There are many myths surrounding safety, which claim that hardware is never responsible for anything bad that can happen. They are all untenable and we will try to take them down one by one.
Many computer and network professionals often overlook the issues attacks related to their own installed hardware or being attacked by other hardware and their vital importance in creating a secure workplace.
Especially in cyber security, everyone likes to talk about it software and the risks this entails. This is attributed to a general lack of knowledge regarding hardware security (hardware) and its mode of operation. Let's look at the myths you may have heard about it from time to time:
Myth #1: We never hear about hardware-based attacks, so they don't exist!
Just because you don't hear about the problem often doesn't mean it doesn't exist. Typically, the cyber attacks that make headlines are those involving large companies that have fallen victim to a software-based attack carried out by notorious cyber crime syndicates.
These stories are juicy and scandalous and attract the audience to read the article, generating more clicks to the media's website.
In addition, many enterprises choose to hide information related to hardware-based attacks, as it indicates insufficient physical security, which reflects negatively on business.
Another reason you don't often hear about hardware-based attacks is that the businesses that fall victim to them are unaware of it. When a business is compromised, the most logical assumption is that it was due to a software vulnerability or a phishing scam. Such a misunderstanding, combined with a lack of resources to identify a hardware attack tool, results in the attack method being misinterpreted.
However, this does not mean that hardware-based attacks do not receive media attention. An excellent example that receives public attention is ATMs. These cash dispensers are becoming a target for cybercriminals because of the instant payment.
Instead of using brute force attacks on ATMs, criminals can now simply plug a hardware attack tool, known as a Black Box, into the computer's internals to trick it into handing over cash via a MiTM attack. From 2021, Black Box attacks have increased and have amounted to losses of 1,5 million euros in Europe alone.
Myth #2: We have security measures in place and all our employees use a VPN. We are protected!
Yes, your security measures like NAC, IDS/IDP, firewalls and VPNs certainly provide some level of protection.
However, hackers are constantly evolving and finding new attack methods, which means they are exploiting blind spots, one of which is the hardware domain.
Existing security solutions lack visual oversight at the Physical Layer (layer 1), which leaves them ill-suited to defend against, let alone detect, hardware-based attack tools.
These malicious devices are designed to avoid detection by operating in the Physical Layer and mimic commands and executions that appear to be given by humans, making them extremely dangerous as they can carry out a variety of harmful attacks without any obstacles in their way.
If you can't determine all the information your hardware is sending within 10 seconds, you're not really protected.
Myth #3: We don't use USB, so why should we care?
This is an excuse we've heard many times before, but you really need to protect yourself!
Sure, your company might not use flash drives, and there might be some possibilities authorization to solutions EPS/EDR which exclude phones, keyboards and mice with specific VID/PIDs.
That's all well and good, but what about the keyboards that employees use to type? And the mice they use for navigation? All these are with USB.
They may be authorized, but that doesn't mean they can't be spoofed by a hidden spoofing device. An example is the self-made construction that it was featured in 2019 by Luca Bongiorni and which gave full instructions on how to make a hacked usb plug for any device. And at a cost of just $10.
As long as there are such devices in the work environment, there is a risk that one (or more) may be hacked. And without Physical Layer visibility, there is no mechanism to determine what is legal or not. If the security manager of the online systems does not see daily with a physical presence what is done in the company's typing, then there is a backdoor open.
Myth #4: Why would anyone want to hack us? we are not an interesting target.
That's where you're wrong. In this day and age, almost anything that has data has value, and there is someone out there who wants to access it, no matter how mundane it may be.
Not all hackers target large nuclear facilities or government institutions. The risk of such an attack is usually very high and this deters most cybercriminals.
Your company, however, is a prime target as data exists and is accessible. Either the perpetrator wants to steal information for monetary gain, access it to gain a competitive advantage, or encrypt it in a ransomware attack. Your company if not interested will provide this opportunity to cyber criminals and a hacked hardware things will be very easy.
In short, every business is a target for malicious actors. It can happen to anyone for any number of reasons. The important thing to remember is that you can prepare and strengthen your company's resistance to these attacks for both software and hardware.
