Hardware Security Concerns Move to the Edge
May 13, 2021 — Bill Conrades, Director of Sales Engineering
Until 2018, cybersecurity was primarily a software issue. Even hardware-related security concerns were limited to the application level. (Exhibit A: hyperconverged systems.) Then came the discovery of the aptly named Meltdown and Spectre hardware design defects, followed by mid-year reports by Bloomberg Businessweek that servers distributed in the U.S. had been sabotaged with Chinese spy chips. Despite the debunking of the hardware sabotage story, hackers’ ability to exploit chip-level flaws suddenly moved to center stage.
No hardware device platform was exempt. IoT and other edge devices, virtual machines, hyperconverged systems, and even personal computers and smartphones using Intel, AMD and ARM processors proved equally vulnerable to firmware anomalies enabling attackers to access “secure” data stored in program memory. Moreover, with the rise of edge computing, the threat was not limited to a particular device but instead to all devices on a connected network.
To make matters worse, patches designed to fix these vulnerabilities reduced system performance because of the additional overhead required to harden security. Initially, for example, Red Hat reported that patched systems suffered performance degradation ranging from 1-20%. Some even suggested that cloud service providers would have to compensate customers for the slower post-mitigation performance of their virtualized infrastructure.
Given these developments, cybersecurity in 2019 will no longer focus selectively on the software layer and is certain to bring an increased emphasis on various aspects of foundational hardware security, from the data center to the edge. That is likely to include:
More signed firmware. Tier 1 suppliers like HPE and Dell began protecting their newer-generation systems with signed firmware several years ago. Board manufacturers followed suit. Both board and white box suppliers can now be expected to adopt cryptographic signing more widely, so that a system can verify that the firmware present on it has not been compromised.
Backflash prevention. With rising recognition that firmware can be used as an attack vector, the days of backward firmware compatibility are numbered. Motherboard manufacturers have begun to implement backflash prevention technology to block rollbacks to older BIOS and firmware versions lacking the latest security enhancements. The same strategy will be used by other component suppliers to reduce risk throughout the hardware ecosystem.
More frequent BIOS and BMC firmware updates. New concerns over hardware security will also prompt component manufacturers to shorten the interval between new BIOS updates and firmware releases on the baseboard management controller (BMC) in order to deploy vulnerability fixes. Staying current with patches will be essential to avoiding production interruptions.
Increased supply chain oversight. Technology companies and their customers will increasingly demand proof of supply chain security at every step of the manufacturing process, from the raw component level to fully assembled and delivered systems. This is already happening at MBX Systems, where ISVs and OEMs using MBX’s custom hardware manufacturing services began inquiring about sources of component supply as soon as the now-discredited Chinese “chip spygate” story came to light.
New security assurance programs. Faced with escalating customer anxiety over hardware security, system manufacturers and integrators will begin to offer hardware security services such as hardware threat assessment, vulnerability risk management, and active firmware monitoring services to find gaps in firmware security and ensure that only secured firmware reaches the end user.
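The signed-firmware and backflash-prevention items above depend on each other: a signature check alone still accepts an old image, because the old image was validly signed too. The following is an added example, not code from MBX or any vendor; the image layout, function names and key are constructed for illustration, and HMAC-SHA256 stands in for the asymmetric signature that production firmware signing uses.

```python
import hashlib
import hmac
import struct

# Constructed image layout (an assumption, not a vendor format):
# magic "FWIM" | security version (u32) | payload length (u32) | payload | 32-byte tag
HEADER = struct.Struct(">4sII")
TAG_LEN = 32
DEMO_KEY = b"constructed-demo-key"  # stand-in for the vendor's verification key


def build_image(svn, payload, key=DEMO_KEY):
    """Vendor side: pack header and payload, then append the authentication tag."""
    body = HEADER.pack(b"FWIM", svn, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_update(image, min_svn, key=DEMO_KEY):
    """Device side: return (accepted, reason, new_min_svn) for a candidate image."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated", min_svn
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    # Authenticate before trusting any header field.
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return False, "bad signature", min_svn
    magic, svn, length = HEADER.unpack_from(body)
    if magic != b"FWIM" or length != len(body) - HEADER.size:
        return False, "malformed", min_svn
    # Backflash prevention: a correctly signed but older image is still refused.
    if svn < min_svn:
        return False, "rollback", min_svn
    # On success the floor is raised; on real hardware it lives in monotonic storage.
    return True, "ok", max(min_svn, svn)


def demo():
    """Run constructed images through the check against a device floor of 3."""
    old, new = build_image(2, b"old build"), build_image(4, b"new build")
    tampered = new[:12] + b"X" + new[13:]
    return [check_update(img, 3)[:2] for img in (old, new, tampered, new[:10])]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The old image in `demo()` carries a valid tag and is rejected only by the version floor, which is the case backflash prevention exists to cover.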
Steps like these will help plug potentially critical holes in the hardware ecosystem and restore confidence in hardware integrity that was shattered by the events of 2018. There were no reports of security breaches caused by Meltdown, Spectre or the non-existent Chinese spy chip threat, but all three developments raised awareness of the risks associated with firmware faults and, hopefully, will inspire the industry to take precautions to keep hardware intruders at bay.