We are so used to divide the concept of IT security into two unequal subcategories, hardware- and software-centric. The hardware is usually considered relatively safe and clean — as opposed to the software which is usually the layer stuffed with bugs and malware.
This value system has been functioning for quite a while, but lately it has been showing signs of degrading. Certain firmware responsible for managing discrete hardware components has been getting increasingly complex and a subject to vulnerabilities and exploits. The worst thing is, in fact, that in many cases existing threat detection systems are impotent.
To cast some light onto this alarming trend, let’s review top 5 dangerous hardware vulnerabilities which have been recently found in today’s PCs.
Our undisputed leader in the hardware threat hit-parade is the DDR DRAM security issue which is not possible to solve via any software patch. The vulnerability dubbed Rowhammer, was provoked by, unexpectedly, the progress in the silicon industry.
As IC geometry continues to shrink, the neighboring hardware elements soldered on the chip get closer to each other and start interfering. In today’s memory chips this phenomenon might result in spontaneous switching of the memory cells when getting a random electric pulse from the adjacent cells.
Until recently, it was widely acknowledged that this phenomenon is impossible to use in any real-life PoC exploit which might help an attacker gain control over the affected PC. However, a team of researchers managed to escalate privileges on 15 out of 29 laptops using this PoC.
Rowhammer hardware exploit poses threat to DRAM memory in many laptops, PCs: https://t.co/z3Sr8L8SVy
— Eugene Kaspersky (@e_kaspersky) March 10, 2015
This is how the PoC functions: To ensure security, only a designated program or OS process is allowed to change a certain block in RAM. To put it simply, some important process functions inside of a well protected building, while some untrusted program is left banging on the front door.
However, it turned out that if one stomps loudly in front of this door (i.e. change the contents of memory cells too fast and frequently), the door lock is bound to break down. Well, locks got so unreliable these days…
A newer standard-based DDR4 and parity-check enabled RAM modules (which are way more expensive, though) can sustain this kind of attack. That’s the good news. The bad news is that a very large chunk of modern PC-dom is hackable in the attack referenced above, and there’s no remedy. The only feasible solution is replacement of all RAM modules.
#2: Hard drives
While are on the RAM subject, let’s cover hard drives. Thanks to the recent Kaspersky-commissioned research of Equation cybercriminal group, now we are aware of the fact that the controller firmware in hard drives might contain a lot of interesting curios.
— Kaspersky Lab (@kaspersky) February 17, 2015
For instance, those include malware modules which hijack control over the affected PC and function, essentially, in the ‘God mode’. After a hack as this, a hard drive is damaged beyond repair: the controller firmware infected with a malicious code hides the sectors containing malware and blocks any attempt to fix the firmware. Even formatting would be in vain: the most reliable method to get rid of the malware is physical destruction of the hacked hard drive.
— Mikhail Vasin (@mikhailvasin) February 18, 2015
The good news here is that the attack is tedious work and a costly piece of hacking. That’s why the absolute majority of users can relax and not even think of the possibility of their HDDs being hacked, except, probably, those in possession of the data so valuable that the exorbitant expenses of the associated attack are justified.
#3: the USB interface
The third position in our rating is occupied by a vulnerability (a bit outdated yet still notorious) which affects the USB interface. Recent news wiped the dust off this long-familiar bug. As you know, the latest Apple MacBook and Google Pixel laptops are equipped with the universal USB port which is used, among other things, for plugging in a charger.
Nothing is wrong with that, at the first sight, and the newest USB revision presents an elegant approach to interface unification. But connecting any device through USB is not safe. We have already told you about BadUSB, a critical vulnerability discovered last summer.
— Kaspersky Lab (@kaspersky) October 3, 2014
This bug allows to inject malicious code into the USB device controller (whether that of a thumb drive, or a keyboard, or anything else). No antivirus, including the most powerful products, is able to detect it there. Those who are extremely concerned about their data safety, should listen to itsec experts who recommend to stop using USB ports at all in order to mitigate the risks. But for the newest MacBook laptops, this advice is useless: anyway, the device should be charged!
— Eugene Kaspersky (@e_kaspersky) November 18, 2014
Sceptics might point out that it is impossible to inject a malicious code into the charger (as it contains no data storage). But this ‘issue’ can be addressed by ‘enhancing’ the charger (a PoC describing the method of infecting an iPhone through the charger was presented over two years ago).
— The Verge (@verge) March 16, 2015
Having injected the malware into the charger, the only thing an attacker would have to take care of is placing the ‘Trojanized’ charger in a public area, or otherwise replacing the original charger if the attack is targeted.
#4: the Thunderbolt interface
#4 in our chart is another port-specific vulnerability, targeting Thunderbolt. As it happens, connecting a device via Thunderbolt may be as well dangerous. A respective PoC which targeted Mac OS X products was demonstrated by a security researcher Tremmel Hudson at the end of last year.
— Kaspersky Lab (@kaspersky) January 15, 2015
Hudson created the first-ever bootkit targeting Apple’s OS, Thunderstrike, which leverages auxiliary modules boot from external devices connected by Thunderbolt. As soon as it is accomplished, the attacker can do anything to the affected PC.
As soon as Hudson’s research went live, Apple mitigated the risk of such attack in the next OS update (OS X 10.10.2). However, according to Hudson, the patch is a temporary measure. The undermining principle of the vulnerability remains the same, so this is definitely a ‘to-be-continued’ story.
There were times when each PC motherboard BIOS developer used his own heavily guarded secret recipes. It was close to impossible to analyze the firmware, and a rare hacker would be capable of finding bugs in those microprograms.
As UEFI gained traction, a considerable portion of the source code became common for different platforms, which made life a lot easier for PC vendors and BIOS developers alike, as well as tomalware engineers.
For instance, of the latest UEFI vulnerabilities may be used to overwrite BIOS, regardless of any security measures that might be in place, even if it is a recently marketed hip Windows 8 feature, Secure Boot. It is a vendor-agnostic and deployment-specific issue found in a standard BIOS function.
New BIOS Implant, Vulnerability Discovery Tool to Debut at CanSecWest https://t.co/EuJc9bv6Tt
— Eugene Kaspersky (@e_kaspersky) March 20, 2015
The majority of the aforementioned threats are yet exotic and unbeknownst to the majority of common users, and unlikely to be a frequent case. But the situation may change very abruptly, and in a very short time we might be all nostalgic about good old times when hard drive formatting was a fool-proof method of dealing with an infected PC.