33 hardware and firmware vulnerabilities: A guide to the threats

Meltdown and Spectre raised the alarm over vulnerabilities that attackers can exploit in popular hardware and its firmware. Here's a roundup of the ones that present the most significant threats.


A Rowhammer attack that can be exploited over a network by leveraging the remote direct memory access (RDMA) feature present in fast network cards like those used in servers.

RAMBleed

RAMBleed is the first attack to show that the Rowhammer effect can be used to steal data from memory cells instead of simply modifying that data. Previous Rowhammer attacks compromised memory integrity through bit flips, which could lead to privilege escalation and other conditions. RAMBleed instead uses row hammering together with a side channel to infer information about, and ultimately extract data from, adjacent memory cells. In that respect its effects are similar to those of Meltdown and Spectre.

Wide-impact firmware vulnerabilities 

BlueBorne 

A set of vulnerabilities announced in 2017 in the Bluetooth stack implementations of Linux, Android, Windows and macOS. The vulnerabilities were estimated to affect over 5 billion devices. On computers they were easier to fix through OS updates, but Bluetooth-enabled smart watches, TVs, medical devices, car infotainment systems, wearables and other internet-of-things devices required firmware updates. One year later, in 2018, researchers estimated that over 2 billion devices remained exposed.

KRACK

KRACK, or the Key Reinstallation Attack, is an attack revealed in 2016 that exploited a weakness in the WPA2 wireless security standard, which is used to protect most wireless networks in use today. Because the weakness was in the standard itself, WPA2 implementations in all types of devices, including home routers and other IoT devices, were affected. Fixing the vulnerability required firmware updates, so many out-of-support devices remain vulnerable to this day.

BadUSB

An attack demonstrated in 2014 that reprograms the microcontrollers in USB thumb drives so that they spoof other types of devices, such as keyboards, and can then be used to take control of computers or to exfiltrate data. Many USB thumb drives remain affected.

Thunderstrike and Thunderstrike 2  

Two attacks that exploited vulnerabilities in the firmware of Apple's MacBook devices in order to install firmware rootkits when malicious devices were connected to the Thunderbolt ports. Thunderstrike 2 also allowed compromising newly inserted Thunderbolt devices, creating the possibility of a worm.

Thunderclap

Another attack revealed this year that can execute privileged code on computers equipped with Thunderbolt ports.

ROCA

The Return of Coppersmith’s Attack (ROCA) is an attack against the Trusted Platform Modules (TPMs) and Secure Elements (SEs) produced by Infineon Technologies. These TPMs and SEs are used in tens of millions of business computers, servers, hardware authentication tokens and various types of smart cards, including national identity cards. The vulnerability makes the RSA keys generated with these components significantly more vulnerable to factorization, an attack designed to recover keys. Researchers estimated the cost of recovering individual 2048-bit RSA keys generated by such devices to be around $20,000 and for 1024-bit RSA keys around $40.
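
RSA public keys can be screened for the ROCA weakness without any factoring, which is how an inventory of TPM, token and smart-card keys is usually triaged. The following is an added example, not code from this article or from the researchers' own detection tool; it assumes the prime structure published in the ROCA research (p = k*M + 65537^a mod M), and all function names and the sample keys are constructed for illustration.

```python
# Added example (not from the article): ROCA fingerprint triage for RSA moduli.
# Assumption from the published ROCA research: affected primes have the form
# p = k*M + (65537**a mod M), where M is a product of consecutive small primes
# that includes every prime up to 167 for all affected key sizes.
import math

def small_primes(limit):
    return [n for n in range(2, limit + 1)
            if all(n % d for d in range(2, math.isqrt(n) + 1))]

def generated_subgroup(g, r):
    """All powers of g modulo the prime r."""
    return {pow(g, i, r) for i in range(r - 1)}

# Keep only primes where 65537 generates a proper subgroup; for the others
# every nonzero residue is a power of 65537, so they carry no signal.
SUBGROUPS = {r: generated_subgroup(65537, r) for r in small_primes(167)}
FINGERPRINT = {r: g for r, g in SUBGROUPS.items() if len(g) < r - 1}

def has_roca_fingerprint(n):
    """True if n mod r is a power of 65537 for every fingerprint prime r."""
    return all(n % r in group for r, group in FINGERPRINT.items())

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases, used only to build sample primes."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d = n - 1
    s = (d & -d).bit_length() - 1  # number of trailing zero bits in n - 1
    d >>= s
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def constructed_structured_prime(a, k, m=math.prod(small_primes(167))):
    """Constructed sample: first probable prime k*m + (65537**a mod m), k rising."""
    while not is_probable_prime(k * m + pow(65537, a, m)):
        k += 1
    return k * m + pow(65537, a, m)

if __name__ == "__main__":
    n = constructed_structured_prime(5, 1) * constructed_structured_prime(9, 1)
    print(has_roca_fingerprint(n))
```

Keys that match the fingerprint should be treated as generated by an affected component and replaced.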

Intel Management Engine 

The Intel Management Engine (ME) is a dedicated coprocessor and subsystem present in many Intel CPUs and is used for out-of-band management tasks. Intel ME runs its own lightweight operating system which is completely separate from the user-installed operating system, which is why it has often been described as a backdoor in the security community. Over the years there have been serious vulnerabilities found in Intel ME and fixing them requires installing firmware updates from computer manufacturers. This means many older, out-of-support systems are unlikely to receive such updates.

Editor's note: This article, originally published in July 2019, has been updated to include the PLATYPUS vulnerability.

 

Copyright © 2021 IDG Communications, Inc.
