Hardware is the new software
Hardware hacking has flown under the radar, but a good hardware attack can have serious repercussions.
This is according to international security guru and president of Grand Idea Studio, Joe Grand, who says attention to hardware hacking is 10 years behind the awareness given to software.
During this week's ITWeb Security Summit, in Sandton, Grand explained that in the early days of software attacks, vendors did not like to be told that their products were vulnerable. “They would either brush it off, or blow it out of proportion and try to sue you to prevent the information from being released.”
He noted that hardware vendors are now having the same reaction that software creators had 10 years ago. However, this mindset needs to change, because hardware attacks can have very real consequences, Grand added.
Grand pointed to an example of a high-level incident in India, with electronic voting machines. Indian authorities tried their best to placate the public, saying the machines were secure; however, in only a few minutes the device was implanted with several new circuit boards, which stored information that changed the voting results.
According to Grand, the firmware on these machines can be changed in under 60 seconds, with tools available for purchase on eBay.
Part of the problem with hardware attacks is that most design engineers are not familiar with security at all.Joe Grand, president of Grand Idea Studio
Grand used basic tools to hack the parking meters in San Francisco. He managed to determine how the hardware was talking to the smart cards that the meters use for payment, which allowed him to create a card that essentially gave him free parking.
“Access to information on how to do these things is easier than ever before; the Internet has everything you need. People like to show off what they are doing, which makes it even easier to get the information you want.”
Grand said part of the problem with hardware attacks is that most design engineers are not familiar with security at all. Vendors need to start thinking security when developing hardware and electronic devices, he cautioned.