From 2011 to 2012, millions of Internet users in Brazil fell victim to a massive attack against vulnerable DSL modems. By reconfiguring the modems remotely, attackers pointed users at malicious domain name system (DNS) servers. Victims trying to visit popular websites (Google, Facebook) were instead directed to imposter sites. These rogue sites then installed malware on victims’ computers.

According to a report from Kaspersky Lab Expert Fabio Assolini citing statistics from Brazil’s Computer Emergency Response Team, the attack ultimately infected more than 4.5 million DSL modems.

The Brazil incident illustrated that security experts could no longer afford to ignore firmware vulnerabilities. With the frequency of firmware attacks continuing to rise, it’s clear that greater security must be a priority. But has device security meaningfully improved in the past decade?

What Was the Brazil DSL Modem Hack?

According to Assolini, the initial vulnerability appeared to be in a chipset driver inside the modems, the low-level code that lets the device’s firmware drive its chipset. This vulnerability allowed actors to launch a cross-site request forgery (CSRF) attack.

CSRF tricks a victim’s browser into sending requests to a device the attacker cannot reach directly, using the browser’s own access to the modem’s administrative interface. In this case a simple script exploited the flaw to obtain the administrator password, log in and reconfigure the hijacked modem to use malicious DNS servers. Anyone using a compromised modem was redirected to fake websites that mimicked legitimate sites, and those imposter sites lured visitors into downloading banking fraud malware.
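To make the mechanism concrete, here is an added Python model of a modem’s change-DNS endpoint, first in a form open to CSRF and then hardened with a synchronizer token and an Origin check. This is example code written for this article, not the firmware of the affected modems or anything from Assolini’s report; the endpoint shape, session store, modem origin and IP addresses are assumptions, and the requests are constructed.

```python
# Added illustration, not code from the Brazil modems or Kaspersky's report: a
# minimal model of a modem admin endpoint that changes the DNS servers, first in
# a form that is open to CSRF, then hardened. Requests are plain dicts so the
# example runs offline; the endpoint, session store and addresses are assumed.
import hmac
import secrets

# Constructed "session store": session cookie value -> logged-in user and a
# per-session CSRF token that only same-origin pages can read.
SESSIONS = {
    "sess-abc123": {"user": "admin", "csrf_token": secrets.token_hex(16)},
}
MODEM_ORIGIN = "http://192.168.1.1"  # assumed address of the admin interface


def handle_set_dns_vulnerable(request, config):
    """Vulnerable: trusts the session cookie alone. Any page the victim visits
    can auto-submit a cross-site POST; the browser attaches the modem cookie
    and the DNS settings are rewritten."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "login required"
    config["dns"] = [request["form"]["dns1"], request["form"]["dns2"]]
    return 200, "dns updated"


def handle_set_dns_hardened(request, config):
    """Hardened: still requires the session, but rejects requests whose Origin
    header (when the browser sends one) is not the modem itself, and demands
    the per-session token, which a cross-site page cannot obtain."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "login required"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != MODEM_ORIGIN:
        return 403, "cross-site request rejected"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid csrf token"
    config["dns"] = [request["form"]["dns1"], request["form"]["dns2"]]
    return 200, "dns updated"


def forged_request():
    """Constructed cross-site POST from an attacker-controlled page. The browser
    attaches the modem session cookie, but the attacker cannot read the token
    and the Origin header names the attacker's site."""
    return {
        "cookies": {"session": "sess-abc123"},
        "headers": {"Origin": "http://attacker.example"},
        # rogue resolvers (documentation address range)
        "form": {"dns1": "203.0.113.53", "dns2": "203.0.113.54"},
    }


def legitimate_request():
    """Constructed same-origin POST from the modem's own settings page."""
    return {
        "cookies": {"session": "sess-abc123"},
        "headers": {"Origin": MODEM_ORIGIN},
        "form": {"dns1": "198.51.100.10", "dns2": "198.51.100.2",
                 "csrf_token": SESSIONS["sess-abc123"]["csrf_token"]},
    }


def demo():
    """Run the forged request against both handlers and a legitimate one
    against the hardened handler; return (status, resulting DNS) for each."""
    results = {}
    cfg = {"dns": ["198.51.100.1", "198.51.100.2"]}
    status, _ = handle_set_dns_vulnerable(forged_request(), cfg)
    results["vulnerable_forged"] = (status, list(cfg["dns"]))
    cfg = {"dns": ["198.51.100.1", "198.51.100.2"]}
    status, _ = handle_set_dns_hardened(forged_request(), cfg)
    results["hardened_forged"] = (status, list(cfg["dns"]))
    cfg = {"dns": ["198.51.100.1", "198.51.100.2"]}
    status, _ = handle_set_dns_hardened(legitimate_request(), cfg)
    results["hardened_legit"] = (status, list(cfg["dns"]))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The Origin check alone is not enough, because older browsers and some request types omit the header, which is why the hardened handler also requires the token; the token alone is enough only if the device never leaks it to other origins.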

This single firmware weakness compromised modems from six hardware manufacturers, and the attackers operated 40 malicious DNS servers to serve the redirections. The attack eventually reached network devices belonging to millions of individual and business users.
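The symptom of this attack is a gateway whose resolvers have been silently changed. As an added example, not from the original article or Kaspersky’s report, here are two offline checks a practitioner could run: an audit of the resolvers in a modem’s configuration against an expected set, and a comparison of answers for sentinel names between the gateway’s resolver and a trusted one. The configuration format, the allow-list and the DNS answers are constructed sample data.

```python
# Added example, not code from the article or Kaspersky's report: two offline
# checks for a gateway whose resolvers were changed. The key=value config
# format, the expected-resolver list and the DNS answers are constructed.
import ipaddress

# Constructed dump of a modem's WAN settings, one key=value per line.
SAMPLE_CONFIG = """\
wan_ipaddr=203.0.113.17
wan_gateway=203.0.113.1
wan_dns1=198.51.100.53
wan_dns2=192.0.2.99
lan_ipaddr=192.168.1.1
"""

# Resolvers the operator expects to see: an assumed ISP resolver range plus
# two well-known public resolvers.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("8.8.8.8/32"),
    ipaddress.ip_network("1.1.1.1/32"),
]


def parse_config(text):
    """Parse key=value lines into a dict, ignoring comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def audit_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return (setting, address) for each configured resolver that is not in
    the expected set. Malformed addresses are reported too, not skipped."""
    cfg = parse_config(text)
    rogue = []
    for key in ("wan_dns1", "wan_dns2"):
        value = cfg.get(key)
        if not value:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            rogue.append((key, value))
            continue
        if not any(addr in net for net in expected):
            rogue.append((key, value))
    return rogue


def compare_answers(suspect, trusted):
    """Second check: resolve sentinel names through the gateway's resolver and
    a trusted resolver and diff the answer sets. A name whose two answer sets
    share no address is likely being redirected. CDN-backed names can differ
    legitimately, so pick sentinels with stable addresses."""
    diverging = []
    for name, good in trusted.items():
        seen = suspect.get(name)
        if seen is not None and not (set(seen) & set(good)):
            diverging.append(name)
    return sorted(diverging)


# Constructed answers: the gateway's resolver sends the bank's customers to an
# impostor host while answering other names honestly to avoid suspicion.
FROM_GATEWAY_RESOLVER = {
    "bank.example": ["192.0.2.77"],
    "www.example": ["203.0.113.80"],
}
FROM_TRUSTED_RESOLVER = {
    "bank.example": ["198.51.100.20", "198.51.100.21"],
    "www.example": ["203.0.113.80"],
}


if __name__ == "__main__":
    print("rogue resolvers:", audit_resolvers(SAMPLE_CONFIG))
    print("redirected names:", compare_answers(FROM_GATEWAY_RESOLVER, FROM_TRUSTED_RESOLVER))
```

In a real deployment the answer dictionaries would come from live queries to the gateway and to a resolver you control; the comparison logic is the same.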

How Secure is Firmware Today?

Since the Brazil DSL modem attack incident, has hardware device security improved? Maybe not.

The NIST National Vulnerability Database shows that reported firmware vulnerabilities rose by 500% from 2018 to 2021. Meanwhile, a Microsoft report showed that more than 80% of enterprises experienced at least one firmware attack during the same time period. The Microsoft report also revealed that only 29% of security budgets are allocated to protecting firmware.

Then there’s Dell’s BIOS Security – The Next Frontier for Endpoint Protection report, conducted by Forrester. It surveyed more than 300 employees to examine the severity of hardware-level security issues. Nearly two-thirds of organizations surveyed said they have a moderate to high level of exposure to threats due to the hardware supply chain. Only 59% of study participants said they had implemented adequate security strategies.

The Larger IoT Threat

When it comes to cyber incidents, we often think about software vulnerabilities or phishing attacks. The Brazil DSL modems incident began with a driver vulnerability. But in the most fundamental sense, drivers are software too. A hardware attack may target firmware or any other software installed on the device. Perhaps the best approach is to evaluate the state of any device as it arrives, out of the box.

One of the biggest hardware-related vulnerability scenarios is the Internet of Things (IoT). Internet-connected devices often ship with default credentials like “admin” and “password”. Because many device makers don’t require users to set a new, unique username and password, these devices keep their default credentials, which any attacker can look up.

Even after changing the defaults, there are other ways to break into IoT devices. Many devices also expose SSH or telnet management services, and changing the password in the device’s web interface does not always change the credentials those services accept, because they may be coded into the firmware itself. Users cannot feasibly change passwords hardcoded into the firmware, and the web interface may not even be aware that these credentials exist.

In 2016, this was precisely how attackers took down Dyn, a company that managed web traffic for major brands such as Twitter, Spotify, Netflix, Reddit, Etsy and GitHub. Threat actors used the Mirai malware to commandeer at least 100,000 devices (webcams, DVRs, etc.) as zombies and launch a massive DDoS attack against Dyn.

Today, IoT has penetrated just about every sector. Attacks can happen on cardiac devices, webcams, baby monitors, cars and even F-15 fighter jets. There was also a recent CISA advisory warning about vulnerabilities in industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices. Given the magnitude of the risk, it’s clear that hardware and device security cannot be ignored.

Start with Zero Trust

The enterprise perimeter can no longer be a security gatekeeper. The ubiquity of remote work and connected devices creates even more vulnerabilities. Perhaps the fastest and most comprehensive way to secure your IT ecosystem is through a zero trust approach. In zero trust, every interaction between two workloads, whether apps, users, software, devices or any other computing component, is checked against security policy at the point of access rather than at a network boundary.

Zero trust means access is denied by default. Users and devices are continually validated and monitored, and access is granted on least privilege and identity and access management (IAM) principles. Much of this is supported by contextual analytics, increasingly driven by artificial intelligence, to turn those signals into actionable decisions.
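To show what “denied by default” and “continually validated” look like as a decision, here is an added Python policy check written for this article; it is not any vendor’s zero trust product. Users, devices, timestamps and the policy table are constructed sample data, and the field names and the 15-minute re-validation window are assumptions.

```python
# Added example (written for this article, not any vendor's product) of the
# deny-by-default access decision described above. All identities, devices,
# timestamps and policy entries are constructed; the field names and the
# 15-minute re-validation window are assumptions.
from dataclasses import dataclass

REVALIDATE_AFTER = 15 * 60  # seconds; device posture older than this must be re-checked


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in the device inventory
    firmware_ok: bool        # firmware at or above the required baseline
    posture_checked_at: int  # epoch seconds of the last posture report


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    device: Device
    resource: str
    action: str
    now: int                 # epoch seconds at decision time


# Least privilege: each (resource, action) lists the roles allowed to perform
# it. Anything absent from this table is denied.
POLICY = {
    ("billing-db", "read"): frozenset({"finance", "finance-admin"}),
    ("billing-db", "write"): frozenset({"finance-admin"}),
    ("wiki", "read"): frozenset({"staff", "finance", "finance-admin"}),
}


def decide(req):
    """Return (allowed, reason). Every path that is not explicitly allowed
    denies, and device posture is checked on every request, not once at login."""
    if not req.device.managed:
        return False, "unknown device"
    if not req.device.firmware_ok:
        return False, "device firmware below baseline"
    if req.now - req.device.posture_checked_at > REVALIDATE_AFTER:
        return False, "device posture stale, re-validation required"
    allowed = POLICY.get((req.resource, req.action), frozenset())
    if not (req.roles & allowed):
        return False, "no policy grants this role that action"
    return True, "allowed"


# Constructed scenario: one compliant laptop, one device nobody enrolled, and
# the same laptop with a posture report that is an hour old.
NOW = 1_700_000_000
LAPTOP = Device("lt-42", managed=True, firmware_ok=True, posture_checked_at=NOW - 60)
ROGUE = Device("unknown-1", managed=False, firmware_ok=True, posture_checked_at=NOW)
STALE = Device("lt-42", managed=True, firmware_ok=True, posture_checked_at=NOW - 3600)


def scenario():
    """Evaluate a handful of requests and return each decision by name."""
    finance = frozenset({"finance"})
    return {
        "finance_read_ok": decide(AccessRequest("ana", finance, LAPTOP, "billing-db", "read", NOW)),
        "finance_write_denied": decide(AccessRequest("ana", finance, LAPTOP, "billing-db", "write", NOW)),
        "rogue_device_denied": decide(AccessRequest("ana", finance, ROGUE, "wiki", "read", NOW)),
        "stale_posture_denied": decide(AccessRequest("ana", finance, STALE, "wiki", "read", NOW)),
        "unlisted_resource_denied": decide(AccessRequest("ana", finance, LAPTOP, "hr-db", "read", NOW)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in scenario().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The ordering matters: device checks run before the role lookup, so a valid user on an unmanaged or out-of-date device is refused regardless of their entitlements, which is the point of treating the device as part of the identity.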

Hardware Bill of Material and Patching

For hardware security, experts also recommend hardware bill of material (HBOM) and patching strategies.

Establishing an HBOM begins with cataloging all the hardware and devices connected to your network, down to the chipsets and firmware versions they carry. From there, you track and document hardware security vulnerabilities. Protection begins with understanding which silicon versions are vulnerable and which products contain the affected chips. This enables a business risk assessment that guides patching and security update protocols.

Since you can’t patch all devices at once, proper triage is essential. For example, what vulnerabilities are nearest to mission-critical systems? Remember, devices can be added at any time. So it’s critical to maintain an up-to-date network device inventory. Automated hardware inventory management programs can be a great help here.
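As an added example of the HBOM-driven triage described above, here is a Python script that matches an inventory of devices (with their chipsets and firmware versions) against a vulnerability feed and ranks the affected devices by proximity to mission-critical systems and internet exposure. It was written for this article and is not code from any vendor or standard; the inventory, the feed, the field names and the scoring weights are all constructed assumptions.

```python
# Added example of HBOM-based triage, not code from any named vendor or
# standard. The inventory, vulnerability feed, field names and scoring
# weights are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    model: str
    chipset: str
    firmware: str
    criticality: int        # 1 (low) .. 5 (mission-critical)
    hops_to_critical: int   # network distance to the nearest mission-critical system (0 = is one)
    internet_exposed: bool


# Constructed HBOM: what silicon and firmware each device actually carries.
INVENTORY = [
    Asset("modem-01", "DSL-X1", "chipset-A rev2", "1.0.3", 2, 1, True),
    Asset("modem-02", "DSL-X1", "chipset-A rev2", "1.1.0", 2, 3, True),
    Asset("cam-07", "Cam-200", "chipset-B", "4.2", 1, 4, True),
    Asset("plc-03", "PLC-9", "chipset-A rev2", "1.0.3", 5, 0, False),
]

# Constructed vulnerability feed: chipset affected and the first fixed firmware.
VULNERABLE = [
    {"id": "VULN-A", "chipset": "chipset-A rev2", "fixed_in": "1.1.0"},
    {"id": "VULN-B", "chipset": "chipset-B", "fixed_in": "4.3"},
]


def version_tuple(version):
    """Compare dotted versions numerically, so 1.10 sorts after 1.9."""
    return tuple(int(part) for part in version.split("."))


def find_exposed(inventory=INVENTORY, feed=VULNERABLE):
    """Match each asset's chipset and firmware against the feed.
    Returns (asset, vulnerability id) pairs for every unpatched match."""
    hits = []
    for asset in inventory:
        for vuln in feed:
            if (asset.chipset == vuln["chipset"]
                    and version_tuple(asset.firmware) < version_tuple(vuln["fixed_in"])):
                hits.append((asset, vuln["id"]))
    return hits


def triage_score(asset):
    """Higher score means patch sooner. Distance to mission-critical systems
    weighs most, then the asset's own criticality, then internet exposure."""
    proximity = max(0, 5 - asset.hops_to_critical)
    return asset.criticality * 2 + proximity * 3 + (4 if asset.internet_exposed else 0)


def patch_order(inventory=INVENTORY, feed=VULNERABLE):
    """Rank the exposed assets; ties break on asset id for a stable plan."""
    hits = find_exposed(inventory, feed)
    ranked = sorted(hits, key=lambda hit: (-triage_score(hit[0]), hit[0].asset_id))
    return [(asset.asset_id, vuln_id, triage_score(asset)) for asset, vuln_id in ranked]


if __name__ == "__main__":
    for asset_id, vuln_id, score in patch_order():
        print(f"{score:3d}  {asset_id:10s} {vuln_id}")
```

Note that modem-02 drops out because its firmware is already at the fixed version, and the PLC outranks the internet-facing modem: an unpatched device that is itself mission-critical is patched before one that is merely adjacent, even though the latter is reachable from outside. Adjust the weights to your own risk appetite; the matching logic is what the HBOM buys you.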

Continued Collaborative Effort is Key

While a company’s security measures are important, device manufacturers’ efforts are also part of the solution. In his report on the Brazil DSL modem attack, Assolini criticized manufacturers and regulators for not paying attention to hardware security.

That is beginning to change. The White House recently released its own plans to improve IoT security. The idea is to bring together companies, associations and government partners to discuss the development of a label for IoT devices. The labels would identify which devices meet the highest cybersecurity standards.

Coincidentally, the U.S. Government also recognizes the value of zero trust. A recent presidential memo outlined plans to require agencies to meet specific zero trust cybersecurity standards and objectives by the end of Fiscal Year 2024.

The Brazil DSL modem attacks were a reminder that neglecting firmware security can lead to devastating consequences. Hopefully, industry and government efforts, alongside intelligent security strategies, will improve hardware security for everyone.
