October 9, 2018
In the past week, media reporting1 2 on alleged Chinese backdoors via one or more types of hardware implants which compromised American products and companies has raised the public’s awareness of the risk of security compromise via hardware.
For those of us who deal with hardware security daily, such allegations are not a big surprise. Our team has worked on designing, securing, and hacking hardware used in places ranging from tiny startups to security-critical government applications, and one item that is in almost every assessment that we do is a circuit board tear-down and detailed parts identification.
Why do we spend the time identifying components at customer has already purchased and specified? It depends. For some assessments, it provides us crucial information about how to break into a system. We can then tell the designer or owner of the system how a bad actor could compromise it and design better defenses. But in others assessments, as is more relevant here, it serves to answer the crucial question which often arises in complex supply chains: is what I think I bought what I actually got?
Although it’s too early to know for sure, based on our team’s experience, we believe there are likely both we believe that there are valid questions about some of the technical details in the recent media reporting – but regardless of those details – the fact remains that an outsourced supply chain, with multiple levels, poses risks of attacks. We’d suggest noting two points which may not be apparent on first read of the articles:
Supply chain security isn’t limited to hardware implantation: In fact, we’ve seen numerous times when a compromise happens via a firmware modification, either during manufacturing or via a later update. (One case is semi-related to the recent articles 3 4)
Trust in your suppliers alone is not enough: In the case discussed in the Bloomberg article, presumed Chinese agents allegedly used bribes or coercion to get subcontractors to modify designs.
Although it is extremely difficult to be assured that something you purchase from a source you do not fully and totally control is trustworthy, there are a number of steps companies can do to make them a more difficult target. These include having a supply chain security program, including obfuscating end users of purchases from manufacturers, ensuring you are buying directly from authorized vendors, verifying parts, doing randomized in-depth inspections, and more. It also can be aided by designing systems which can tolerate, contain, or detect compromise.
We have been fortunate to work with some excellent companies recently who we have worked with to build supply chain risks into their product design, and designing mitigations in design, development, and manufacturing processes to try and reduce risk – while it is impossible to eliminate all risk from a system, thoughtful planning and awareness of these fast evolving threats can go a long way in preventing the types of common compromises we see.
If you have questions about your supply chain security in general or in response to specific risks, consider contacting our team of experienced hardware security experts to learn more about what you can do.
Keep an eye out for us sharing more thoughts in a subsequent post, specifically around why hardware implants rarely exist in a vacuum and why firmware security – independently or in tandem with a hardware attack – is crucial.
NOTE: We have selected a stock image not of any specific item for use on this blog post, and nothing is intended to indicate any suspicion of compromise in anything depicted in the stock image.
- https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies [return]
- https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom [return]
- https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/ [return]
- https://arstechnica.com/information-technology/2017/02/apple-axed-supermicro-servers-from-datacenters-because-of-bad-firmware-update/ [return]