We detect you are using an unsupported browser. For the best experience, please visit the site using Chrome, Firefox, Safari, or Edge. X
Maximize Your Experience: Reap the Personalized Advantages by Completing Your Profile to Its Fullest. Update Here
Stay in the loop with the latest from Microchip. Update your profile while you are at it. Update Here
Complete your profile to access more resources. Update Here
Cross-reference search

Hardware-Rooted Security for Network Infrastructure

Learn how our PolarFire® SoC’s secure boot, cryptographic isolation and lifecycle management protect enterprise routers from firmware tampering, supply chain attacks and botnet threats. Discover best practices for building resilient network infrastructure.

Introduction

Enterprise routers and switches are increasingly targeted by cyber adversaries due to their strategic position in the network. These devices manage traffic, enforce policies and connect users to critical services. A compromise at this layer can lead to data exfiltration, service disruption or persistent backdoor access.

Common Threats to Network Infrastructure

Modern threats to routers and switches include:

  1. Firmware tampering: Malicious actors tamper with router firmware to gain persistent control, bypass security mechanisms and conduct covert surveillance or attacks. Here's a breakdown of how they do it:

    1. Goals of Firmware Tampering
      • Persistence: Malware survives reboots and factory resets.
      • Surveillance: Monitor traffic, steal credentials or spy on users.
      • Network Control: Redirect traffic, launch MITM attacks or spread malware.
      • Botnet Creation: Enlist routers into botnets for DDoS or crypto-mining.
         
    2. Initial Access

      To tamper with firmware, attackers first need access to the router. They can do this by:
      • Exploiting vulnerabilities in outdated firmware.
      • Using default or weak credentials to log in.
      • Phishing or social engineering to trick users into installing malicious updates.
      • Supply chain attacks where firmware is compromised before the device reaches the user.
         
    3. Firmware Modification Techniques

      Once access is gained, attackers may:
      • Install malicious firmware
        1. Replace the legitimate firmware with a custom version that includes backdoors, packet sniffers or command-and-control (C2) capabilities.
      • Use open-source firmware (like OpenWRT or DD-WRT) as a base and inject malicious code.
         
    4. Patch Existing Firmware
      • Modify specific modules or binaries to alter behavior (e.g., disable logging, redirect traffic).
      • Inject persistent scripts that survive reboots and firmware updates.
         
    5. Exploit Firmware Update Mechanisms
      • Abuse unsecured update channels to push rogue firmware.
      • Exploit lack of signature verification during updates
         
  2. Credential theft and misconfiguration: Weak or default credentials allow unauthorized access.

  3. Routing manipulation: Malicious actors can alter routing tables to redirect, intercept or disrupt network traffic. This type of attack is often part of a broader strategy like man-in-the-middle (MITM) attacks, denial-of-service (DoS) or data exfiltration. Here's how they typically do it:

    1. Gaining Access to the Router or Network Device

      To alter routing tables, attackers first need access to the device. This is achieved by:
      • Exploiting vulnerabilities in router firmware or software.
      • Using default or weak credentials to log in.
      • Phishing or social engineering to trick admins into revealing access.
      • Compromising a connected device and pivoting to the router.
         
    2. Modifying Routing Table Entries

      Once inside, attackers can:
      • Add malicious routes that redirect traffic to attacker-controlled systems.
      • Change default gateways to reroute all outbound traffic.
      • Delete legitimate routes, causing network disruptions or forcing fallback paths.
      • Inject bogus routes using routing protocols like RIP, OSPF or BGP.
         
    3. Techniques Used
      • ARP Spoofing/Poisoning: Alters the ARP table to associate the attacker’s MAC address with the IP of a legitimate device.
      • BGP Hijacking: In large-scale attacks, malicious BGP announcements can reroute traffic across the internet.
      • Static Route Manipulation: Directly editing static routes to redirect traffic.
      • DNS Manipulation: Not routing table-specific, but often used in tandem to redirect domain lookups.
         
