Hardware With Built-In Security Could Be More Secure Than Software, Experts Say
- Kingston has launched the industry-first USB drive with top-of-the-line military-grade security.
- Some cybersecurity experts believe hardware-based security products can help supplement software-only security.
- Others think such hardware security products are much harder to patch than software running on computers.
If one of the leading reasons that help facilitate cyberattacks is weak, unpatched, outdated software, could a strong hardware-based security product eliminate that risk? The answer is slightly more nuanced, suggest security experts.
Kickstarting the discussion was the launch of the IronKey Keypad 200 USB drive, which Kingston claims is the industry’s first drive that delivers military-grade protection for our data. The drive contains several protection mechanisms to ensure stored data can’t be accessed by unscrupulous users and cybercriminals, thanks to a couple of different read-only modes. This could help it combat malware, like the one discovered earlier this year, which spreads via infected USB drives.
“The Kingston IronKey Keypad 200 is an encouraging development in secure removable storage,” Sami Elhini, senior product manager at Cerberus Sentinel, told Lifewire over email. “The strong encryption algorithm, pin lockout feature, self-destruct functionality, and epoxy tamper protection make this device suitable for protecting sensitive information.”
You can think of hardware-based security as a means of protection against attacks that take the form of a physical device rather than using software installed on a computer. Common examples include smart cards that work along with passwords to further strengthen all kinds of online and offline user accounts.
“As we continue to see an increase in the number of software vulnerabilities, adding additional security controls through hardware could certainly be an added benefit for regular users on the consumer side,” Tonia Dudley, VP and CISO at Cofense, told Lifewire over email.
Dudley argues including additional layers of protection and security controls at the hardware level is definitely worth the effort. For instance, she points to Yubico’s Yubikey, which is popularly used for strengthening multi-factor authentication (MFA).
But Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4, isn’t so easily sold on the benefits of hardware security products.
Pointing to the IronKey Keypad 200 USB drive as a useful mobile storage solution, Grimes told Lifewire via email that it’ll attract people looking for the “best and strongest.” However, he argued that most hacking attempts don’t consider whether the target uses encryption or not, let alone the strength of the encryption algorithm.
“Have you heard of a real-world exploit where the defender said, ‘If only I had military-grade encryption, that attack wouldn’t have happened,’?” Grimes asked rhetorically. “No. No one has. Because it isn’t what is being attacked these days.”
Barking up the Wrong Tree
Grimes believes that hardware-based security isn’t going to be any better at preventing most of the attacks prevalent today.
“Most attacks occur because of three reasons: social engineering, unpatched software, and password reuse,” said Grimes. “Hardware, by itself, doesn’t solve any of those problems.” In fact, he said as far as unpatched software is concerned, hardware can be thought of as software that’s just a lot harder to patch.
Pointing to the Known Exploited Vulnerability Catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA), Grimes said the list is full of hardware devices and firmware currently under attack by cybercriminals.
Hammering on his point further, Grimes said that back in the day, it was mostly Microsoft Windows, Google, and Apple software in the attacker’s crosshairs. While attackers still go after these popular pieces of software, their primary targets now are hardware products like routers, hardware-attached storage devices, VPNs, DVRs, and more.
The reason for this ties back to his argument, which is that most people don’t patch hardware with the same sense of urgency that they patch software, a fact that attackers are well aware of.
“I guarantee you that if this [IronKey Keypad 200 USB drive] ends up with a bug, it will take [people] far longer to patch and fix than to update Windows or some other OS component,” said Grimes.
So while hardware-based security solutions can, in some instances, make up for the shortcomings of software-based security solutions, don’t mistake them for a panacea.
Thanks for letting us know!
Tell us why!