HP Inc. Highlights Growing Concern Over Hardware Supply Chain Attacks in Global Study
HP Inc. released the results of a global study, emphasizing the rising concern over state-sponsored threats targeting physical supply chains and the tampering of device hardware and firmware. The study underscores the need for companies to focus on hardware and firmware integrity, as attacks on hardware supply chains and device tampering are expected to increase. The study surveyed 800 IT and security decision-makers responsible for device security.
Key Findings of the Study:
- Nearly one in five (19%) respondents reported that their organization had been affected by state-sponsored actors targeting the supply chains of physical devices such as computers, laptops, or printers. In the U.S., this figure rises to 29%.
- More than a third (35%) of respondents believe their organization, or other organizations they know of, have already been targeted by state actors attempting to insert malicious hardware or firmware into devices through supply chains.
- Overall, 91% believe that state-sponsored actors are targeting the supply chains of physical computers, laptops, or printers to insert malware or malicious components into hardware and/or firmware.
- Nearly two-thirds (63%) believe that the next major state-sponsored attack will involve poisoning hardware supply chains to insert malware.
“System security relies on a secure supply chain, starting with devices built from tamper-proof components and safe transportation. If an attacker accesses a device’s firmware or hardware layer, they gain unparalleled visibility and control over everything happening on the device. Imagine the consequences if this occurred on a CEO’s laptop,” commented Alex Holland, Senior Threat Researcher at HP’s Security Lab.
These Attacks Are Hard to Detect
“These types of attacks are extremely difficult to detect because most security tools operate at the operating system level. Additionally, attacks that penetrate below the OS are tough to remove and fix, exacerbating the challenges faced by IT security teams,” Holland added.
Given the scale of the challenge, it’s no surprise that 78% of respondents are paying more attention to securing their software and hardware supply chains, as attackers increasingly attempt to compromise devices during transport.
Organizations are worried they are blind to supply chain threats affecting their devices. Over half (51%) of the decision-makers surveyed expressed concern that they are unable to verify whether the hardware and firmware of computers, laptops, or printers have been tampered with during transit. Moreover, 77% stated they need a method to ensure hardware integrity to reduce the risk of device tampering.
“In today’s threat landscape, managing security in a distributed hybrid work environment must start with ensuring devices have not been tampered with at the foundational level. This is why HP focuses on delivering PC and print devices with hardware and firmware security designed to be resilient, allowing organizations to manage, monitor, and repair device security throughout the entire lifecycle,” commented Boris Balacheff, Chief Technology Officer for Security Research and Innovation at HP.
HP Wolf Security Recommendations:
In response to these risks, HP Wolf Security advises customers to take the following proactive steps to manage hardware and firmware security from the factory:
- Implement Platform Certificate technology to verify the integrity of hardware and firmware upon delivery.
- Securely manage firmware configurations using technologies such as HP Sure Admin (for PCs) or HP Security Manager (for printers), which enable remote management of firmware using public key cryptography, eliminating the need for less secure password-based methods.
- Leverage factory services to deploy secure hardware and firmware configurations directly from the factory, including features like HP Tamper Lock, Sure Admin, or Sure Recover.
- Monitor the continuous compliance of hardware and firmware configurations across your device fleet.
The study was conducted by Censuswide on behalf of HP Inc. between February 22 and March 5, 2024, and is based on a survey of 803 IT and security decision-makers in the U.S., Canada, the U.K., Japan, Germany, and France. The survey was conducted online.