When it comes to cybersecurity, so much regard has been given to the software side of information technology. In a way, this makes sense. After all, it is software that runs the hardware, and without the former, the latter is likely to become an overly expensive paperweight.
However, just like with any other system, cybersecurity is only as strong as its weakest link. With hardware security not being given much attention, it is no surprise that cybercriminals have begun taking advantage of hardware vulnerabilities.
Default manufacturers’ access credentials
Just a few short years ago, mass producers of Internet of Things (IoT) devices, such as security cameras and thermostats, did not require users to change the default username and password for their devices. This meant that each stock keeping unit for a model — if not an entire product line — had the same access credentials with one another.
This led to hackers being able to hijack countless IoT devices and turn these into their own bot army for launching distributed denial-of-service campaigns (DDoS). That is, they’d have countless enslaved devices making requests to a particular server, thereby overwhelming that server and making it incapable of functioning properly. Employees can’t get apps to work, which leads to costly downtime. Online shoppers get frustrated waiting for pages to load, so they abandon carts and shop at other websites instead.
DDoS attacks can be so far-reaching and devastating that states such as California and Oregon have passed laws that require connected device manufacturers to implement “reasonable security measures.” One such measure is to force users to change the default credentials of a device during its initial set-up.
Vulnerable local access
TV shows and movies that portray tech-savvy criminals splicing wires or plugging into systems consoles aren’t so farfetched after all. When constructing physical spaces, care must be taken so that wires and wireless connection devices aren’t so easily accessible by unauthorized persons. And even if such connections are breached, systems must be configured to detect tampering and alert security personnel of the attempted systems breach.
Buggy firmware
Device manufacturers are always torn between releasing products on time or holding these back to ensure that these are as secure as they can be. Often, timely product delivery wins out, especially since patches can be made to follow at a later date, anyway.
Because of this, firmware — the data that contains instructions on how a device must operate — can be chock-full of bugs that make a device vulnerable to being hacked. And even when a device manufacturer disseminates patches, many IT departments are too slow to implement them.
Stolen devices
If a device was stolen and unlocked, the files that were saved locally there can easily be retrieved by the thief. They can also take over logged-in account sessions and easily pose as the device owner.
For very sensitive operations such as mobile payments, require users to always submit biometric scans to authenticate their identity. Furthermore, you need to teach your staff to report device theft immediately so that IT administrators can prevent the misuse of stolen devices. You’ll also want to implement automatic idle time logouts. This means that if a stolen device still needs to be unlocked before it can be used, the time spent trying to unlock it may be long enough to breach accounts’ idle time thresholds. When the device is finally unlocked, accounts that should have been open would be shut.
Flawed chips
Not all computer chips are created equal. Purpose-built ones like those found in high-end desktops don’t go through as much security testing as the more mass-produced chips. This makes them extra-vulnerable to hackers, though that’s not to say that more widely distributed ones are flawless. Early in 2020, cybersecurity researchers discovered a flaw in particular Intel processors that permitted hackers to install malware directly onto those processors. This allowed the cybercriminals to avoid anti-malware software that only works on operating systems.
There’s so much ground to cover when it comes to implementing comprehensive cybersecurity for your business. You need a partner like Founders Technology Group to help you out. Schedule a FREE consultation with our IT experts to learn more.