11 Ways to Prevent Hardware & Firmware Hacks
by Michael Bowling, on Oct 16, 2018 11:26:02 AM
Photo: Recent reports of supply chain attacks and hardware hacks have the public and private sectors worried about how to protect their computers' hardware and firmware.
Hardware and firmware hacks are becoming increasingly prevalent in the high-performance computing industry and have the potential to wreak havoc on the reputation, finances, and even survival of your business, organization, or agency.
These sophisticated, powerful attacks, usually perpetrated in person or via a covert supply chain attack, can destabilize critical infrastructure, jeopardize national security, and endanger innocent lives.
We believe it's important to be wary of such attacks and take proactive measures to avoid or mitigate their devastating effects.
Here are 11 ways you can help protect your high-performance computer from hardware hacks and firmware hacks:
1. Buy from a cybersecurity-savvy, USA-based, high-performance computer manufacturer.
After recent news of offshored computer hardware getting hacked, it is critical to review your computer supplier and their cybersecurity processes with a fine-tooth comb. Are they simply repackaging a questionable offshore motherboard with suspicious hardware? Do they have a tight grip on their supply chain and manufacture their products in the United States? What's their cybersecurity story? The industry is poised to move toward cybersecure, made-in-USA computing solutions, so this one's becoming more and more essential.
2. Isolate your network.
Most sensitive HPC customers, especially those in the military, ensure that their application has no access to the outside internet. As an example of this threat, note that some Intelligent Platform Management Interface (IPMI) software can actually make remote calls home, which allows the hacker to then backdoor through the Baseboard Management Controller (BMC) hardware, almost like a remote keyboard, video, mouse (KVM).
3. Disable the Baseboard Management Controller (BMC).
The Baseboard Management Controller (BMC) is a great tool you can use to access the motherboard remotely and have absolute control over the entire computer. In fact, you can actually remotely shut down the computer, access the Basic Input Output System (BIOS), access the hard drives, and perform other actions. Unless you have a need for this type of control, we strongly suggest you require that your computer supplier disable this device.
4. Disable the Intelligent Platform Management Interface (IPMI) in the BMC.
You want to be careful here, and this can be difficult to achieve. If you leave the BMC in place and only disable the IPMI layer, that's more practical, but you still want fan control, monitoring, logging, and other processes to occur. More significant than this, as previously mentioned, is disabling the BMC entirely, but this is becoming more challenging as architectures begin to rely on the BMC to function.
5. Take advantage of Intel's Platform Firmware Resilience (PFR).
Intel's Platform Firmware Resilience (PFR) technology protects against unauthorized firmware updates and tampering associated with boot and runtime attacks, and even provides real-time monitoring of interfaces between components. If malware is detected, Intel PFR recovers to a gold image, or a known good firmware state. PFR is truly the future of identifying, isolating, and mitigating malicious activity at the firmware layer.
6. Disable Universal Serial Bus (USB) ports from the BIOS.
Some manufacturers disable Universal Serial Bus (USB) ports as boot sources to protect end customers from a port attack. Disabling the ports at boot time keeps computers from running infected operating systems and malicious executables written to infected flash drives, which may be inserted by hackers looking to access sensitive data. The ports usually become operational again once booting concludes.
7. Protect your firmware with secureFlash & secureBoot.
According to Wired, 80 percent of personal computers (PCs) have firmware vulnerabilities. You can protect against firmware attacks technologies with secureFlash, which protects against unsigned BIOS updates and BMC images, and secureBoot, which protects against unsigned bootloaders, OSes, and other firmware.
8. Buy from a manufacturer with rigorous supply chain and counterfeit protection programs.
Buying from a computer manufacturer with a strict revision control process, rigorous supplier quality surveys, an established Counterfeit Protection Program (CPP) for counterfeit electronic parts, and other supply chain management programs offers you a slew of protection on the hardware and firmware front. The best part about this one is that you barely need to lift a finger: just ask the manufacturer for evidence of these programs and processes.
9. Use Star Lab's Titanium Linux Security Suite.
Star Lab’s Titanium Linux Security Suite offers Linux system-hardening and security capabilities for operationally-deployed Linux systems. It's designed using a threat model that assumes attackers already have unauthorized access to your server or workstation and prevents any malicious modifications of the system BIOS and firmware from taking place.
10. Buy from a manufacturer that will customize the BIOS for you.
A custom BIOS can lock down certain firmware parameters and controls to increase security and prevent unauthorized access. If your manufacturer can't offer additional BIOS security enhancements because they don't have customization capabilities or control over the BIOS, it might be time to look for a manufacturer who can offer these additional tweaks to secure your system.
11. Need all these benefits? Choose Trenton Systems.
At Trenton Systems, we:
- Design, manufacture, assemble, integrate, test, and support our products in the USA and comply with the Trade Agreements Act (TAA)
- Have a Counterfeit Protection Program (CPP)
- Vet our vendors with rigorous, evidence-based supplier quality surveys
- Offer Star Lab's Titanium Linux Security Suite
- Will include Intel's Platform Firmware Resilience (PFR) in our upcoming solutions
- Can assist with BMC and IPMI modifications
- Can assist with secureFlash and secureBoot
- Offer secure FIPS self-encrypting drives, drive management software, encrypted OSes, and secure hypervisors
- Adhere to CSfC, ITAR, and ISO9001
- Are dedicated to achieving CMMC certification
So, yes, if you were wondering whether we could help with or satisfy the requirements of the 10 tips we listed in this blog post, of course we can, because these very tips came straight from the engineers who design our cybersecure, made-in-USA servers and workstations.
We assure you that the tasks listed in this blog post are very easy for a trusted high-performance manufacturer, like Trenton Systems, to do, assuming that they control the board design and manufacturing processes.
If your manufacturer is giving you trouble with any of these, let us know, and we'll take care of you.
If you'd like to read more on the topic of hardware hacking, check out our blog Hacked Hardware, Spy Chips: How to Help Secure Your Servers.
Do you have specific questions about our cybersecure, made-in-USA, high-performance computers? We are a trusted supplier in this arena and are here to help.
Give us a call, chat with us online, or send us an e-mail. One of our engineers will be more than happy to assist.