Cyber Security, Hardware vulnerability, and Raptors

Most people who have worked in IT for any significant length of time are at least familiar with some basic cyber security principles. Likewise, the average consumer is aware on a basic level that a threat exists and that incorporating some level of protection is a prudent countermeasure.


When my Dad brought home our first family computer, an Apple IIe, in 1985, the idea of a bad actor exploiting it to steal personal or financial information was probably not a consideration. As the years passed and technology leapt and bounded into the future, we entered a perpetual feedback loop of sophisticated cyber-attacks which prompt more resilient security, which in turn motivates more sophisticated attacks and even more resilient security, and so on and so forth ad infinitum.


It is digital guerrilla warfare on a global scale, and the good guys are always on the defense. While we have the advantage of high walls, guard towers, ground radar, and infrared detection systems, the adversary will always be the one to choose the battleground. When the traditional field of firewalls, operating systems, browsers, and applications no longer favors them, a wily enemy will look elsewhere.



Hardware as an attack vector is hardly a new concept, but historically it has not been the low-hanging fruit, especially when physical access is required. The cybersecurity arms race has changed the landscape somewhat. It doesn’t really matter how high your wall is if somebody can just walk around it, and a method that may have been too slow, expensive, or risky before might deserve another look. A full third of the nine initial access methods in the MITRE matrix (https://attack.mitre.org) rely on physical access: Hardware Additions, Replication Through Removable Media, and Supply Chain Compromise.


Hardware additions:


This initial access method relies on the adversary getting some one-on-one time with the system in question. It may seem overly complicated, but devices exist and are readily available that can be plugged directly into motherboard slots and headers or soldered directly to leads on various components. These can have various functions, ranging from installing malware to flashing the BIOS with malicious code to stripping bits from a bus and transmitting them via built-in WiFi. Most data centers and colo facilities will probably have adequate physical security to prevent this type of attack, but not all, and there is always the insider threat.


PowerEdge primarily mitigates this threat through locking bezels and chassis intrusion detection systems that are inaccessible from the outside. PowerEdge chassis hardware intrusion detection and logging continues working even when no AC power is available. Sensors on the chassis detect when anyone opens or tampers with the chassis, even during transit. Servers that have been opened while in transit generate an entry in the iDRAC Lifecycle log after power is supplied. Those logs can generate alerts via iDRAC so that appropriate action can be taken.




Replication through removable media:


This has become a favored method due to its ease and speed, the ubiquity of USB ports, and the incredible portability of USB devices. The USB flash drive has been one of the most common methods of storing and transferring files for many years at this point, but it is capable of so much more than its grandfather the floppy disk. There is such a huge variety of different USB devices that are interpreted in so many ways by the host that the possibilities for intrusion are limitless. A Rubber Ducky is a perfect example. It is readily available, very cheap, versatile, extremely effective, and most importantly difficult to trace because it emulates an ordinary USB keyboard. (https://hak5.org/products/usb-rubber-ducky-deluxe)


Any savvy administrator will know better than to stick an unfamiliar USB device into a server, but it is very easy nowadays to hide an FPGA designed to install malware or traverse your mounted volumes and strip out data in an otherwise innocuous-looking USB drive. The simple solution is to disable USB ports through the BIOS, but now that DVD drives are no longer common, the only removable media option remaining is USB. Also, shutting down USB ports in the BIOS is typically an all-or-nothing proposition and would require a reboot to complete. Dell PowerEdge allows administrators to dynamically disable the front- and rear-facing USB ports through the iDRAC without a system reboot, so that they may leverage the convenience of USB if required and eliminate any threat from a bad actor with a Rubber Ducky.


Supply Chain Compromise:

There are few things in the modern world that are made 100% from scratch by one company, all in the same place, from raw materials. Everyday goods such as automobiles, consumer electronics, and especially PCs and servers contain components sourced from many dozens of international suppliers in an incredibly complex global supply chain. If an attacker could completely compromise a system with only 4 minutes of uninterrupted access (https://www.youtube.com/watch?v=loBX_vEXxVA&t=223s), imagine what one could do with months or years to design counterfeit components that they later inject into the supply chain at any of its dozens of links. Illustrated below is a very simplified diagram of the supply chain. In reality there would be many more separate sub- and sub-subcontractors, any of which could inadvertently (or intentionally) insert a batch of compromised components that could indiscriminately affect hundreds or even thousands of downstream products.


The most notable example of this was in 2015 when nearly 30 U.S. companies including Amazon and Apple were compromised by a tiny chip (about the size of a grain of rice) covertly inserted into Supermicro motherboards in China. (https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies)


Dell PowerEdge servers undergo many rigorous controls throughout the supply chain, from design and development to delivery. Dell has mapped the most prevalent and consequential supply chain attack vectors, such as counterfeit components, malware, and firmware tampering, and has invested many millions of dollars in recent years to harden processes and practices. The approved vendor list is rigorously vetted and audited by a 3rd party to ensure component integrity, but it doesn’t stop there. Dell is the only server vendor with a cross-portfolio solution for cryptographically verified hardware integrity with Dell Technologies Secured Component Verification. This process uses asymmetric keys to guarantee that no components have been tampered with prior to delivery to the customer.
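The general idea of signed component verification, as an added example (not Dell's implementation and not code from the original post): the factory signs an inventory of installed parts, and on delivery the signature is checked before the inventory is compared with what is actually in the chassis. The manifest layout, slot names, serial numbers and function names are hypothetical, and a Lamport one-time signature built from SHA-256 stands in for the certificate-based signing a real product would use, so the block needs only the standard library.

```python
import hashlib, json, secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit; a key must sign only one message.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def canonical(inventory: dict) -> bytes:
    # Stable byte encoding so the same inventory always hashes the same way.
    return json.dumps(inventory, sort_keys=True, separators=(",", ":")).encode()

def check_delivery(pk, manifest: dict, sig, observed: dict):
    """Return (ok, findings). The manifest is trusted only if its signature verifies."""
    if not verify(pk, canonical(manifest), sig):
        return False, ["manifest signature invalid"]
    findings = []
    for slot in sorted(set(manifest) | set(observed)):
        want, got = manifest.get(slot), observed.get(slot)
        if want != got:  # swapped, missing, or added component
            findings.append(f"{slot}: expected {want}, found {got}")
    return not findings, findings

# Constructed sample data (hypothetical slots and serial numbers).
FACTORY_SK, FACTORY_PK = keygen()
MANIFEST = {"cpu0": "SN-CPU-0001", "dimm_a1": "SN-MEM-0042", "nic0": "SN-NIC-0007"}
SIGNATURE = sign(FACTORY_SK, canonical(MANIFEST))

if __name__ == "__main__":
    swapped = dict(MANIFEST, nic0="SN-NIC-9999", usb_internal="SN-UNK-0001")
    forged = dict(MANIFEST, nic0="SN-NIC-9999")
    print(check_delivery(FACTORY_PK, MANIFEST, SIGNATURE, MANIFEST))
    print(check_delivery(FACTORY_PK, MANIFEST, SIGNATURE, swapped))
    print(check_delivery(FACTORY_PK, forged, SIGNATURE, forged))
```

The third call shows why the signature matters: an inventory rewritten to match tampered hardware passes a plain comparison but fails verification against the factory's public key.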


Conclusion:

The “Big Hack” of 2015 is a very important lesson on the trap of getting too focused on the raptor in front of you to notice the clever girl attacking from the side. Cyber security has been at the forefront of every prudent IT organization’s focus for many years, but it is all too easy to blindly trust the hardware that it is all built on.

