2.3.3 Hardware Vulnerabilities
Firmware, EoL, legacy.
Hardware vulnerabilities are physical or low-level firmware weaknesses that expose an organization’s assets to exploitation, often stemming from aging equipment or supply chain issues.
Legacy Systems and Lifecycle Risks As organizations grow, they often retain older equipment that remains functional but poses significant security risks. These systems are "internal vulnerabilities" because they operate inside the perimeter but lack modern defenses.
- Legacy Systems: Older hardware or software (e.g., a Windows 7 machine) that is no longer receiving security updates. These often lack the processing power for modern encryption or security agents.
- End of Life (EOL): The point at which a vendor stops marketing or selling a product. While the product is no longer for sale, the vendor may still provide limited patches or support for a period.
- End of Service Life (EOSL): A critical security milestone where the vendor officially ceases all support, including security updates and technical assistance. Systems in EOSL are highly vulnerable to new exploits.
- Licensing and Compliance: Using hardware or software that is out of compliance or unlicensed creates financial and legal vulnerabilities, often discovered during audits.
Firmware and Embedded Vulnerabilities Firmware is the permanent software programmed into a hardware device's Read-Only Memory (ROM). Because it sits "below" the operating system, its vulnerabilities are harder to detect and remediate.
- Firmware Vulnerabilities: Weaknesses in the low-level code that controls hardware (e.g., BIOS/UEFI, routers, or IoT devices). Attackers target these to gain persistent, high-privilege access.
- Insecure Defaults: Hardware often ships with factory-set "admin/admin" credentials or open ports that users forget to change.
- Lack of Updates: Many embedded systems lack an easy mechanism for patching, meaning a discovered vulnerability may remain for the life of the device.
Supply Chain and Physical Environments The security of hardware depends on its origin and where it is physically housed.
- Supply Chain Concerns: Risks associated with the manufacturing and distribution of hardware. This includes the potential for "backdoors" installed during manufacturing or the use of counterfeit components.
- Environmental Monitoring: Hardware can fail or become vulnerable if physical conditions aren't managed. This includes temperature and humidity controls to prevent hardware degradation.
- Hot and Cold Aisles: Physical layouts in data centers designed to manage airflow and prevent hardware overheating, which can lead to availability issues (Denial of Service).
Quick Recall - EOL vs. EOSL: EOL means "no longer sold"; EOSL means "no longer supported/patched." - Legacy Risk: The primary risk is the lack of security updates for newly discovered threats. - Firmware: Always check the vendor website directly for firmware updates and security advisories. - Supply Chain: Includes hardware, software, and services; verified through supply chain assessments.