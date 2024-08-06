Hardware supply chains under siege from hackers

HP Inc has released the findings of a global survey highlighting the growing concern over nation-state threat actors targeting physical supply chains and tampering with device hardware and firmware integrity.

The study of 800 IT and security decision-makers (ITSDMs) responsible for device security highlights the need for businesses to focus on device hardware and firmware integrity – with attacks on hardware supply chains and device tampering expected to increase.

Key findings from the new survey include:

• Almost one-in-five (19%) organisations surveyed say they have been impacted by nation-state threat actors targeting physical PC, laptop, or printer supply chains. In the US, this figure rises to 29%.

• Over a third (35%) of organisations surveyed believe that they or others they know have already been impacted by nation-state threat actors targeting supply chains to try and insert malicious hardware or firmware into devices.

• Overall, 91% believe nation-state threat actors will target physical PC, laptop, or printer supply chains to insert malware or malicious components into hardware and/or firmware.

• Almost two-thirds (63%) believe the next major nation-state attack will involve poisoning hardware supply chains to sneak in malware.

“System security relies on strong supply chain security, starting with the assurance that devices are built with the intended components and haven’t been tampered with during transit,” says Alex Holland, principal threat researcher in the HP Security Lab. “If an attacker compromises a device at the firmware or hardware layer, they’ll gain unparalleled visibility and control over everything that happens on that machine. Just imagine what that could look like if it happens to the CEO’s laptop.

“Such attacks are incredibly hard to detect as most security tools sit within the operating system,” says Holland. “Moreover, attacks that successfully establish a foothold below the OS are very difficult to remove and remediate, adding to the challenge for IT security teams.”

Considering the scale of the challenge, it’s unsurprising that 78% of ITSDMs say their attention to software and hardware supply chain security will grow as attackers try to infect devices during transit.

Organisations are concerned that they are blind and unequipped to mitigate device supply chain threats like tampering. Over half (51%) of ITSDMs are concerned that they cannot verify if PC, laptop, or printer hardware and firmware have been tampered with during transit. A further 77% say they need a way to verify hardware integrity to mitigate the risk of device tampering.

“In today’s threat landscape, managing security across a distributed hybrid workplace environment must start with the assurance that devices haven’t been tampered with at the lower level,” says Boris Balacheff, chief technologist for Security Research and Innovation, HP Inc Security Lab. “This is why HP is focused on delivering PCs and printers with industry-leading hardware and firmware security foundations designed for resilience – to allow organisations to manage, monitor, and remediate device hardware and firmware security throughout the lifetime of devices and across the fleet.”