Cybersecurity Down to the Bare Metal: Manufacturer Places Malware in the Hardware
As described by the New York Times, hackers are in a “race to the bare metal” – to infect computing hardware itself – and two recent developments represent shocking advances in that field: the discovery of the Superfish adware program shipped by Lenovo as default software on its computers and the announcement by security research firm Kaspersky Labs that a sophisticated hacking group it dubbed “Equation Group” has devised a way to hack the firmware of a dozen leading hard-drive manufacturers, called Grayfish.
Superfish is a piece of advertising software that displays browser ads, similar to many other types of adware. However, Superfish differs from normal adware in that it sends encrypted HTTPS browsing data to a non-secure third-party advertising site without notifying the user. As a result, Superfish allows malicious third parties relatively easy access to what should be encrypted traffic data.
Grayfish is loaded onto a special bit of memory – the system registry – that consists of a program that allows a hacker to have root level access – total control – of the computer on which it is installed. Because this program lives in the registry, erasing the hard drive will not delete the program. More alarmingly, on a computer that is hacked by Grayfish, the operating system itself is merely an application run by Grayfish – there is no meaningfully greater level of compromise achievable. (See page 10 of http://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf).
Rigorous software security audits alone almost certainly would miss the presence of either of the above malware on any given computer. As a result, it is of consummate importance that any worthwhile cybersecurity policy includes not only regular software audits, but regular reviews of hardware threats, protocols for vendor review during any major IT purchases, as well as insurance policies to guard against increasingly hard-to-detect cyber-threats. It may not be possible to ward off every threat, but a rigorous cybersecurity policy provides a defensible position in the event of a regulatory investigation or litigation, and can mitigate liability and potentially protect against losses.
If you have questions regarding cybersecurity assessments and protocols for hardware as well as software, please contact Kenneth N. Rashbaum or Liberty T. McAteer.