WEBVTT

1
00:00:00.090 --> 00:00:01.320
In this lesson,

2
00:00:01.320 --> 00:00:05.100
we will learn about hardware and firmware attacks.

3
00:00:05.100 --> 00:00:09.000
Hardware and firmware attacks exploit vulnerabilities

4
00:00:09.000 --> 00:00:13.470
in the physical components or embedded software of a system.

5
00:00:13.470 --> 00:00:15.990
Firmware attacks could allow attackers

6
00:00:15.990 --> 00:00:20.400
to gain deep access, control, or disrupt operations

7
00:00:20.400 --> 00:00:23.280
at a fundamental machine level.

8
00:00:23.280 --> 00:00:26.460
Hardware and firmware attacks may be recognized

9
00:00:26.460 --> 00:00:29.220
by threat actor tactics, techniques,

10
00:00:29.220 --> 00:00:32.700
and procedures such as firmware tampering,

11
00:00:32.700 --> 00:00:37.020
BIOS or UEFI attacks, and USB-based attacks.

12
00:00:37.020 --> 00:00:39.300
Firmware tampering attacks involve

13
00:00:39.300 --> 00:00:42.870
modifying the embedded software called firmware

14
00:00:42.870 --> 00:00:45.510
that controls hardware devices.

15
00:00:45.510 --> 00:00:49.050
Next, BIOS and UEFI attacks specifically

16
00:00:49.050 --> 00:00:51.240
target the low-level firmware

17
00:00:51.240 --> 00:00:54.150
responsible for booting up a system.

18
00:00:54.150 --> 00:00:57.990
Finally, USB-based attacks are compromised

19
00:00:57.990 --> 00:01:00.390
or malicious USB devices

20
00:01:00.390 --> 00:01:04.830
that deliver harmful code directly to a system's hardware.

21
00:01:04.830 --> 00:01:07.740
Let's learn more about firmware tampering,

22
00:01:07.740 --> 00:01:12.240
BIOS and UEFI attacks, and USB-based attacks.

23
00:01:12.240 --> 00:01:14.940
First, we have firmware tampering.

24
00:01:14.940 --> 00:01:17.550
Firmware tampering is a type of hardware

25
00:01:17.550 --> 00:01:19.110
and firmware attack

26
00:01:19.110 --> 00:01:22.110
where an attacker modifies the embedded firmware

27
00:01:22.110 --> 00:01:25.920
on a device to control or alter its behavior.

28
00:01:25.920 --> 00:01:28.500
Firmware is the low-level software

29
00:01:28.500 --> 00:01:30.690
that runs on hardware components,

30
00:01:30.690 --> 00:01:35.280
such as hard drives, network cards, or even smart devices,

31
00:01:35.280 --> 00:01:39.030
and governs the essential functions of that hardware.

32
00:01:39.030 --> 00:01:42.030
So when attackers tamper with firmware,

33
00:01:42.030 --> 00:01:45.450
they gain persistent control over the hardware,

34
00:01:45.450 --> 00:01:48.360
which is challenging to detect and remove,

35
00:01:48.360 --> 00:01:51.750
because traditional antivirus software typically

36
00:01:51.750 --> 00:01:55.380
doesn't scan the specific sections of hardware memory

37
00:01:55.380 --> 00:01:57.660
where firmware code resides.

38
00:01:57.660 --> 00:02:02.310
Firmware code is often stored in non-volatile memory chips,

39
00:02:02.310 --> 00:02:06.570
like electrically erasable programmable read-only memory

40
00:02:06.570 --> 00:02:11.570
(EEPROM), or flash memory, embedded within devices.

41
00:02:11.880 --> 00:02:13.740
Tampered firmware can then act

42
00:02:13.740 --> 00:02:17.940
as a backdoor providing attackers with ongoing access

43
00:02:17.940 --> 00:02:19.560
to an IT system

44
00:02:19.560 --> 00:02:22.650
and allowing them to bypass security measures

45
00:02:22.650 --> 00:02:26.250
at a very low and difficult-to-detect level.

46
00:02:26.250 --> 00:02:28.470
An example of firmware tampering

47
00:02:28.470 --> 00:02:31.770
is modifying the firmware on a network card

48
00:02:31.770 --> 00:02:34.560
to monitor and intercept data packets

49
00:02:34.560 --> 00:02:37.260
passing through the network interface.

50
00:02:37.260 --> 00:02:41.250
In practice, attackers might use tools like Bus Pirate,

51
00:02:41.250 --> 00:02:45.660
which helps communicate with and analyze hardware protocols

52
00:02:45.660 --> 00:02:49.800
or Flashrom, which can reprogram firmware directly

53
00:02:49.800 --> 00:02:52.260
to conduct this type of attack.

