October 9, 2018
In the past few months, media reporting1 2 on alleged Chinese backdoors via one or more types of hardware implants which compromised American products and companies has raised the public’s awareness of the risk of security compromise via hardware.
For those of us who deal with hardware security daily, such allegations are not a big surprise. Our team has worked on designing, securing, and hacking hardware used in places ranging from startups to security-critical government applications, and one item that is in almost every assessment that we do is a circuit board tear-down and detailed parts identification.
Why do we spend the time identifying components that a customer has already purchased and specified? It depends. For some assessments, it provides us crucial information about how to break into a system. We can then tell the designer or owner of the system how a bad actor could compromise it, so that they may design better defenses. In others assessments, as is more relevant here, it serves to answer the crucial question which often arises in complex supply chains: is what I think I bought what I actually got?
Although it’s too early to know for sure, based on our team’s experience, we believe that there are valid questions about some of the technical details in the recent media reporting – but regardless of those details – the fact remains that an outsourced supply chain, with multiple levels, poses risks of attacks. We suggest noting two points which may not be apparent on first read of the articles:
Supply chain security isn’t limited to hardware implantation: In fact, we’ve seen numerous compromises via a firmware modification, either during manufacturing or during a later update. (One case is semi-related to the recent articles 3 4)
Trust in your suppliers alone is not enough: In the case discussed in the Bloomberg article, presumed Chinese agents allegedly used bribes or coercion to get subcontractors to modify designs.
Although it is extremely difficult to be assured that something you purchase from a source you do not fully and totally control is trustworthy, there are a number of steps companies can take to make them more difficult to target. These include implementing a supply chain security program, which can involve obfuscating end users of purchases from manufacturers, buying directly from authorized vendors, verifying parts, doing randomized in-depth inspections, and more. It also can be aided by designing systems which can tolerate, contain, or detect compromise.
We have been fortunate to work with some excellent companies who build supply chain risk mitigations into their product design, development, and manufacturing processes. While it is impossible to eliminate all risk from a system, thoughtful planning and awareness of these fast evolving threats can go a long way in preventing the types of common compromises we see.
If you have questions about your supply chain security in general or in response to specific risks, consider contacting our team of experienced hardware security experts to learn more about what you can do.
Keep an eye out for us sharing more thoughts in a subsequent post, specifically around why hardware implants rarely exist in a vacuum and why firmware security – independently or in tandem with a hardware attack – is crucial.
NOTE: For this blog post we used stock images which are in no way intended to indicate any suspicion of compromise in anything depicted in these images.
- https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies [return]
- https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom [return]
- https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/ [return]
- https://arstechnica.com/information-technology/2017/02/apple-axed-supermicro-servers-from-datacenters-because-of-bad-firmware-update/ [return]