If hackers can interfere with network transmission of data, they can hierarchically gain control of complete computer systems
Information security is typically dominated by discussions of software, be it the tools hackers use to compromise computer systems, or the products employed by businesses to keep those hackers out.
But, while somewhat neglected in the general discourse, the underlying hardware systems on which all software must reside, present a significant opportunity for compromise.
That’s the view of Michael Ossman, a security researcher and founder of Great Scott Gadgets, which makes tools for ‘white hat’ hackers working in the security industry.
Presenting at the recent 31c0n cyber security conference, the American security specialist highlights a trend in information security research: “Attention is increasingly being focused on the physical layer and the potential for exploits that target weaknesses at this fundamental level,” he states.
The classic model of ‘how the internet works’, explains Ossman, is Open Systems Interconnection.
The OSI model is defined by seven consecutive layers, with the higher ones resting on the lowers. The base level, Layer 1, is the physical hardware, itself is divided into two distinct devices: ‘PHY’ (the chips that transmit and receive electronic signals) and ‘MAC’ (Media Access Control). Layer 2 is the Data Link Layer; Layer 3 the Network Layer; Layer 4 the Transport Layer; Layer 5 the Session Layer; Layer 6 the Presentation Layer; and Layer 7 is the Application Layer.
The crucial concept pertaining to the OSI layers that can be exploited by attackers, says Ossman, is that by intercepting and taking control of a lower layer, it is possible to gain control of the higher ones.
Or, as he puts it: “In general, the lower the layer the attacker controls, the higher the privilege they attain, because the lower layers encapsulate the upper layers.”
In simple terms, if a hacker can interfere with network transmission of data, which Ossman says is easily accomplished through several methods that can compromise wired or wireless networks, they can hierarchically gain control of complete computer systems.
“It is an elevation of privilege by breaking the boundaries between the layers of a communications system,” he says.
Hackers can do that, explains Ossman, by synthesising a signal at one layer – typically the MAC at Layer 1 – to cause a crash at another. As someone who makes hardware-based hacking tools, he says hacking into wireless networks has been shown to be easy, using inexpensive wireless transceiver Integrated Circuits.
This problem, he continues, isn’t widely recognised because in the computer networking environment, it is generally assumed that the network layers provide a security boundary.
“This research breaks assumptions about layers; we learn that the boundaries between are not security boundaries, but are instead ‘boundaries of competence’,” Ossman adds.
In general, the lower the layer the attacker controls, the higher the privilege they attain, because the lower layers encapsulate the upper layers
‘Boundaries of competence’ refers to the fact that the skills required to become an expert on any one layer do not transfer to other layers – giving rise to gaps that can be exploited by hackers.
While he is speaking specifically in terms of network hardware, Ossman points out that physical hardware layers exist elsewhere, including in server and data storage systems, which also operate on the OSI model. Therefore, he says, the risks presented by the hardware layer – and the ability for an attacker to exploit those risks – are widespread.
“In the world of computation, the concept of layers applies. You have an application layer on top of an operating system layer, which sits on top of a hardware layer. Once again, go a layer down to control the layers on top. Get to the bottom layer and you can attack any layer above because of the elevation of privilege.”
Ossman’s contribution demonstrates the necessity for information security professionals to take a rigorous and holistic view of the risk faced by any organisation.
Software is widely understood to be the most commonly targeted aspect of security – but as Ossman has made clear, if the underlying hardware can be compromised, all the software in the world won’t stop a determined attacker.
Peter Bailey is general manager at Aura Information Security.
Send news tips and comments to email@example.com
Follow CIO New Zealand on Twitter:@cio_nz
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.