54
00:02:52.260 --> 00:02:56.190
Flashrom in particular allows for reading, writing,

55
00:02:56.190 --> 00:02:58.980
and erasing firmware on various chips,

56
00:02:58.980 --> 00:03:02.850
making it possible for attackers to inject malicious code

57
00:03:02.850 --> 00:03:05.910
into the target hardware's firmware.

58
00:03:05.910 --> 00:03:08.190
Firmware tampering like this can

59
00:03:08.190 --> 00:03:11.790
give attackers long-term access to sensitive data

60
00:03:11.790 --> 00:03:13.380
on the network.

61
00:03:13.380 --> 00:03:17.730
For the exam, it is not necessary to know the names of tools

62
00:03:17.730 --> 00:03:20.220
that could be used in this type of attack

63
00:03:20.220 --> 00:03:22.770
or any of them in this lesson.

64
00:03:22.770 --> 00:03:25.230
This information, the names of tools,

65
00:03:25.230 --> 00:03:28.680
is provided for context and example only.

66
00:03:28.680 --> 00:03:31.230
So to prevent firmware tampering,

67
00:03:31.230 --> 00:03:34.560
organizations should apply firmware updates

68
00:03:34.560 --> 00:03:36.930
from verified sources only

69
00:03:36.930 --> 00:03:40.710
and limit physical access to sensitive devices.

70
00:03:40.710 --> 00:03:44.310
Additionally, implementing firmware integrity checks

71
00:03:44.310 --> 00:03:48.330
and using cryptographic signatures on firmware updates

72
00:03:48.330 --> 00:03:51.690
can help detect unauthorized changes.

73
00:03:51.690 --> 00:03:55.200
Second, we have BIOS and UEFI attacks.

74
00:03:55.200 --> 00:03:58.710
Basic input output system, or BIOS,

75
00:03:58.710 --> 00:04:02.070
and unified extensible firmware interface

76
00:04:02.070 --> 00:04:03.930
or UEFI, attacks

77
00:04:03.930 --> 00:04:06.150
target the low-level firmware

78
00:04:06.150 --> 00:04:09.210
that controls a system's boot process.

79
00:04:09.210 --> 00:04:12.960
The BIOS or UEFI is responsible for initializing

80
00:04:12.960 --> 00:04:15.150
and loading an operating system,

81
00:04:15.150 --> 00:04:18.870
making it a critical component of device security.

82
00:04:18.870 --> 00:04:22.770
BIOS and UEFI attacks are particularly dangerous

83
00:04:22.770 --> 00:04:25.170
because they take control of a system

84
00:04:25.170 --> 00:04:28.140
before the operating system even loads,

85
00:04:28.140 --> 00:04:30.930
which means the attacker can maintain control

86
00:04:30.930 --> 00:04:33.960
over the device at a fundamental level,

87
00:04:33.960 --> 00:04:36.600
even persisting through system reboots

88
00:04:36.600 --> 00:04:39.960
and operating system re-installations.

89
00:04:39.960 --> 00:04:42.390
To conduct an attack, an attacker could

90
00:04:42.390 --> 00:04:45.300
exploit BIOS or UEFI vulnerabilities

91
00:04:45.300 --> 00:04:49.590
using tools like the CH341A programmer,

92
00:04:49.590 --> 00:04:52.920
which provides direct access to firmware chips

93
00:04:52.920 --> 00:04:55.740
to facilitate the dumping, modifying,

94
00:04:55.740 --> 00:04:58.170
and rewriting of firmware.

95
00:04:58.170 --> 00:05:01.890
Attackers could also use tools like PCILeech

96
00:05:01.890 --> 00:05:05.130
to gain low-level access to system memory,

97
00:05:05.130 --> 00:05:08.100
potentially bypassing security controls

98
00:05:08.100 --> 00:05:10.980
and enabling further exploitation.

99
00:05:10.980 --> 00:05:14.310
In any case, by injecting malicious code

100
00:05:14.310 --> 00:05:17.220
into the BIOS or UEFI firmware,

101
00:05:17.220 --> 00:05:21.420
an attacker may gain stealthy control over the system,

102
00:05:21.420 --> 00:05:24.030
allowing them to intercept data

103
00:05:24.030 --> 00:05:26.550
or disable security mechanisms

104
00:05:26.550 --> 00:05:29.580
as soon as the device powers on.

105
00:05:29.580 --> 00:05:33.060
So to prevent BIOS and UEFI attacks,

106
00:05:33.060 --> 00:05:36.090
organizations should enable Secure Boot,

107
00:05:36.090 --> 00:05:38.070
which ensures only signed

108
00:05:38.070 --> 00:05:41.100
and trusted firmware can be loaded.

109
00:05:41.100 --> 00:05:45.150
Next, regularly updating BIOS and UEFI with patches

110
00:05:45.150 --> 00:05:49.770
from official manufacturers addresses known vulnerabilities.

