offering a stealthy foothold below the operating system (OS). But as the cost and skill of attacking hardware and firmware falls, this capability is trickling down into the hands of other bad actors.

Given the stealthy nature and complexity of firmware threats, real-world examples are not as frequent as malware targeting the OS. Examples like LoJax, in 2018, targeted PC UEFI firmware to survive OS reinstalls and hard drive replacements on devices lacking protection. More recently, the BlackLotus UEFI bootkit was designed to bypass boot security mechanisms and give attackers full control over the OS boot process. Other UEFI malware such as CosmicStrand can launch before the OS and security defenses, allowing attackers to maintain persistence and facilitate command-and-control over the infected computer.

Firms are also concerned about attempts to tamper with devices in transit, with many reporting being blind and unequipped to detect and stop such threats. 75% of UK organizations say they need a way to verify hardware integrity to mitigate the threat of device tampering.

Maturing the approach to endpoint hardware and firmware security

In recent years, IT teams have gotten better at managing and monitoring the software security configuration of devices, and are improving their ability to track software provenance and supply chain assurance. Now, it’s time to bring the same level of maturity to managing and monitoring hardware and firmware security across the entire lifespan of endpoint devices.

Organizations can start by taking the following steps:

  • Securely manage firmware configuration throughout the lifecycle of a device, using digital certificates and public-key cryptography. By doing so, administrators can begin managing firmware remotely and eliminate weak password-based authentication.
  • Make use of vendor factory services to enable robust hardware and firmware security configurations right from the factory
  • Adopt Platform Certificate technology to verify hardware and firmware integrity once devices have been delivered
  • Monitor ongoing compliance of device hardware and firmware configuration across your fleet of devices – this is a continuous process that should be in place as long as devices are in use.

Ultimately, endpoint security depends on strong supply chain security, which starts with the assurance that devices, whether PCs, printers, or any form of IoT, are built and delivered with the intended components. This is why organizations should increasingly focus on securing the hardware and firmware foundations of their endpoints, by managing, monitoring and remediating hardware and firmware security throughout the lifetime of any device in their fleet.

We've featured the best online cybersecurity course.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Alex Holland

Principal Threat Researcher in the HP Security Lab.
Read more
Closing the cybersecurity skills gap
The critical need for watertight security across the IT supply chain
Security
Removing software supply chain blind spots that put public sector organizations at risk
A digital representation of a lock
Exploits on the rise: How defenders can combat sophisticated threat actors
A graphic showing someone on a tablet working through a supply chain.
How phishing attacks are hitting the supply chain – and how to fight back
An image of network security icons for a network encircling a digital blue earth.
Why effective cybersecurity is a team effort
Representational image of a hacker
The 10 worst software disasters of 2024: cyberattacks, malicious AI, and silent threats
Latest in Pro
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedlyleft users exposed for months
DeepSeek
Fake DeepSeek installers are infecting your device with dangerous malware
AI tools.
Not even fairy tales are safe - researchers weaponise bedtime stories to jailbreak AI chatbots and create malware
Adobe Firefly
Adobe launches game-changing GenAI tools for video editing
Adobe AI agents
Adobe launches 10 new AI agents to automate key marketing workflows
Data leak
Top California sperm bank suffers embarrassing leak
Latest in News
Stability AI 3D Video
Stability AI’s new virtual camera turns any image into a cool 3D video and I’m blown away by how good it is
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedlyleft users exposed for months
Google Pixel 9a
Google is delaying the Pixel 9a to fix a mystery “component quality issue”
The bottom left corner of an Android phone, showing the Phone, Messages, Google icons and Google Search bar
Google Messages remote delete will soon save you from texting embarrassment – and here's how it works
ExpressVPN mobile app and Aircove
ExpressVPN ‘reduces workforce’ for the second time in two years
The Nanoleaf PC Screen Mirror Lightstrip being used on a desktop computer.
Mac gaming could get an intriguing boost – but not in the way you'd expect
More about pro
Elecom 9,000mAh sodium-ion battery

This is the world's first sodium-ion mobile battery, a game changer in environmental sustainability, but it's not cheap
Data center server room lit with green lights

Microsoft is MIA as Amazon, Meta, Google and others join consortium to triple nuclear energy output by 2050
Comino Grando Server

Puget Systems partners with Comino to bring more affordable liquid cooled dual-CPU, 8-GPU systems to the masses
See more latest
Most Popular
Comino Grando Server
Puget Systems partners with Comino to bring more affordable liquid cooled dual-CPU, 8-GPU systems to the masses
Stability AI 3D Video
Stability AI’s new virtual camera turns any image into a cool 3D video and I’m blown away by how good it is
Elecom 9,000mAh sodium-ion battery
This is the world's first sodium-ion mobile battery, a game changer in environmental sustainability, but it's not cheap
The bottom left corner of an Android phone, showing the Phone, Messages, Google icons and Google Search bar
Google Messages remote delete will soon save you from texting embarrassment – and here's how it works
Data center server room lit with green lights
Microsoft is MIA as Amazon, Meta, Google and others join consortium to triple nuclear energy output by 2050
Thrustmaster Sol-R flight stick
Thrustmaster announces the Sol-R 1 and Sol-R 2 HOSAS flight sticks designed for space sims like Elite Dangerous
Image of AC Shadows cover art & Steam Deck
It's not perfect, but Assassin's Creed Shadows' performance is impressive - it runs smoothly on the Steam Deck and Asus ROG Ally
Google Pixel 9a
Google is delaying the Pixel 9a to fix a mystery “component quality issue”
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedlyleft users exposed for months
DeepSeek
Fake DeepSeek installers are infecting your device with dangerous malware