The Foundation Is Cracking: Why Hardware Security Can’t Be an Afterthought Anymore
I was scrolling through my security feeds this morning when I came across news that MITRE has finally updated their Most Important Hardware Weaknesses List. While this should have been cause for celebration, I found myself feeling more frustrated than relieved. The update was driven by improved data collection methods, including AI assistance, and input from hardware security experts across industry, academia, and government.
But here’s what stunned me: this list hadn’t been updated since October 2021. We’re talking about nearly four years of silence on one of the most critical aspects of cybersecurity in our increasingly connected world.
The Inconvenient Truth About Hardware Security
This glaring gap raises a fundamental question: Why aren’t MITRE, hardware vendors, and IT and security professionals giving hardware security the importance it desperately needs? We live in an era where everything from our cars to our coffee makers connects to the internet, yet we’re treating hardware weaknesses like an afterthought.
The timing of this update couldn’t be more ironic. Just this week, Cisco and the FBI are once again pleading with the community to update and patch Cisco’s end-of-life routers for an ancient 2018 vulnerability that’s being broadly exploited by Russian hackers linked to the country’s FSB intelligence service. A group known as Static Tundra has been abusing a bug tracked as CVE-2018-0171 over the past year to install backdoors on outdated Cisco routers that are still haunting many corporate and government networks.
Think about that for a moment. We’re in 2025, dealing with a vulnerability from 2018, affecting hardware that should have been retired years ago, while our most authoritative source on hardware weaknesses went silent for years. The disconnect is staggering.
The Real-World Impact
Hardware vulnerabilities aren’t abstract theoretical concerns—they’re the foundation upon which all other security measures are built. When hardware is compromised, everything else becomes suspect. The Static Tundra campaign demonstrates this perfectly: once attackers gain persistent access through backdoors installed on the hardware itself, they can maintain a presence even through software updates and security tool deployments.
The problem extends far beyond aging Cisco routers. Our supply chains are riddled with hardware components from countless vendors, many with undisclosed vulnerabilities or backdoors. From compromised firmware in enterprise servers to vulnerable chips in IoT devices, hardware weaknesses represent a threat landscape that we’ve largely ignored while focusing on the more visible software vulnerabilities.
Building a Path Forward
So how can the security community actually remediate hardware weaknesses? Traditional solutions like Software Bills of Materials (SBOMs) are a start, providing visibility into the components that make up our systems. But they’re not enough on their own.
Fortunately, innovation is happening in the private sector. A number of specialized startups are focusing directly on understanding and managing firmware and hardware-related security. Companies like Binarly and Eclypsium are using AI and other modern techniques to address firmware and hardware security for enterprises and government agencies, while Exein, Embian, and FirmGuard are more specialized, working to secure IoT, automotive, and medical embedded systems. Trapezoid and others are developing new approaches to hardware security validation and supply chain protection.
These companies represent a recognition that hardware security can’t be an afterthought—it requires dedicated tools, expertise, and continuous monitoring just like any other aspect of cybersecurity.
The Hard Questions
But even with these emerging solutions and MITRE’s belated update, we’re still dancing around the fundamental issue. The Static Tundra campaign shows us what happens when we treat hardware security as someone else’s problem. Organizations are running critical infrastructure on hardware that should have been retired years ago, with vulnerabilities that were disclosed when many current security professionals were still in college.
This brings me to the question that keeps me up at night: What is it going to take to make people take hardware security seriously?
Will it take a catastrophic supply chain attack that brings down critical infrastructure? A nation-state campaign that compromises hardware at the manufacturing level? Or perhaps it will require regulatory mandates that force organizations to account for hardware security with the same rigor they apply to software vulnerabilities.
Whatever it takes, one thing is clear: we can’t afford another nearly four-year gap in addressing hardware weaknesses. The threats are real, they’re happening right now, and they’re only getting more sophisticated. The time for treating hardware security as an optional add-on is over.