    4. Consequences
      • Traffic Interception: Sensitive data can be captured or modified.
      • Service Disruption: Legitimate traffic may be blocked or misrouted.
      • Data Theft: Credentials, financial data or intellectual property can be stolen.
      • Network Surveillance: Attackers can monitor traffic patterns and behaviors.
         
  4. Remote Access Trojans (RATs) and botnets: Malicious actors use Remote Access Trojans (RATs) and botnets to hack routers in order to gain control over network infrastructure, spy on users or launch broader cyberattacks. Here's how each is used in this context:

    1. How RATs Target Routers:
      • Infected Admin Devices: A RAT on a network admin’s PC can be used to access router configuration interfaces.
      • Firmware Exploits: Some advanced RATs exploit known vulnerabilities in router firmware to install themselves directly.
      • Credential Theft: RATs can steal router login credentials stored in browsers or config files.
         
    2. What Attackers Do With RATs:
      • Modify router settings (e.g., DNS, port forwarding).
      • Install persistent backdoors or malware on the router.
      • Monitor or redirect traffic for surveillance or phishing.
      • Disable security features like firewalls or logging.
         
    3. How Routers Become Bots:
      • Exploiting default credentials or unpatched vulnerabilities.
      • Scanning the internet for exposed routers (e.g., via Shodan).
      • Using malware like Mirai, Mozi or VPNFilter, which specifically target routers and IoT devices.
         
    4. What Botnets Do With Routers:
      • Launch DDoS attacks using the router’s bandwidth.
      • Spread malware to other devices on the network.
      • Use the router as a proxy to hide the attacker’s identity.
      • Harvest data from network traffic (e.g., credentials, browsing history).
         
  5. Supply chain attacks: A supply chain attack targets the manufacturing, distribution or update process of a product—in this case, routers—to insert malicious components or code.

    1. Firmware Tampering During Manufacturing
      • Attackers infiltrate the vendor or OEM and inject malicious code into the firmware.
      • This code may include backdoors, data exfiltration tools or remote control mechanisms.
      • Devices ship with compromised firmware that appears legitimate.
         
    2. Compromised Third-Party Components
      • Routers often use third-party chips, modules or software libraries.
      • If these components are compromised, the entire device can be vulnerable.
      • Example: A malicious chip with hidden capabilities embedded in the hardware.
         
    3. Interception During Distribution
      • Devices are intercepted during shipping and "hardware trojaned"—physically modified or reflashed with malicious firmware.
      • This is more common in targeted attacks (e.g., espionage).
         
    4. Malicious Updates
      • Attackers compromise the firmware update server or process.
      • Users unknowingly install malicious updates that appear official.
      • This can be done via DNS hijacking, man-in-the-middle attacks or server compromise.

These threats are difficult to detect and mitigate using software-only solutions. Hardware-based security, such as that provided by PolarFire® SoC, is essential for defense-in-depth.

Notable Real-World Attacks

  1. VPNFilter Malware (2018)
    • Target: Routers from Linksys, MikroTik, Netgear and TP-Link
    • Impact: Over 500,000 devices infected globally
    • Capabilities:
      • Packet sniffing for credentials
      • Device bricking
      • Command-and-control via encrypted channels
    • Attribution: Believed to be linked to a nation-state actor
    • Lesson: Routers with default credentials and outdated firmware are highly vulnerable to modular malware.
       
  2. Cisco IOS Rootkits (2015–2020)
    • Target: Enterprise-grade routers running Cisco IOS
    • Technique: Attackers installed custom implants that survived reboots and firmware upgrades.
    • Impact: Persistent backdoors and traffic manipulation
    • Discovery: Publicized by FireEye and Cisco Talos
    • Lesson: Even hardened enterprise devices can be compromised if firmware integrity is not verified.
       