111
00:05:49.770 --> 00:05:52.800
Finally, using tamper-evident hardware

112
00:05:52.800 --> 00:05:54.870
and physical security measures

113
00:05:54.870 --> 00:05:58.950
can prevent unauthorized access to the hardware.

114
00:05:58.950 --> 00:06:03.374
Third and last, we have USB-based attacks.

115
00:06:03.374 --> 00:06:08.070
USB-based attacks exploit the physical USB connection

116
00:06:08.070 --> 00:06:10.680
between a device and a system

117
00:06:10.680 --> 00:06:15.150
to introduce malicious code directly into the hardware.

118
00:06:15.150 --> 00:06:17.670
Attackers may use a compromised

119
00:06:17.670 --> 00:06:22.410
or specially crafted USB device to launch these attacks,

120
00:06:22.410 --> 00:06:26.340
allowing them to bypass traditional security defenses

121
00:06:26.340 --> 00:06:29.430
like antivirus software, firewalls,

122
00:06:29.430 --> 00:06:33.240
and network-based intrusion detection systems.

123
00:06:33.240 --> 00:06:36.270
USB-based attacks are highly effective,

124
00:06:36.270 --> 00:06:39.300
because they leverage direct physical access,

125
00:06:39.300 --> 00:06:42.390
enabling code execution at a level

126
00:06:42.390 --> 00:06:46.050
that can interact directly with the system's firmware

127
00:06:46.050 --> 00:06:47.610
or operating system.

128
00:06:47.610 --> 00:06:51.270
An example of a USB-based attack

129
00:06:51.270 --> 00:06:55.080
utilizes a Rubber Ducky or BadUSB.

130
00:06:55.080 --> 00:06:58.620
These tools look like standard USB drives,

131
00:06:58.620 --> 00:07:01.350
but contain hidden scripts or commands

132
00:07:01.350 --> 00:07:04.860
that execute immediately upon connection.

133
00:07:04.860 --> 00:07:09.180
Attackers may use these devices to install keyloggers,

134
00:07:09.180 --> 00:07:11.160
modify system settings,

135
00:07:11.160 --> 00:07:13.260
or even initiate downloads

136
00:07:13.260 --> 00:07:16.710
of additional malware from remote servers.

137
00:07:16.710 --> 00:07:20.100
So to prevent USB-based attacks,

138
00:07:20.100 --> 00:07:23.520
organizations should implement strict policies,

139
00:07:23.520 --> 00:07:27.960
prohibiting the use of unauthorized USB devices.

140
00:07:27.960 --> 00:07:32.400
Next, disabling autorun features on USB ports

141
00:07:32.400 --> 00:07:35.340
and using USB security software

142
00:07:35.340 --> 00:07:39.000
to scan and authenticate USB devices

143
00:07:39.000 --> 00:07:43.230
before allowing access can mitigate these risks.

144
00:07:43.230 --> 00:07:46.650
And finally, in high security environments

145
00:07:46.650 --> 00:07:49.560
using data-only USB cables,

146
00:07:49.560 --> 00:07:53.250
and physically blocking unused USB ports

147
00:07:53.250 --> 00:07:56.190
can prevent unauthorized access.

148
00:07:56.190 --> 00:08:00.720
So remember, hardware and firmware attacks

149
00:08:00.720 --> 00:08:02.760
target the physical components

150
00:08:02.760 --> 00:08:07.440
and embedded software of systems to gain deep control,

151
00:08:07.440 --> 00:08:11.550
often at levels beyond traditional security measures.

152
00:08:11.550 --> 00:08:15.090
These attacks include firmware tampering,

153
00:08:15.090 --> 00:08:17.040
BIOS and UEFI attacks,

154
00:08:17.040 --> 00:08:19.620
and USB-based attacks,

155
00:08:19.620 --> 00:08:22.110
each leveraging different entry points

156
00:08:22.110 --> 00:08:24.420
to exploit vulnerabilities.

157
00:08:24.420 --> 00:08:27.750
Firmware tampering involves altering the firmware

158
00:08:27.750 --> 00:08:29.940
that controls hardware components,

159
00:08:29.940 --> 00:08:33.810
granting attackers persistent access to a system.

160
00:08:33.810 --> 00:08:36.600
Next, BIOS and UEFI attacks

161
00:08:36.600 --> 00:08:39.720
target the low-level firmware responsible

162
00:08:39.720 --> 00:08:41.670
for booting up a device,

163
00:08:41.670 --> 00:08:44.490
allowing attackers to control the system

164
00:08:44.490 --> 00:08:47.820
before the operating system even loads.

165
00:08:47.820 --> 00:08:52.820
Finally, USB-based attacks are compromised USB devices

166
00:08:53.730 --> 00:08:57.990
that inject malicious code directly into a system,

167
00:08:57.990 --> 00:09:02.373
bypassing many conventional security defenses.

