Research by HP Wolf Security published in August 2024 lifts the lid on the security threat nobody is talking about: Malicious nation states and cybercriminals tampering with hardware supply chains to insert malicious hardware or firmware onto devices such as PCs, laptops and printers.

“Hardware and firmware attacks that establish a foothold below the operating system are difficult to detect, remove and remediate,” says Alex Holland, Principal Threat Researcher, HP Inc. Security Lab.

In short, device tampering and physical supply chain attacks represent a potential weak link in the cybersecurity of organisations, especially given the fact that software and applications have come to dominate thinking about what constitutes the digital ecosystem, and its security. It’s all too easy to forget how device firmware and hardware are integral parts of the world’s technology infrastructure.

Together, they provide the foundation that all software runs upon, making it crucial to secure hardware and firmware. The HP Wolf Security research highlights growing concerns over the activities of well-funded bad actors, such as nation states, targeting physical supply chains as a way to gain access to organisations’ ICT systems. Without protections in place, attacks against hardware and firmware can hand threat actors stealthy and powerful control over devices.

Key research findings from the HP Wolf Security survey paint a troubling picture of a looming threat that few organisations in either the public or private sectors have fully recognised, let alone planned for. They include:

35% of respondents believe that they or people they know have already been impacted by nation-state threat actors targeting supply chains to insert malicious hardware or firmware into devices.

91% believe nation-state threat actors will target physical PC, laptop or printer supply chains to insert malware or malicious components into hardware and/ or firmware.

63% believe the next major nation-state attack will involve poisoning hardware supply chains to sneak in malware.

Given these findings, it is unsurprising that a majority (78%) of IT and security decision-makers say their focus on hardware and firmware supply chain security will grow as more attackers try to infect devices during transit. 

Yet the lack of tools to detect and stop tampering attacks is proving to be an obstacle for organisations. Seventy seven percent of respondents say they need a way to verify hardware integrity to tackle device tampering.

Successful firmware and hardware attacks are hard to detect and remediate with current security tools which typically focus on OS and software layers. By targeting below the OS, hackers can gain an inconspicuous back door into systems that can be used for long periods of time.

HP Wolf Security advises organisations to manage the security of the hardware and firmware of their devices proactively, following these steps:

Adopt Platform Certificate technology, which is designed to enable the integrity of both hardware and firmware to be verified upon delivery. The HP Platform Certificate allows IT administrators to assess the integrity and authenticity of a PC and its components, helping uncover any unauthorised changes.

Securely manage the firmware configuration of devices throughout their lifecycle, using solutions such as HP Sure Admin for PCs or HP Security Manager for printers. Such technologies enable IT administrators to manage firmware remotely using public-key cryptography rather than less secure passwords.

Take advantage of vendor factory services to enable hardware and firmware security configurations right from the beginning of the manufacturing process, such as HP Tamper Lock, Sure Admin and Sure Recover technologies. Monitor hardware and firmware configurations across all devices continuously to ensure the security of the ICT estate. The research findings highlight the little recognised fact that endpoint security is critical to the security of the entire digital ecosystem and that, in turn, endpoint security rests on strong supply chain security. Ultimately, cybersecurity depends on the assurance that the lowest hardware and firmware foundations of devices are secure.

HP is focused on delivering PCs, laptops and printers that incorporate industry-leading hardware and firmware security, allowing organisations to manage, monitor and remediate the security of their devices throughout their lifecycles.

HP will be sharing further findings from this survey going forward, alongside further announcements about new measures for ensuring the security of hardware and firmware on devices.