Anyone who follows the tech world knows that information system security is now a big thing; to the point that companies like IBM are putting a lot of effort to promote their security services, and start-ups are getting lots of funding and growing.
Information system security is really nothing new, its just that no one has paid much attention to it until recently; and the focus seem to mostly be on securing the application.
My question is: who will make sure that the attack vector will not come from the hardware layer? I feel that it's a matter of time that someone will formulate a way to send data packet where the network device driver will cause some sort of buffer overflow.
Device drivers have the same privileges as the OS itself; get in that way and you already got all the privileges you can ever want. You are free to do whatever you want to do at that end.
Maybe I just haven't seen it yet, so I thought I'd ask: Who is reviewing the device drivers and making sure that it's not vulnerable to the same vulnerabilities that browsers, PDF readers, web servers, and any other applications are plagued with?
I feel at that point the target will be the hardware itself. To be honest, we've seen it with the Stuxnet virus. This virus didn't only search for specific industrial hardware, it modifies the PLC of its target hardware.
A common thief will break into a home that they can break into easily; however, a sophisticated cat burglar will break into a museum.
Currently, the easiest way to break into a system is through the software layer; however, I feel that sooner or later someone will figure out a way to formulate an attack using the hardware layer.
I hope that the information security industry has a way to mitigate this when it happens.
Cross-posted from Home+Power