An organization’s ability to protect its most sensitive data boils down to ensuring that it has all its bases covered. That’s hard to do when there could be cracks in the foundation.
The cybersecurity industry has traditionally focused on identifying and patching software vulnerabilities, but it is easy to forget that software runs on semiconductor chips – and if this “hardware” in a product or system is compromised, the consequences could be equally bad or worse.
Hardware vulnerabilities are almost always serious in nature, and you can’t simply patch hardware. The further into product development you get, the costlier – and riskier – security issues become.
So, why is hardware security often overlooked, and what makes this a recipe for disaster? Why is transparency during the entire chip development cycle more vital than ever, and how will the implementation of a hardware bill of materials (HBOM) not only contribute to that peace of mind but enable you to better secure and maintain electronic products? Let’s discuss.
A deeper understanding of how vulnerable chips are
For years, it was commonly assumed that semiconductor chips could only be compromised through physical manipulation but that belief has been debunked.
In 2017, security researchers discovered the Spectre and Meltdown vulnerabilities – fundamental security flaws that existed in almost every computer chip manufactured in the past two decades. If exploited, hackers could gain access to data on microprocessors that was considered fully secure.
Spectre and Meltdown brought greater attention to security weaknesses at the hardware level, but they also revealed that hardware design flaws can, in fact, be taken advantage of remotely.
At the Graz University of Technology in Austria, a team of researchers developed a Spectre-based attack called NetSpectre. Unlike Spectre, which needs attacker-controlled code to run on the targeted device, NetSpectre can be performed remotely. The research suggests this vulnerability “marks a paradigm shift from local attacks, to remote attacks, exposing a much wider range and larger number of devices to Spectre attacks.”
In the manufacturing world, a bill of materials (BOMs) is a relatively common term. It is a complete inventory of all the raw materials, parts, and components – and their quantities – needed to create a product. Recently, the desire to complement this information with software security details has picked up steam in the form of a software bill of materials (SBOM) – and for good reason.
According to Synopsys’ 2022 Open Source Security and Risk Analysis (OSSRA) report, the average software application relies on 500 open source libraries and components. The report found that 98% of applications use open source, while over 75% of the code in the average software application consists of open-source components. Oftentimes, users are completely unaware of this. That’s where SBOMs factor in.
An SBOM lists all the components in a software application, identifies what version they are, and points out if any parts contain security weaknesses that could expose the entire application to attacks from bad actors.
To create more transparency in the software supply chain, President Biden issued an executive order last year making SBOMs mandatory for software vendors contracting with the federal government. That way, government agencies will not only know the “ingredients” in the software they utilize, but they can quickly respond to new security weaknesses as they arise.
The recently introduced bipartisan bill to strengthen cybersecurity for medical devices also explicitly lists the SBOM as a key requirement for providing transparency into the security posture of all software components of a medical device. Unfortunately, the same “rules” don’t apply to hardware. This is unsettling, as hardware security should be subjected to the same level of scrutiny as software, if not more.
What a hardware bill of materials should feature
These days, chips are everywhere. They’re in the IoT devices littered throughout your house. They’re in phones, computers, cars, medical devices, and more. The U.S. is also becoming more invested in chip manufacturing – as evidenced by the recently passed CHIPS act that includes $52 billion for strengthening the nation’s computer chip industry.
Unlike software, however, hardware can’t be patched and the further you get into chip development, the harder it is to shore up any issues. Once a vulnerability is discovered, it’s oftentimes too late, and organizations are left scrambling to determine the root cause of the problem.
It’s time to get proactive using HBOMs – a detailed list of the hardware components’ security, including security validation – to track and document hardware security vulnerabilities. HBOMs should include:
Documentation of the security intention at the product planning stage based on security feature and verification requirements
The threat model that was considered during the design, as well as possible attack vectors and abilities of would-be attackers
Embedded security design components and protection systems to neutralize attacks
IP blocks developed in-house and by third parties, including their security posture
The security verification methods that were employed and a complete documentation of the outcomes
Security certifications that were used, including their documentation
If you don’t understand the security posture of semiconductor chips and what products currently use them, you’re operating without all the information and potentially opening your organization up to security concerns.
HBOMs are crucial for ensuring the security of all electronic devices. They create transparency, from the chip development lifecycle all the way through the circulation of the electronic device itself. HBOMs tell you what’s in the product – and how secure it is – so you can make an informed decision before purchasing it.
Real product security requires a holistic approach
The only way to sufficiently secure an electronic product is to make sure all components within it are accounted for. Over the past few years, we’ve made significant strides to be transparent about software. The same can’t be said about hardware.
As hackers continue to explore new hardware vulnerabilities and ways to exploit them, we must require the same standards of hardware as we do of software. That starts with enforcing the use of the HBOMs alongside SBOMs to create a holistic view of cybersecurity.
In doing so, you can ensure you have complete transparency during the development and lifecycle of electronic products, giving you the insight to respond quickly and effectively to any incident.