From 2011 to 2012, millions of Internet users in Brazil fell victim to a massive attack against vulnerable DSL modems. By configuring the modems remotely, attackers could redirect users to malicious domain name system (DNS) servers. Victims trying to visit popular websites (Google, Facebook) were instead directed to imposter sites. These rogue sites then installed malware on victims’ computers.

According to a report from Kaspersky Lab Expert Fabio Assolini citing statistics from Brazil’s Computer Emergency Response Team, the attack ultimately infected more than 4.5 million DSL modems.

The Brazil incident illustrated that security experts could no longer afford to ignore firmware vulnerabilities. With the frequency of firmware attacks continuing to rise, it’s clear that greater security must be a priority. But has device security meaningfully improved in the past decade?

What was the Brazil DSL modem hack?

According to Assolini, the initial vulnerability appeared to be a chipset driver inside the modems. Chipset drivers enable proper communication with device motherboards. This vulnerability allowed actors to launch a cross-site request forgery (CSRF) attack.

In this case, CSRF relied on a simple script that stole the administrative password and logged in remotely to take control of the device. Attackers then configured the hijacked modems to point at malicious DNS servers. Anyone using a compromised modem was redirected to fake websites that mimicked legitimate sites, and those imposter sites lured visitors into downloading banking fraud malware.

This single firmware weakness affected modems from six hardware manufacturers, and the attackers operated 40 malicious DNS servers. The attack eventually reached network devices belonging to millions of individual and business users.
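As an added illustration (not code from Assolini's report or from any of the affected modems), here is a minimal model of a modem's "set DNS servers" admin endpoint. The first handler honours any request that carries a valid session cookie, which is exactly what lets a cross-site form post rewrite the resolvers; the second adds the Origin check, synchronizer token and input validation that would have blocked it. The session store, addresses and request shapes are constructed assumptions.

```python
import hmac
import secrets
from ipaddress import ip_address
# Constructed session store and trusted admin-UI origin (assumptions, not real modem code).
SESSIONS = {"sid-1": {"authenticated": True, "csrf_token": secrets.token_hex(16)}}
TRUSTED_ORIGINS = {"http://192.168.1.1"}   # assumed LAN address of the admin UI

def _session_for(request):
    return SESSIONS.get(request["cookies"].get("sid"))
def set_dns_vulnerable(request, config):
    """Before: a valid session cookie is the only check. Because the browser
    attaches that cookie to a cross-site form post automatically, a page the
    victim merely visits can rewrite the modem's resolvers."""
    session = _session_for(request)
    if not session or not session["authenticated"]:
        return 401
    config["dns"] = list(request["form"]["dns"])
    return 200

def set_dns_hardened(request, config):
    """After: same endpoint, plus an Origin check, a per-session synchronizer
    token and validation of the submitted resolver addresses."""
    session = _session_for(request)
    if not session or not session["authenticated"]:
        return 401
    # A cross-site post carries the third-party page's Origin, not the admin UI's.
    if request["headers"].get("Origin") not in TRUSTED_ORIGINS:
        return 403
    # The token is embedded in the legitimate form and cannot be read cross-site.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403
    try:
        new_dns = [str(ip_address(a)) for a in request["form"]["dns"]]
    except ValueError:
        return 400
    config["dns"] = new_dns
    return 200

def cross_site_post(new_dns):
    """Constructed request as a browser sends it from a third-party page:
    session cookie attached, foreign Origin, no CSRF token."""
    return {"cookies": {"sid": "sid-1"}, "headers": {"Origin": "http://third-party.example"},
            "form": {"dns": new_dns}}

def admin_ui_post(new_dns):
    """Constructed request from the modem's own admin page."""
    return {"cookies": {"sid": "sid-1"}, "headers": {"Origin": "http://192.168.1.1"},
            "form": {"dns": new_dns, "csrf_token": SESSIONS["sid-1"]["csrf_token"]}}
```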

How secure is firmware today?

Since the Brazil DSL modem attack incident, has hardware device security improved? Maybe not.

The NIST National Vulnerability Database shows that attacks on firmware rose by 500% from 2018 to 2021. Meanwhile, a Microsoft report found that more than 80% of enterprises experienced at least one firmware attack during the same period. The Microsoft report also revealed that only 29% of security budgets are allocated to protecting firmware.

Then there’s Dell’s BIOS Security – The Next Frontier for Endpoint Protection report, conducted by Forrester. It surveyed more than 300 employees to examine the severity of hardware-level security issues. Nearly two-thirds of organizations surveyed said they have a moderate to high level of exposure to threats due to the hardware supply chain. Only 59% of study participants said they had implemented adequate security strategies.

The larger IoT threat

When it comes to cyber incidents, we often think about software vulnerabilities or phishing attacks. The Brazil DSL modem incident began with a driver vulnerability, but in the most fundamental sense, drivers are software too. A hardware attack may target firmware or any other software installed on the device. Perhaps the best approach is to evaluate the security state of any device from the moment it comes out of the box.

One of the biggest hardware-related vulnerability scenarios is the Internet of Things (IoT). Internet-connected devices often ship with default credentials such as "admin" and "password". Because many device makers don't require users to set a new, unique username and password, these devices keep their default credentials, which are easy to exploit.

Even after the defaults are changed, there are other ways to break into IoT devices. Services such as SSH and telnet give attackers a route to force their way in, because changing the password in a device's web app does not always change the password coded into the device itself. What's more, users cannot feasibly change passwords hardcoded into the firmware, and the web interface may not even be aware that these credentials exist.

In 2016, this was precisely how attackers took down Dyn, a company that managed web traffic for major brands such as Twitter, Spotify, Netflix, Reddit, Etsy and GitHub. Threat actors used Mirai malware to commandeer at least 100,000 devices (webcams, DVRs, etc.) as zombies and launch a massive DDoS attack against Dyn.

Today, IoT has penetrated just about every sector. Attacks can target cardiac devices, webcams, baby monitors, cars and even F-15 fighter jets. There was also a recent CISA advisory warning about vulnerabilities in industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices. Given the magnitude of the risk, it's clear that hardware and device security cannot be ignored.

Start with zero trust

The enterprise perimeter can no longer serve as the security gatekeeper. The ubiquity of remote work and connected devices creates even more points of exposure. Perhaps the fastest and most comprehensive way to secure your IT ecosystem is a zero trust approach. In zero trust, any two communicating workloads (apps, users, software, devices or any other computing component) are covered by a local protection scheme that enforces security policies, rather than relying on the network boundary to do so.

Zero trust means access is denied by default. Users and devices are continually validated and monitored, and access is granted according to least privilege and identity and access management (IAM) principles. Much of this is supported by contextual analytics driven by artificial intelligence, which turns the monitoring data into actionable insights.

Hardware bill of materials and patching

For hardware security, experts also recommend a hardware bill of materials (HBOM) and a patching strategy.

Establishing an HBOM begins with cataloging all the hardware and devices connected to your network. From there, you track and document hardware security vulnerabilities. Protection begins with understanding which silicon versions are vulnerable and which products contain the affected chips. This enables a business risk assessment, which in turn guides patching and security update protocols.

Since you can't patch every device at once, proper triage is essential: for example, which vulnerabilities sit nearest to mission-critical systems? Remember that devices can be added at any time, so it's critical to maintain an up-to-date network device inventory. Automated hardware inventory management tools can be a great help here.
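To make the HBOM and triage steps above concrete, here is an added example (not code from the article or any vendor tool) that matches a small device inventory against firmware advisories and ranks the exposed devices, mission-critical ones first and then by how close their network zone is to the critical zone. The vendors, models, versions and zones are constructed, hypothetical values.

```python
from dataclasses import dataclass
@dataclass
class Device:
    device_id: str
    vendor: str
    model: str
    firmware: str        # dotted version reported by the device
    zone: str            # network zone, used for the "nearest to mission-critical" test
    mission_critical: bool = False

@dataclass
class Advisory:
    vendor: str
    model: str
    fixed_in: str        # first firmware version carrying the fix
    severity: float      # CVSS-style base score

def parse_version(v):
    """'3.2.0' -> (3, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))
# Hops from the mission-critical zone; lower means a vulnerable device sits closer to it.
ZONE_DISTANCE = {"ot-core": 0, "ot-dmz": 1, "corp": 2, "guest": 3}
# Constructed inventory and advisories (hypothetical vendors, models and versions).
INVENTORY = [
    Device("plc-01", "AcmeCtrl", "PLC-200", "2.1.0", "ot-core", mission_critical=True),
    Device("cam-07", "ViewCo", "IPCam-3", "1.0.4", "corp"),
    Device("dvr-02", "ViewCo", "DVR-9", "3.2.0", "ot-dmz"),
    Device("cam-08", "ViewCo", "IPCam-3", "1.2.0", "guest"),   # already on a fixed build
    Device("sw-03", "NetCorp", "Edge-10", "4.0.1", "corp"),    # no advisory applies
]
ADVISORIES = [
    Advisory("ViewCo", "IPCam-3", "1.1.0", 9.8),   # e.g. a hardcoded service credential
    Advisory("ViewCo", "DVR-9", "3.3.1", 7.5),
    Advisory("AcmeCtrl", "PLC-200", "2.2.0", 8.6),
]

def find_exposed(inventory, advisories):
    """Pair each device with every advisory whose fix it does not yet carry."""
    return [(d, a) for d in inventory for a in advisories
            if (d.vendor, d.model) == (a.vendor, a.model)
            and parse_version(d.firmware) < parse_version(a.fixed_in)]

def triage(inventory, advisories):
    """Mission-critical devices first, then nearest to the critical zone, then severity."""
    ranked = sorted(find_exposed(inventory, advisories),
                    key=lambda da: (not da[0].mission_critical,
                                    ZONE_DISTANCE[da[0].zone], -da[1].severity))
    return [(d.device_id, d.firmware, a.fixed_in) for d, a in ranked]
```

Re-running `triage` whenever the inventory changes is the "keep the inventory current" step from the text; a device that is newly added or has its firmware updated simply moves up or drops out of the list.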

Continued collaborative effort is key

While a company’s security measures are important, device manufacturers’ efforts are also part of the solution. In his report on the Brazil DSL modem attack, Assolini criticized manufacturers and regulators for not paying attention to hardware security.

That is beginning to change. The White House recently released its own plans to improve IoT security. The idea is to bring together companies, associations and government partners to discuss the development of a label for IoT devices. The labels would identify which devices meet the highest cybersecurity standards.

Coincidentally, the U.S. Government also recognizes the value of zero trust. A recent presidential memo outlined plans to require agencies to meet specific zero trust cybersecurity standards and objectives by the end of Fiscal Year 2024.

The Brazil DSL modem attacks were a reminder that neglecting firmware security can lead to devastating consequences. Hopefully, industry and government efforts, alongside intelligent security strategies, will improve hardware security for everyone.
