By Sean Arrowmith
Over the last week or so I have been working with colleagues and some of our specialist partners on putting together a presentation to an industry special interest group. One of the aforementioned presentations looked at hardware security and the potential for hidden threats at the hardware layer. Security threats from hardware and relatively new trends in today’s malware targeting attacks at hardware, rather than software, was something I had not looked at in detail before. As a result, I read several articles relating to this and for me it looks like a big unknown to the overall IT and Information Security world.
We all use devices on a daily basis – laptops, PDAs, smart phones etc. on the tacit assumption that these devices are secure. We take measures to ensure this by deploying security software and the usual forms of protection but only at the operating system and application layers. The thing is – what is happening in the chips and circuitry that the device runs on? I can’t help but think this is unchartered territory from a security perspective. So the first question for me is – will people move to attacking and exploiting security flaws at the hardware level?
Over the last decade there has been a clear shift in the threat landscape from infrastructure onto web applications. We also see focus on new technologies as they appear with lots of attention on mobile these days. So what’s next and is it hardware? It goes without saying that we need to care about these potential new threats from hardware, as they are difficult to detect, and no effective detection mechanism currently exists.
The sophistication of looking at security flaws at that level is high, but the cost of the equipment is less prohibitive than it once was. To use a microscope with suitable magnification capabilities 10 years ago would have cost tens if not hundreds of thousands of dollars. These days it is less than a thousand and the cost continues to decrease.
There is also the question of what lurks beneath? Within the circuits and chips what potential hidden threats might there be? It is well documented that when hardware is manufactured it is the ideal time to embed something nasty in the device before it is even built and shipped. It is clearly on the radar of governments – with DARPA having launched their VET programme in November to look for backdoors in hardware.
For me this is an area to watch closely over the next few years…
Sean Arrowmith is IRM’s Commercial Director. He is responsible for agreeing, achieving and maintaining all of IRM’s commercial relationships. He has over ten years’ experience in the Information Security industry – meeting the requirements of various industry sectors, such as retail, banking, gaming and gambling, healthcare and the public sector. His expertise lies in understanding C-level individuals concerns and desire to transform their company’s information security function.