Hardware Security Considerations — Tristan Silver
Most people who have worked at a school or a library will be familiar with many basic hardware security measures—traditional lock and key or electronic badge systems to prevent unauthorized access to a building’s servers, cable locks to prevent portable devices such as laptops from being carried off, and systems to back up data to multiple locations, including a remote server located off-site, among other things. While hardware has traditionally been considered immune to attacks that software are vulnerable to, this is hardly the case. Failing to go beyond basic measures of protection is foolhardy, as a hardware attack can lead to compromised data and user privacy just as severely as a software attack can.
In the formulation of a university course on hardware security, Yang et al. (2021) sought to teach students how to defend against different types of hardware attacks by first tasking them with executing these attacks on an experimental hardware module designed for the class. In the course series of 10 experiments, this included hardware Trojan attacks in which malicious modifications were made to a computer’s circuitry, side-channel attacks where measurements of a computer’s functioning such as power consumption or electromagnetic leaks are exploited to extract information from a computer’s chip, fault injection attacks that interrupt the functioning of a device to intentionally cause errors and compromise a system’s security, and bus snooping attacks which extract secret information (such as encryption keys) from a system by physical methods such as soldering additional components onto a computer’s circuit board.
It’s important to know what hardware vulnerabilities are out there so that technology coordinators, who may not have IT degrees, can take measures to defend against them. For example, a security factor to consider when selecting hardware products is to look for those designed to have casings that protect against tampering and/or casings that make it obvious when a device has been tampered with. One example Hahn (2017) gives is that of Estimote Beacons, Bluetooth beacons that are fully encased in a shell, a product feature that makes tampering less likely. In a case study Hahn conducted at the University of Illinois Urbana-Champaign, keeping the beacons hidden from the view of users was an additional security measure he took, as the removal of even one Bluetooth beacon from an array can result in service degradation—if enough are removed from a section, system failure could occur as well.
As the use of electronic devices in the classroom increases, so does the potential for security threats to compromise a school’s system. The relative newness of the study of hardware security and the complexity of computer hardware itself is one of many reasons that it is important to include a diverse group of people on technology committees—end users such as teachers who will be using the hardware in their classrooms, administrations who will oversee the implementation of hardware purchases alongside the technology coordinator, and IT professionals who will be aware of security vulnerabilities and countermeasures that laymen may not know about.
References
Hahn, J. (2017). Chapter 4: Security and Privacy for Location Services and the Internet of Things. Library Technology Reports, 53(1), 23–28.
Yang, S., Paul, S. D., & Bhunia, S. (2021). Hands-On Learning of Hardware and Systems Security. Advances in Engineering Education, 9(2).
Comment by Morgan Dorsky
Tristan you definitely left a lot to consider in your post! It definitely is an undertaking for district personnel to consider the potential threats to hardware and the security implications of these types of breaches. In the coming years, as technology in the classroom becomes more prevalent, I imagine that new jobs will need to be formed just around ensuring that systems and hardware are secure!