Hardware security – a lost case?

What if a security threat does not come from software, but from the device itself?

Author: Eija Paajanen
Date: 15.06.2015
Read Time: 3 Minutes

We all are used to hearing about security breaches and attacks against software, such as Adobe Flash or Microsoft and Android. But what if the security threat does not come from software, but from the device itself? Preinstalled and running the moment you switch it on…

The idea is not totally new. In 2006, McDonald’s promotion campaign turned into a PR nightmare instead of boosting sales. The marketing campaign, clever as it was, gave Coca Cola buyers a cup with a code that allowed them to win a free MP3 player with 10 downloaded songs. There was just one downside – the music players contained QQPass malware. The moment winners plugged their players into a computer, this Trojan horse slipped undetected into their system and began logging keystrokes, collecting passwords, and gathering personal data for later transmission.
For the security industry, this was one of the first cases that provided a view into a terrifying future.
Coming back to the present, we have recently heard of two cases where hardware itself is the security problem.

Lenovo laptops, a top-selling brand in 2014, came preinstalled with adware, called Superfish. But rather than just update your search results, as it is supposed to do, it opens up your communication to a man-in-the-middle attack, exposing all your confidential communication to the attacker. Timo Hirvonen from our labs says: “This threat allows the hacker to spy on users’ Internet traffic and infiltrate their computer, and poses a serious risk to consumers”. No connection on Lenovo laptops is secure – none at all! Not even the ones that look legitimate.

So why did Lenovo preinstall such adware on its computers?

The idea is to serve targeted ads to Lenovo users; to follow the user’s web browsing habits and serve ads that would likely interest them based on browsed images. Lenovo’s main reason for pre-loading Superfish is to make some extra cash. However, rather than making extra cash, which they did for a while, they may have ended up damaging their reputation for good. And the first law suit against them has already been filed.
The other recent case is Gemalto, the world’s largest manufacturer of SIM cards. American and British spies stole the encryption keys that are used to protect the privacy of cellphone communications across the globe. With these stolen keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecommunications companies and foreign governments. The best way to avoid this surveillance is to add an encryption layer of your own (e.g. F-Secure Freedome) to any device that you use to communicate.
Any connected device could, at the end of the day, be used as a cyber-weapon. General Michael Hayden, a retired Air Force four-star general who headed both the CIA and NSA, comments on hardware hacking: “It’s the problem from hell.”

So why should you and your company care?

If nothing else, the examples above should be a warning to any company to make sure, and to double-check, that their PR and other actions do not turn against them. Consumers are more aware about security and privacy than ever, and much more willing to judge companies that violate that privacy.

And as a basic rule, don’t fall into the trap of purchasing inexpensive consumer laptops or other hardware. They are inexpensive for a reason – software and advertising partners pay the hardware producer to preinstall their solutions. Jarno Niemelä from F-Secure labs advises:

“To stay secure, and to protect your customers’ privacy, install all software yourself, or let only a trusted IT partner handle the installation. Do not use any preinstalled software.”

Post Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s