With cyber-attacks growing in both volume and complexity each year, it should come as no surprise to hear 2024 was marked by many significant, often devastating attacks and hacks. For example, a global survey carried out by HP discovered that one in five businesses have now been impacted by attacks targeting hardware supply chains, and this number is set to rise exponentially.
While the industry continues to make great strides towards securing systems and hardware more effectively, these adversaries continue to find new ways to exploit the weak points in organizations’ security make-up. In this blog, we address just some of the attacks we’ve spotted over the last thirteen months, and how the adoption of a trusted computing approach could have made a difference.
UEFI bootkits
In November 2024, the first Unified Extensible Firmware Interface (UEFI) bootkit designed to target Linux systems was unearthed by ESET researchers. Known as ‘bootkitty’, this malware indicates that attackers are beginning to move away from threats aimed solely at Windows systems and are widening their horizons when it comes to exploiting vulnerabilities.
Created to infect a device’s boot process and gain control of a system at a very low level, a bootkit can be hard to remove once it takes root. However, these types of attacks can be mitigated by storing the UEFI’s integrity measurements within a TPM or DICE-based chain (through FIM), as any tampering with the code – malicious or otherwise – is picked up early. Comparing those measurements against the Reference Integrity Manifest (RIM) then detects changes to the firmware, so that users can take action and the boot process remains secure.
Zero-click attacks
Attacks which require no user interaction in order to exploit devices are known as ‘zero click’, and these have become increasingly commonplace in recent months. In 2024, the SonicWall Capture Labs threat research team became aware of the threat now known as CVE-2024-20017, a critical zero-click vulnerability that affected a number of Wi-Fi chipsets and driver bundles used in products from a variety of major manufacturers. The vulnerability allowed remote code execution without any user input, due to an out-of-bounds write issue.
While patches to mitigate this flaw were released not long after it was discovered, TCG technologies may have been able to secure affected devices by measuring the integrity of the device’s boot firmware. By comparing this against a ‘trusted’ state, any updates or changes would have been detected and mitigated before the system was compromised.
OTP breakers
Last year saw a number of attacks aiming to manipulate an IoT device in order to modify or steal the sensitive information stored in its one-time programmable memory. Critical information pertaining to device security is stored here, including encryption keys which can only be written once before they are rendered unchangeable.
If attackers are able to break the device and read the encryption key stored within, they will be able to encrypt the sensitive data transmitted by the device. They can even create a clone by extracting its unique identifiers and impersonating it to gain unauthorized access to networks. In these instances, DICE can be used to incorporate identity handling within a device’s security processes – this makes it harder for the keys to be read or overwritten, ensuring a device’s identity cannot be stolen for nefarious purposes.
Exploiting the TrustZone
A hardware-based security technology sitting in billions of devices worldwide, ARM TrustZone enables the separation of a system into ‘secure’ and ‘non-secure’ execution environments, known as ‘worlds’. By doing so, it creates an area within the processor – the ‘secure world’ – for sensitive data and code to be run separately from the rest of the system. By dividing memory and system resources between the two areas, non-secure software cannot gain access to the secured information.
However, if hackers are capable of manipulating the data within the secure world – through attacks such as the ARM TZ Snake – then the entire system can be weaponized against its owner. To avoid this issue, DICE or another TPM-based chain of trust should be implemented within the system. This can ensure the secure world code is verified at each stage of the boot process, enabling users to trust that the information stored within the environment is what it presents itself to be.
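To make the mechanism behind the bootkit and TrustZone sections concrete, the following added example (not code from TCG or any TCG specification, and a simplification of both the TPM PCR and DICE designs) simulates a three-stage boot chain: each stage is measured TPM-style into a PCR-like register, a DICE-style secret is derived layer by layer from a constructed Unique Device Secret, and the per-stage digests are checked against a Reference Integrity Manifest. The firmware images, the UDS and the RIM are all constructed placeholders.

```python
import hashlib
import hmac

# Constructed stand-ins for real boot images (UEFI core, bootloader, secure world).
GOOD_CHAIN = [
    ("uefi_core", b"UEFI core image v1.0 (constructed)"),
    ("bootloader", b"Linux bootloader image (constructed)"),
    ("secure_world", b"TrustZone secure-world image (constructed)"),
]
# The same chain with the bootloader replaced by a constructed foreign image.
TAMPERED_CHAIN = [
    (name, b"unknown bootloader image (constructed)" if name == "bootloader" else img)
    for name, img in GOOD_CHAIN
]
UDS = b"constructed-unique-device-secret"  # placeholder; a real UDS lives in the silicon


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def measured_boot(chain) -> bytes:
    """TPM-style extend: pcr = H(pcr || H(stage)), starting from an all-zero register."""
    pcr = bytes(32)
    for _name, image in chain:
        pcr = sha256(pcr + sha256(image))
    return pcr


def dice_chain(uds: bytes, chain) -> bytes:
    """DICE-style layering: each layer's secret = HMAC(previous secret, H(next image)).

    Any change to any earlier image yields a different final secret, so keys derived
    from it (and the identity they prove) no longer match the device's known identity."""
    cdi = uds
    for _name, image in chain:
        cdi = hmac.new(cdi, sha256(image), hashlib.sha256).digest()
    return cdi


def build_rim(chain) -> dict:
    """Reference Integrity Manifest: golden per-stage digests plus the expected final PCR."""
    return {"stages": {name: sha256(img).hex() for name, img in chain},
            "final_pcr": measured_boot(chain).hex()}


def verify_against_rim(rim: dict, chain) -> list:
    """Return the names of stages whose digest differs from the RIM (empty means all match)."""
    return [name for name, img in chain if sha256(img).hex() != rim["stages"].get(name)]
```

Running `verify_against_rim(build_rim(GOOD_CHAIN), TAMPERED_CHAIN)` names the altered stage, and both the final PCR and the DICE-derived secret for the tampered chain differ from the golden values, which is the point at which an attestation or identity check would fail.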
Ensuring greater device protection
If these attacks have anything in common, it’s that they illustrate the evolving nature of cybersecurity threats, and the importance of having a resilient line of defense against them.
This makes the implementation of trusted computing principles a pivotal step when it comes to mitigating cybercrime, and this can be achieved through the adoption of standards like TPM, DICE, CyRes, Platform Certificate and more. The latest specifications of each of these key solutions can be found across our website.