The Meltdown and Spectre vulnerabilities disclosed early this year brought hardware security sharply into focus. In the latest episode of our Cyber Security Sauna podcast, F-Secure’s head of hardware security, Andrea Barisani, discusses the critical vulnerabilities and why we should be grateful, plus his passion of securing cars, airplanes, and embedded devices of all kinds. Here are five quick takes from our interview with the founder of F-Secure-acquired hardware firm Inverse Path.
On the challenges of securing hardware versus software:
“Oversights in hardware security most of the time are not easy to patch,” says Barisani. With software, ideally, security flaws are corrected in an update process. But for a fundamental hardware flaw, sometimes costly hardware changes are necessary, or even a complete product recall. This means making the right decisions early on in the design process is imperative.
On why we should be thankful for Meltdown:
Barisani says we’ve been very lucky with Meltdown, because it could have easily meant the end of cloud computing as we know it.
“We are lucky about the fact that it can be mitigated with operating system changes,” says Barisani. “They are very intrusive changes, they are very important changes, but we should be thankful that they can be made, that we can have mitigation strategies for Meltdown. Because, if that would have not been the case…it would have been impossible to enforce the memory separation between virtual machine instances on shared hardware.”
On speculating whether vulnerabilities have been exploited in the wild:
“There is a tendency in the industry when an issue is found to say ‘we’re not aware of any exploitation in the wild’ and this is a very comforting phrase to say,” Barisani says. “You have to be careful with these statements, because they might be true, but also might not be. The fact that there’s no evidence doesn’t mean that you’re not at risk and it doesn’t mean you have the certainty that this hasn’t happened.”
Barisani advocates the principle of conservative security – assume the worst. “We always have to assume that if we have been able to identify (a vulnerability), we haven’t been the only ones to find it.”
On the relationship between safety and security:
Certain industries, like aviation and automotive, have special safety considerations in addition to security.
“When it comes to safety, failure is not an option,” Barisani says. “Which means there is an extensive process to ensure that safety-critical components behave as intended. However, the understanding of the interaction between security and safety is something which is a fairly new topic.” The big challenge, he says, is to make sure that infosec practitioners correctly respect and interact with safety-related processes, which have been established for a very long time.
“Security should learn a lot from the safety culture. We don’t have the culture of ‘failure is not an option’ in traditional software security.”
On the one piece of advice he would give hardware manufacturers:
Barisani says that when security consultants are involved early in the product design process, the manufacturer can make the right design decisions and mitigate security problems ahead of time, before they are baked into silicon or shipped products.
“When we pentest a device and we find issues, we have to go back and repeat this process. But if we can do this process early on, we’re going to mitigate many classes of issues right away,” he says. “Think of security for your hardware devices when you are designing them and involve a third party. It’s gonna be more cost effective and have greater impact on the design of your product.”
For more on hardware security with Barisani, including the blurry line between hardware and software, carrying out one of the first automotive hacks in history, and why not every aviation security problem is necessarily a safety problem, listen to the full episode, which is packed with useful information.