'Overlooked' hardware security needs closer scrutiny

Organizations tend to trust manufacturers to ensure the hardware in their IT infrastructure stays safe, but more impetus is needed to develop tools to safeguard device integrity, watchers urge.

Hardware components, particularly chipsets, embedded within organizations' critical IT infrastructure are often deemed less important compared to software and network security concerns. This is because the hardware vendors are generally assumed to be trustworthy and the scope for breaches is smaller, but industry watchers called on these organizations to pay attention to all aspects of their IT environments.

Dan Olds, owner of The Gabriel Consulting Group, pointed out that chip security, and hardware security in general, is "universally overlooked" because most companies trust hardware more than software. They tend to assume manufacturers produce semiconductors and other hardware components in a trustworthy manner, he observed.

Wu Hongjun, assistant professor of cryptography, cryptanalysis and computer security at Nanyang Technological University's School of Physical and Mathematical Sciences, added that there are more software flaws than hardware ones, which explains the differing emphases. He noted that the number of computer processing units (CPUs) in notebooks and desktops is limited, but there are hundreds of thousands of software programs running on these computers.

Furthermore, hardware security for key IT infrastructure is more of a concern for larger organizations and government agencies, since these are the entities that need to protect their high-value information and systems, Wu said. They generally also have the budget to purchase their hardware from "trusted" companies to avoid backdoors through which malware could be installed in their equipment, he added.

Both Olds and Wu were responding to a research paper released by Cambridge University in May, which found an unknown backdoor residing within a silicon chip. The vulnerability means anyone with the key could disable the chip, reprogram it and potentially turn it into an advanced cyberweapon to attack other systems, it noted.

"The scale and range of possible attacks has huge implications for national security and public infrastructure," the paper stated.

The researchers also suggested giving greater priority to hardware assurance and hardware defense through real-time scanning of silicon chips for backdoors and Trojans.

Wu said that while there is room for more scanners to be embedded to detect such threats in the hardware stack, it would be impossible to do so if the hardware is designed in a complicated manner or sold as a black box that does not give customers insight into its inner workings.

He also said costs may be prohibitively high to ensure manufactured hardware is free of any backdoors, and human error may sometimes lead to unintentional flaws being included in the final product.

Olds, however, put the onus on security vendors to produce tools to rigorously test hardware, and make these widely available. Alternatively, organizations and vendors can partner to create an independent testing organization to check hardware components for any inherent vulnerability, he said.

"We must not wait until high-profile exploits motivate the industry to focus enough attention on hardware and chips security, just like many other security breaches have," Olds stated.

Chipmaker Intel did not respond to ZDNet Asia's questions for this article.