We are very used to dividing the concept of IT security into two unequal subcategories, hardware- and software-centric.
The hardware is usually considered relatively safe and clean — as opposed to software which is usually the layer suffering from bugs and malware.
This value system has functioned for quite a while, but lately it has been showing signs of change. The firmware that manages discrete hardware components has grown increasingly complex and is now subject to vulnerabilities and exploits. Worst of all, in many cases existing threat detection systems are powerless against it. To shed some light on this alarming trend, let’s review the top 5 dangerous hardware vulnerabilities that have recently been found in today’s PCs.
1: RAM
Our undisputed leader in the hardware threat hit-parade is the DDR DRAM security issue, which cannot be solved by any software patch. The vulnerability, dubbed Rowhammer, was unexpectedly brought about by progress in the silicon industry. As IC geometry continues to shrink, neighboring elements on the chip get closer to each other and start to interfere. In today’s memory chips this can cause memory cells to switch spontaneously when they pick up a random electric pulse from adjacent cells.
Until recently, it was widely believed that this phenomenon could not be used in any real-life PoC exploit that might help an attacker gain control over the affected PC. However, a team of researchers managed to escalate privileges on 15 out of 29 laptops using this PoC.
This is how the PoC functions: to ensure security, only a designated program or OS process is allowed to change a certain block in RAM. To put it simply, some important process functions are allowed inside a well-protected building, while other, untrusted programs are left banging on the front door. However, it turns out that if one stomps loudly in front of this door (i.e. changes the contents of memory cells too fast and too frequently), the door lock is bound to break down. Who knew locks got so unreliable these days…
Newer DDR4-based and parity-check-enabled RAM modules (which are way more expensive) can withstand this kind of attack. That’s the good news. The bad news is that a very large chunk of modern PC-dom is hackable via the attack referenced above, and there’s no remedy. The only feasible solution is replacement of all RAM modules.
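The DDR4 / parity-check criterion above can be checked against a machine's SMBIOS memory inventory. The following is an added example, not part of the original article: it parses text in the layout printed by `dmidecode -t memory` and marks each populated module as meeting the article's criterion or not. The sample output, the function names, and the reading of "parity-check enabled" as a reported error-correction type plus a Total Width larger than the Data Width are assumptions.

```python
import re
# Constructed sample in the layout of `dmidecode -t memory` (not from a real machine).
SAMPLE = """\
Handle 0x0040, DMI type 16, 23 bytes
Physical Memory Array
    Error Correction Type: None

Handle 0x0041, DMI type 17, 40 bytes
Memory Device
    Array Handle: 0x0040
    Total Width: 64 bits
    Data Width: 64 bits
    Size: 8192 MB
    Locator: DIMM_A1
    Type: DDR3

Handle 0x0042, DMI type 17, 40 bytes
Memory Device
    Size: No Module Installed
    Locator: DIMM_B1
"""

def parse_records(text):
    """Split dmidecode output into (title, fields) records, one per SMBIOS handle."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) >= 2 and lines[0].startswith("Handle"):  # skip banner text
            parts = (line.partition(":") for line in lines[2:])
            fields = {k.strip(): v.strip() for k, _, v in parts if v.strip()}
            fields["Handle"] = lines[0].split(",")[0].split()[1]
            records.append((lines[1].strip(), fields))
    return records

def bits(value):  # "72 bits" -> 72; "Unknown" or a missing field -> 0
    return int(value.split()[0]) if value[:1].isdigit() else 0

def assess(text):
    """Map each populated DIMM locator to True if it meets the article's criterion."""
    records = parse_records(text)
    ecc = {f["Handle"]: f.get("Error Correction Type", "None")
           for title, f in records if title == "Physical Memory Array"}
    report = {}
    for title, f in records:
        if title == "Memory Device" and not f.get("Size", "").startswith("No Module"):
            # Assumption: check bits show up as Total Width > Data Width (72 vs 64).
            checked = (ecc.get(f.get("Array Handle"), "None") not in ("None", "Unknown")
                       and bits(f.get("Total Width", "")) > bits(f.get("Data Width", "")))
            report[f.get("Locator", f["Handle"])] = f.get("Type") == "DDR4" or checked
    return report
```

On a Linux host, pass `assess()` the output of `sudo dmidecode -t memory`; empty slots are skipped rather than reported.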
2: Hard drives
While we are on the subject of RAM, let’s cover hard drives. Thanks to the recent Kaspersky-commissioned research into the Equation cybercriminal group, we are now aware that the controller firmware in hard drives might contain a lot of interesting curios.
For example, those include malware modules which hijack control over the affected PC and function, essentially, in ‘God mode.’ After a hack like this, a hard drive is damaged beyond repair: the controller firmware, infected with malicious code, hides the sectors containing malware and blocks any attempt to fix the firmware. Even formatting would be in vain: the most reliable method to get rid of the malware is physical destruction of the hacked hard drive.
The good news here is that the attack is tedious work and a costly piece of hacking. That’s why the absolute majority of users can relax and not even think about the possibility of their HDDs being hacked, except, possibly, those in possession of data so valuable that the exorbitant expense of the associated attack is justified.
3: the USB interface
The third position in our rating is occupied by a vulnerability (a bit outdated yet still notorious) which affects the USB interface. Recent news wiped the dust off this long-familiar bug. As you know, the latest Apple MacBook and Google Pixel laptops are equipped with a universal USB port which is used, among other things, for plugging in a charger.
Nothing is wrong with that at first sight, and the newest USB revision presents an elegant approach to interface unification. However, connecting just any device through USB is not always safe. We have already told you about BadUSB, a critical vulnerability discovered last summer.
This bug allows malicious code to be injected into the USB device controller (whether that of a thumb drive, a keyboard, or anything else). No antivirus, including the most powerful products, is able to detect it there. Those who are extremely concerned about their data safety should listen to IT security experts, who recommend that you stop using USB ports altogether in order to mitigate the risks. As for the newest MacBook laptops, this advice is useless: the device has to be charged anyway!
Skeptics might point out that it is impossible to inject malicious code into the charger (as it contains no data storage). But this ‘issue’ can be addressed by ‘enhancing’ the charger (a PoC describing the method of infecting an iPhone through the charger was presented over two years ago). Having injected the malware into the charger, the only thing an attacker would have to take care of is placing the ‘Trojanized’ charger in a public area, or otherwise replacing the original charger if the attack is targeted.
4: the Thunderbolt interface
#4 in our chart is another port-specific vulnerability, targeting Thunderbolt. As it happens, connecting a device via Thunderbolt may also be dangerous. A corresponding PoC which targeted Mac OS X products was demonstrated by security researcher Trammell Hudson at the end of last year. Hudson created Thunderstrike, the first-ever bootkit targeting Apple’s OS, which leverages the booting of auxiliary modules from external devices connected by Thunderbolt. As soon as this is accomplished, the attacker can do anything to the affected PC.
As soon as Hudson’s research went live, Apple mitigated the risk of such an attack in the next OS update (OS X 10.10.2). However, according to Hudson, the patch is a temporary measure. The underlying principle of the vulnerability remains the same, so this is definitely a ‘to-be-continued’ story.
5: BIOS
There were times when each PC motherboard BIOS developer used his own heavily guarded secret recipes. It was close to impossible to analyze the firmware, and rarely would a hacker be capable of finding bugs in those microprograms. As UEFI gained traction, a considerable portion of the source code became common to different platforms, which made life a lot easier for PC vendors and BIOS developers, as well as for malware engineers.
For instance, the latest UEFI vulnerabilities may be used to overwrite the BIOS regardless of any security measures that might be in place, even the recently marketed, hip Windows 8 feature, Secure Boot. It is a vendor-agnostic and deployment-specific issue found in a standard BIOS function. It should be mentioned that the LightEater attack infects popular BIOSes.
The majority of the aforementioned threats are still exotic, unknown to most common users, and unlikely to be encountered often. However, the situation may change very abruptly, and in a very short time we might all be nostalgic about the good old times when hard drive formatting was a fool-proof method of dealing with an infected PC.