From 2011 to 2012, millions of Internet users in Brazil fell victim to a massive attack against vulnerable DSL modems. By configuring the modems remotely, attackers could redirect users to malicious domain name system (DNS) servers. Victims trying to visit popular websites (Google, Facebook) were instead directed to imposter sites. These rogue sites then installed malware on victims’ computers.
According to a report from Kaspersky Lab Expert Fabio Assolini citing statistics from Brazil’s Computer Emergency Response Team, the attack ultimately infected more than 4.5 million DSL modems.
The Brazil incident illustrated that security experts could no longer afford to ignore firmware vulnerabilities. With the frequency of firmware attacks continuing to rise, it’s clear that greater security must be a priority. But has device security meaningfully improved in the past decade?
What was the Brazil DSL modem hack?
According to Assolini, the initial vulnerability appeared to be a chipset driver inside the modems. Chipset drivers enable proper communication with device motherboards. This vulnerability allowed actors to launch a cross-site request forgery (CSRF) attack.
CSRF uses a simple script to steal passwords and remotely log in to take control of devices. Attackers then configured the hijacked modems to point at malicious DNS servers. Anyone using a compromised modem was redirected to fake websites that mimicked legitimate ones, and once visitors landed on these imposter sites they were lured into downloading banking fraud malware.
This single firmware weakness affected devices from six hardware manufacturers, and the attackers operated 40 malicious DNS servers. The attack eventually reached network devices belonging to millions of individual and business users.
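The attack chain above combined a cross-site request to the modem's admin interface with a silent change of its DNS servers. The following added example (not code from the original article or from any modem vendor) shows how a device's "change DNS servers" handler can refuse both: it rejects requests whose Origin/Referer is not the device itself, requires a per-session anti-CSRF token, and only accepts resolvers on an allowlist. DEVICE_HOSTS, APPROVED_RESOLVERS and the addresses are constructed placeholders.

```python
import hmac
import ipaddress
import secrets
from urllib.parse import urlparse

# Constructed example: the modem's management interface only answers on these hosts.
DEVICE_HOSTS = {"192.168.1.1", "modem.local"}
# Constructed allowlist: resolvers the ISP actually operates (placeholder addresses).
APPROVED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}


class AdminSession:
    """Server-side admin session holding the per-session anti-CSRF token."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)
        self.dns_servers = sorted(APPROVED_RESOLVERS)


def _same_origin(headers):
    """Browsers attach Origin (or at least Referer) to cross-site requests;
    anything that does not claim to come from the device itself is rejected."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlparse(source).hostname in DEVICE_HOSTS


def _valid_resolver(addr):
    """Only ISP-operated resolvers may be configured, so even a forged
    request cannot point the modem at a rogue DNS server."""
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return False
    return addr in APPROVED_RESOLVERS


def set_dns_servers(session, headers, form):
    """Hardened handler for a 'change DNS servers' admin action.
    Returns (status_code, message); the session is only mutated on 200."""
    if not _same_origin(headers):
        return 403, "cross-site request rejected"
    token = form.get("csrf_token", "")
    # Constant-time comparison against the token issued with the session.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    servers = [s.strip() for s in form.get("dns", "").split(",") if s.strip()]
    if not servers or not all(_valid_resolver(s) for s in servers):
        return 400, "resolver not on the approved list"
    session.dns_servers = servers
    return 200, "dns updated"
```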
How secure is firmware today?
Since the Brazil DSL modem attack incident, has hardware device security improved? Maybe not.
The NIST National Vulnerability Database shows that attacks on firmware rose by 500% from 2018 to 2021. Meanwhile, a Microsoft report showed that more than 80% of enterprises experienced at least one firmware attack during the same period. The Microsoft report also revealed that only 29% of security budgets are allocated to protecting firmware.
Then there’s Dell’s BIOS Security – The Next Frontier for Endpoint Protection report, conducted by Forrester. It surveyed more than 300 employees to examine the severity of hardware-level security issues. Nearly two-thirds of organizations surveyed said they have a moderate to high level of exposure to threats due to the hardware supply chain. Only 59% of study participants said they had implemented adequate security strategies.
The larger IoT threat
When it comes to cyber incidents, we often think about software vulnerabilities or phishing attacks. The Brazil DSL modem incident began with a driver vulnerability. But in the most fundamental sense, drivers are software too. A hardware attack may target firmware or any other software installed on the device. Perhaps the best approach is to evaluate the state of any device out of the box.
One of the biggest hardware-related vulnerability scenarios is the Internet of Things (IoT). Internet-connected devices often ship with default credentials like “admin” and “password”. Because many device makers don’t require users to set a new, unique username and password, these devices keep their default credentials, which are easy to hack.
Even after changing the defaults, there are other ways to break into IoT devices. SSH and telnet communication services let hackers force their way into devices. This is because changing the password on a device’s web app does not always change the password coded into the device itself. What’s more, users cannot feasibly change these passwords hardcoded into the firmware. The web interface may not even be aware that these credentials exist.
In 2016, this was precisely how attackers took down Dyn, a company that managed web traffic for major brands such as Twitter, Spotify, Netflix, Reddit, Etsy and GitHub. Threat actors used Mirai malware to commandeer at least 100,000 devices (webcams, DVRs, etc.) as zombies and launch a massive DDoS attack against Dyn.
Today, IoT has penetrated just about every sector. Attacks can happen on cardiac devices, webcams, baby monitors, cars and even F-15 fighter jets. There was also a recent CISA advisory warning about vulnerabilities in industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices. Given the magnitude of the risk, it’s clear that hardware and device security cannot be ignored.
Start with zero trust
The enterprise perimeter can no longer be the security gatekeeper. The ubiquity of remote work and connected devices creates even more vulnerabilities. Perhaps the fastest and most comprehensive way to secure your IT ecosystem is through a zero trust approach. In zero trust, any two workloads — apps, users, software, devices or any other computing component — are protected by a local enforcement scheme that applies security policy to each interaction.
Zero trust means access is denied by default. Users and devices are continually validated and monitored, and access is granted based on least privilege and identity and access management (IAM) principles. Much of this is supported by contextual analytics via artificial intelligence for actionable insights.
Hardware bill of materials and patching
For hardware security, experts also recommend a hardware bill of materials (HBOM) and patching strategies.
Establishing an HBOM begins with cataloging all the hardware and devices connected to your network. From there, you track and document hardware security vulnerabilities. Protection begins with understanding which silicon versions are vulnerable and which products use the affected chips. This enables a business risk assessment that guides patching and security update protocols.
Since you can’t patch all devices at once, proper triage is essential. For example, what vulnerabilities are nearest to mission-critical systems? Remember, devices can be added at any time. So it’s critical to maintain an up-to-date network device inventory. Automated hardware inventory management programs can be a great help here.
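The HBOM and triage steps above can be turned into a repeatable ranking. The following added example (not code from the original article or from any inventory product) matches a constructed HBOM against constructed advisories, measures each affected device's hop distance from mission-critical assets over a constructed adjacency map, and returns the patch order: closest to critical systems first, highest severity breaking ties. All device names, component versions and severities are placeholders.

```python
from collections import deque

# Constructed HBOM: each device lists the silicon and firmware components it carries.
HBOM = {
    "dsl-modem-1": {"chipset": "vendorA-rev2", "firmware": "1.0.3"},
    "cam-lobby":   {"chipset": "vendorB-rev1", "firmware": "2.2.0"},
    "dvr-ops":     {"chipset": "vendorA-rev2", "firmware": "4.1.0"},
    "plc-line-3":  {"chipset": "vendorC-rev5", "firmware": "9.0.1"},
}
# Constructed advisories: (component type, version) -> severity on a 0-10 scale.
ADVISORIES = {("chipset", "vendorA-rev2"): 8.5, ("firmware", "2.2.0"): 6.0}
# Constructed adjacency: which devices can reach each other directly on the network.
LINKS = {
    "dsl-modem-1": {"cam-lobby", "dvr-ops"},
    "cam-lobby": {"dsl-modem-1"},
    "dvr-ops": {"dsl-modem-1", "plc-line-3"},
    "plc-line-3": {"dvr-ops"},
}
MISSION_CRITICAL = {"plc-line-3"}


def hops_to_critical(links, critical):
    """Breadth-first search outward from every mission-critical asset;
    returns the hop count for each reachable device."""
    dist = {c: 0 for c in critical}
    queue = deque(critical)
    while queue:
        node = queue.popleft()
        for nxt in links.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def affected_devices(hbom, advisories):
    """Map each device to the highest advisory severity among its components."""
    hits = {}
    for device, parts in hbom.items():
        scores = [advisories[k] for k in parts.items() if k in advisories]
        if scores:
            hits[device] = max(scores)
    return hits


def patch_order(hbom, advisories, links, critical):
    """Rank affected devices: nearer to mission-critical assets first, then by
    severity; devices with no known path to a critical asset are triaged last."""
    dist = hops_to_critical(links, critical)
    hits = affected_devices(hbom, advisories)
    unreachable = len(hbom) + 1
    return sorted(hits, key=lambda d: (dist.get(d, unreachable), -hits[d], d))
```

Re-running patch_order after every inventory refresh keeps the list current as devices are added.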
Continued collaborative effort is key
While a company’s security measures are important, device manufacturers’ efforts are also part of the solution. In his report on the Brazil DSL modem attack, Assolini criticized manufacturers and regulators for not paying attention to hardware security.
That is beginning to change. The White House recently released its own plans to improve IoT security. The idea is to bring together companies, associations and government partners to discuss the development of a label for IoT devices. The labels would identify which devices meet the highest cybersecurity standards.
Coincidentally, the U.S. Government also recognizes the value of zero trust. A recent presidential memo outlined plans to require agencies to meet specific zero trust cybersecurity standards and objectives by the end of Fiscal Year 2024.
The Brazil DSL modem attacks were a reminder that neglecting firmware security can lead to devastating consequences. Hopefully, industry and government efforts, alongside intelligent security strategies, will improve hardware security for everyone.