HP: Businesses Fear Physical Supply Chains Pose Cyber Risk

Share
The possibility of tampering or the insertion of malicious hardware or firmware during this manufacturing process is a growing concern for businesses
HP Wolf Security revealed 91% of respondents believe nation-state actors will increasingly target physical supply chains to insert malware

A new entry point for malware has opened up, according to HP Wolf Security, who revealed businesses are increasingly fearing that physical supply chains are becoming compromised.

The survey, which included 800 IT and security decision-makers, showed that over a third of organisations believe that they or others they know have been impacted by nation-state actors attempting to insert malicious hardware or firmware into devices. 

Unlike malware planted on a computer via an infected file received over the internet, this represents a gap in physical security that can lead to unprecedented cybersecurity breaches down the line. 

Security gaps in supply chains

The physical supply chain of computing equipment is a complex web, often involving multiple locations for manufacturing and assembly. 

Devices such as PCs, laptops, and printers are frequently built in different regions, with components sourced globally. 

Once assembled, these devices are transported across various checkpoints before reaching their final destination. This intricate journey from point A to B, and sometimes even to C, dilutes control over the devices, making it challenging to ensure their security. 

The possibility of tampering or the insertion of malicious hardware or firmware during this manufacturing process is a growing concern for businesses.

Youtube Placeholder

The fact that nation-state actors may be involved also indicates the severity of the issue. Rogue actors may pose an issue, but the issue is more likely to be isolated - sometimes to a single factory of a single supplier. 

But if the planting of malware into devices are part of a nation-sanctioned operation, then potentially there can be many bad actors spilt out across factories and across suppliers. 

This is exemplified when considering the mass impact individual countries have on the manufacturing of electronics. China, for instance, exported around 44.01 million Laptops in the first quarter of 2024. 

“System security relies on strong supply chain security, starting with the assurance that devices are built with the intended components and haven’t been tampered with during transit” says Alex Holland, Principal Threat Researcher at HP Security Lab.

Difficulties in dealing with at-source issues

Having malware implemented at source is not just an issue because purchasers do not expect, and thus do not check, that their brand-new product already has a virus on it. 

But because the malware has been installed at such a base level, they are very difficult to detect. 

51% of the IT decision-makers surveyed said they were concerned about their inability to verify if hardware and firmware have been tampered with during transit. 

Detection difficulties, but also damage impact are amplified from this issue. Compromising the hardware or firmware layer of a device grants attackers unprecedented access and control. 

These attacks occur below the operating system level, where most security tools are ineffective, making them difficult to remediate. 

This level of infiltration can lead to catastrophic breaches, especially if critical devices such as those used by top executives are compromised.

“If an attacker compromises a device at the firmware or hardware layer, they’ll gain unparalleled visibility and control over everything that happens on that machine,” Alex explains.

It is for reasons like this is why 91% of respondents believe nation-state actors will increasingly target physical supply chains to insert malware. 

Mitigating supply chain risks

Despite the complexity of the issue, there are ways to combat it. 

“In today’s threat landscape, managing security across a distributed hybrid workplace environment must start with the assurance that devices haven’t been tampered with at the lower level,” explains Boris Balacheff, Chief Technologist for Security Research and Innovation at HP.

HP Wolf Security recommends several proactive steps:

Mitigating embedded malware risks
  • Adopt Platform Certificate technology, designed to enable verification of hardware and firmware integrity upon device delivery
  • Securely manage firmware configuration of your devices. These enable administrators to manage firmware remotely using public-key cryptography, eliminating the use of less secure password-based methods
  • Take advantage of vendor factory services to enable hardware and firmware security configurations right from the factory
  • Monitor ongoing compliance of device hardware and firmware configuration across your fleet of devices

Although the complexity and global nature of these supply chains make them susceptible to tampering and malicious attacks, this study highlights the growing need for companies to take it into account and move forward with it as part of their overall security posture.

******

Make sure you check out the latest edition of Cyber Magazine and also sign up to our global conference series - Tech & AI LIVE 2024

******

Cyber Magazine is a BizClik brand

Share

Featured Articles

Resilience: Firms Fail to Grasp Cyber Financial Impact

Resilience and YouGov survey reveals 74% of mid to large UK businesses face cybercrime, while ransomware understanding lags behind data breach concerns

SonicWall and CrowdStrike Unite for SMB Security Service

SonicWall partners with endpoint protection specialist CrowdStrike to offer managed detection and response capabilities through managed service providers

FS-ISAC CISO Talks Cyber Strategies for Financial Providers

FS-ISAC CISO JD Denning explains the cyber strategies financial providers need to adopt in order to stay afloat in the wave of cyber attacks

Darktrace Reports 692% Surge in Black Friday Cyber Scams

Cyber Security

KnowBe4 Launches AI Agents to Counter Phishing Threats

Technology & AI

Gen Reports 614% Rise in Command Prompt Manipulation Scams

Cyber Security