  3. Sea Turtle DNS Hijacking Campaign (2017–2019)
    • Target: Core routers and DNS infrastructure in the Middle East and North Africa
    • Technique: Attackers gained access to routers and switches to redirect DNS queries to malicious servers.
    • Impact: Credential theft and surveillance
    • Attribution: Suspected state-sponsored group
    • Lesson: DNS hijacking at the router level can compromise entire organizations without endpoint detection.
       
  4. Mandiant APT41 Router Exploits (2022)
    • Target: SOHO and enterprise routers
    • Technique: Exploited known vulnerabilities in outdated firmware
    • Impact: Used as staging points for lateral movement and data exfiltration
    • Lesson: Unpatched routers are often the weakest link in hybrid enterprise environments.

Programmable Security for Low-Power Edge Compute Applications

Securing the edge requires robust security. The PolarFire family of FPGAs and SoC FPGAs is built upon the three fundamental security principles of confidentiality, integrity and authenticity. We offer a cryptographically secured supply chain, side-channel-resistant crypto accelerators, state-of-the-art Physically Unclonable Function (PUF)-based key storage and industry-leading anti-tamper features to protect your design and enable you to deploy edge applications securely.

PolarFire SoC Security Architecture

Secure Boot and Firmware Integrity

PolarFire SoC devices implement a robust secure boot process:

  • Immutable boot ROM confirms that the first code executed is trusted.
  • Signed firmware images are verified before execution, preventing unauthorized updates.
  • Anti-rollback protection affirms that older, vulnerable firmware cannot be reinstalled.

This prevents attackers from injecting malicious firmware or persisting through reboots.

Hardware Root of Trust

Each PolarFire SoC device includes:

  • Factory-programmed cryptographic keys and device-unique identifiers.
  • X.509 certificates for device authentication and supply chain validation.
  • Secure key storage in tamper-resistant memory, isolated from software access.

These features establish a hardware root of trust, enabling secure provisioning, attestation and identity verification.

Cryptographic Acceleration and Isolation

PolarFire SoC integrates a dedicated cryptographic subsystem that supports:

  • Public key algorithms (e.g., AES-256, SHA-384, ECC).
  • Side-channel resistant implementations to protect against power and timing attacks.
  • Hardware-isolated key usage, preventing keys from being extracted or misused by compromised software.

Mitigating Specific Threats With PolarFire SoC

Preventing Remote Access and Botnet Infiltration

PolarFire SoC can prevent RATs and botnet enrollment by:

  • Locking down debug interfaces (e.g., JTAG) with secure fuses.
  • Monitoring for tamper events using voltage, temperature and frequency sensors.
  • Zeroizing sensitive data upon detection of physical intrusion or policy violation.

This certifies that even if physical access is gained, attackers cannot persist or extract secrets.

Securing Routing and Management Traffic

To prevent routing manipulation and credential theft:

  • Secure boot and signed firmware prevent routing logic from being altered.
  • User Provisioning – Rich OS and HSM based with user keys and passcodes.

These features reduce the risk of unauthorized changes and man-in-the-middle attacks.

Supply Chain and Lifecycle Protection

PolarFire SoC supports secure lifecycle management:

  • Device identity attestation confirms authenticity during provisioning.
  • Authenticated firmware updates prevent tampering during deployment or maintenance.
  • Secure debug lockdown certifies that post-deployment access is tightly controlled.
  • Secure Factory Pre-programming

This aligns with best practices for zero-trust architectures and NIST SP 800-193 platform resilience.

Conclusion

PolarFire SoC provides a comprehensive, hardware-rooted security foundation for enterprise routers and switches. By integrating secure boot, cryptographic isolation, tamper detection and lifecycle controls, it mitigates the most critical threats facing modern network infrastructure. For engineers designing next-generation secure networking equipment, PolarFire SoC offers the performance, flexibility and reliability needed to protect the enterprise edge.

For more information, visit our PolarFire SoC web page.

Rich Ford, Jan 6, 2026
Tags/Keywords: Security
Page link copied to clipboard

Live Chat

Need Help?

Privacy Policy