For years, software, not hardware, has dominated the cybersecurity industry’s efforts to develop a coordinated way of disclosing technology flaws. Software bugs are reported in much greater numbers, and there are far fewer researchers who specialize in hardware security.
But hardware was thrust into the limelight in January 2018, when Spectre and Meltdown, two vulnerabilities that affected virtually all modern computer chips, were made public. The flaws could have allowed hackers to infiltrate a computer’s memory and steal sensitive data, or trick applications into spilling information without a user’s knowledge. While there’s no evidence either has been exploited, the revelation that they exist, and the complex patching process that followed, sparked industry-wide awareness about serious security flaws that might come embedded in otherwise trusted technology.
Now, more than a year later, the vendors, researchers, and manufacturers involved are still trying to cut down on the time it takes to get hardware-related patches deployed.
“What we hope we can do is, over time, reduce the time from which…Intel is providing a microcode fix to something to when it’s actually getting delivered,” Audrey Plonk, Intel’s senior director for security policy, said in an interview.
Intel was one of multiple vendors in the eye of the Spectre and Meltdown storm, along with AMD, ARM and Qualcomm, and the remediation and communication process was at times rocky. For example, in the weeks after the vulnerabilities were made public, Intel told customers to skip a firmware update after complaints that the fix was causing systems to reboot.
The bruising experience has shaken up the way the chip giant handles hardware patching, according to Plonk. Hardware-related updates that were previously haphazard and uncoordinated are now bundled together to make it easier on users, she said.
One of the next steps in improving the remediation process is to better measure the rate of patching.
“We don’t have great data about patching uptake,” she said. “If you’re this far removed from the end user, you have the challenge of, ‘Have people patched?’”
That is starting to change, Plonk said, because Intel microcode updates are now deliverable through operating-system vendors like Microsoft and Apple. “As they continue to do that, as they’ve done with Spectre Variant 2, they will start to get data back as to patch uptake,” she added.
Intel’s Product Assurance and Security unit has a 60-person red team that focuses on chips, firmware, and other gear, Plonk said. The chip vendor also has a bug bounty program that pays four times as much for critical hardware bugs than those in software, according to HackerOne, the company that manages the program.
“It’s small, but it’s increasing,” Plonk said of the hardware-security research pipeline. “We have a lot more inbound research than we’ve ever had.”
Advocates of improving the vulnerability-disclosure want to capitalize on that momentum.
More practice needed
Hardware remediation can mean intervening at multiple layers of a computer system – with rigorous testing needed to ensure those interventions don’t disrupt the system.
“It can take months to find a solution to a hardware vulnerability that doesn’t impact the stability or performance of the system,” Yuriy Bulygin, CEO of hardware-security company Eclypsium, told CyberScoop. “Typically it can’t be fixed by a vendor working alone – the whole ecosystem may need to be involved, including OS [operating system] and software vendors.”
One way of simplifying the often-elaborate hardware patching process is through practice, according to Ari Schwartz, a former National Security Council official in the Obama administration.
“If we iterate and continue to improve the [disclosure process], we should be able to get the time down” that it takes to patch hardware, said Schwartz, now executive director of the Center for Cybersecurity Policy and Law.
The nonprofit this week published several recommendations for improving the process for fixing hardware flaws, including that vendors make patching “as seamless an experience as possible.” That point is crucial, according to Jessica Wilkerson, a former House Energy and Commerce Committee staffer who has focused on vulnerability disclosure policy.
“If you have made it difficult for the user to patch, you have failed at deploying your security,” Wilkerson said. “We need to figure out how to build better systems.”
Security researchers are poised to help improve hardware.
Spectre and Meltdown generated greater interest in hardware security research, and the ubiquity of lower-power inexpensive devices is helping the cause, according to Joe FitzPatrick, an instructor and researcher at SecuringHardware.com, a training site.
“Hardware hacking is easier than it ever has been,” FitzPatrick told CyberScoop, “because the tools to inspect, analyze, and subvert these devices are even more accessible.