OSI Layer 1: The soft underbelly of cybersecurity
As traditional cybersecurity solutions improve, they push cyberattackers toward alternative paths. Layer 1 of the OSI model (i.e., the physical layer) has become a fertile ground for attacks and, effectively, the soft underbelly of cybersecurity.
What forms do attacks on the hardware level take?
Cyberattacks on the physical, hardware level happen when, for instance, a disgruntled employee plants a rogue device within the organization’s infrastructure and runs off with his now-former company’s proprietary information.
There have also been recent cases of industrial espionage wherein compromised hardware has bypassed all authentication measures. Even governments are outsourcing this dirty work to crime syndicates, enabling attacks to be bolder and without any concern about repercussions.
Rogue hardware devices take advantage of the inherent trust that most operating systems have in the USB device ecosystem. Unfortunately, rogue device hardware components are also sold by the millions, with firmware available online, and YouTube hosts tutorial videos on how to spoof a USB peripheral’s ID.
In a way, we’ve set ourselves up for the risk of hardware hacking by being proactive with zero-trust network security and making it necessary for criminals to look elsewhere, but never addressing the hardware security problem. As a result, new vulnerabilities are discovered every year.
In Hollywood espionage blockbusters, the useful idiot is an often-encountered plot device, but unwitting insiders are yet another potential L1 attack vector. The threat posed by the hardware attack vector will only increase as employees who have been working from home return to the workplace. Employees could innocently plug in non-authorized devices that adversely impact the entire network and business operations. For example, juice jacking is a type of cyberattack wherein a smartphone charger doubles as a malware platform. There have been several notable real-world examples of this already happening.
Some devices even allow for lateral movement throughout the network, taking advantage of IoT daisy chaining that was included for easier installations.
Even your physical mailbox is not safe: we’ve observed phishing turning from the internet to snail mail with malicious USB dongles being mailed to targeted companies.
ATMs, power plants, and essential manufacturing are all at acute risk. There are many tools in the toolbox for hardware hacking. Security through obscurity just isn’t enough when people’s lives and the overall health of the economy depend on it.
There is a growing awareness of the extent of the problem in manufacturing and healthcare, as well as in the public sector (President Biden’s software supply chain executive order is just the beginning). Organizations have invested heavily in network and software environment defenses, including air-gapping sensitive SCADA systems, but none of those measures will prevent L1 hardware hacking.
What can you do?
It is essential that zero-trust principles also apply to the hardware level with a multi-layered approach to defenses, otherwise known as “defense in depth.” This can only be achieved through greater visibility provided by solutions that utilize novel approaches, such as fingerprinting devices from the L1/2/3 switch layers and Power over Ethernet (PoE) usage to pinpoint whether an unauthorized device is operating and, if so, what and where it is.
The metadata from a switch can indicate whether a rogue device is present. This can be accomplished without mirroring traffic to respect privacy within sensitive IT environments.
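As an added example (not from the article or any vendor product), the check below shows how a baseline of per-port switch metadata can flag a rogue device without mirroring any traffic: a cloned vendor OUI passes the MAC check, but the device's PoE draw and negotiated link speed do not match the baseline. Port names, OUIs, wattages and the inventory records are all constructed for illustration.

```python
"""Added example (not from the article): flag a rogue device from switch port metadata alone,
without mirroring traffic. Port names, OUIs and baseline values are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class PortProfile:
    oui: str          # first three octets of the MAC, identifies the NIC vendor
    poe_min_w: float  # expected Power over Ethernet draw range, in watts
    poe_max_w: float
    link_mbps: int    # expected negotiated link speed

# Known-good baseline per access port, captured during a quiet period (constructed values).
BASELINE = {
    "Gi1/0/1": PortProfile("00:1b:63", 3.0, 6.0, 100),   # desk phone: PoE powered, 100 Mb/s
    "Gi1/0/2": PortProfile("b8:27:eb", 0.0, 0.0, 1000),  # kiosk single-board computer, no PoE
}

def assess_port(port: str, mac: str, poe_w: float, link_mbps: int) -> list[str]:
    """Return findings for one port; an empty list means it matches its baseline."""
    profile = BASELINE.get(port)
    if profile is None:
        return [f"{port}: no baseline, treat as unknown device"]
    findings = []
    if mac.lower()[:8] != profile.oui:
        findings.append(f"{port}: vendor OUI {mac[:8]} differs from baseline {profile.oui}")
    # A spoofed MAC passes the OUI check, but power draw and link speed are harder to fake.
    if not profile.poe_min_w <= poe_w <= profile.poe_max_w:
        findings.append(f"{port}: PoE draw {poe_w} W outside {profile.poe_min_w}-{profile.poe_max_w} W")
    if link_mbps != profile.link_mbps:
        findings.append(f"{port}: link {link_mbps} Mb/s, baseline {profile.link_mbps} Mb/s")
    return findings

def scan(records: list[dict]) -> dict[str, list[str]]:
    """Run assess_port over an inventory pull; keep only ports with findings."""
    return {r["port"]: f for r in records
            if (f := assess_port(r["port"], r["mac"], r["poe_w"], r["link_mbps"]))}

# Constructed inventory as a switch would report it (e.g. via SNMP or a CLI show command).
SAMPLE = [
    # Rogue device cloned the phone's OUI but draws almost no PoE and links at gigabit
    {"port": "Gi1/0/1", "mac": "00:1B:63:DE:AD:01", "poe_w": 0.9, "link_mbps": 1000},
    {"port": "Gi1/0/2", "mac": "B8:27:EB:11:22:33", "poe_w": 0.0, "link_mbps": 1000},
    {"port": "Gi1/0/7", "mac": "02:00:00:00:00:07", "poe_w": 2.5, "link_mbps": 1000},
]

if __name__ == "__main__":
    for port, findings in scan(SAMPLE).items():
        print(port, findings)
```

In practice the baseline would be learned from the switch's own port counters and PoE telemetry over time rather than hard-coded, and any port with findings would be quarantined pending physical inspection.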
Supply chain exposure is more complex than managing where you order from: it’s a two-fold problem involving both software and hardware. It’s understood that many applications bundle libraries and controls from third parties that are further outside of your purview. Attackers exploit weaknesses and defects from an array of targets, including unsecured source code, outdated network protocols (downgrade attacks), unsecured third-party servers, and update mechanisms.
Safeguarding software is under your control: deploying least privilege principles, endpoint protection, and due diligence to audit and assess third-party partners are essential and reasonable precautions.
Hardware is another story altogether. It’s less obvious when a fully functioning Raspberry Pi has been modified or telecommunications equipment has been compromised by a state actor, as it looks and plays the part without any irregularities. Even off-the-shelf hardware from big box stores can be replaced by rogue devices when cybercriminals target a particular locale. Some devices wait for a trigger to activate.
Due diligence alone won’t prevent a well-conceived hardware-based attack. Monitoring L1 and applying policies and controls to all known and unknown USB devices is the only current solution for plugging the hole in the fence and obtaining full visibility into your environment. There are persistent threats to the supply chain that are now “known unknowns” at L1 for your organization.
Defending against L1 attacks is possible, but many organizations have 20/20 vision about how an attack transpired only after they’re breached. The risk of hardware attacks is growing exponentially: What affects governments and big businesses eventually trickles down to companies of all sizes, so it’s better if you think about countering it sooner rather than later.