One of the biggest tech stories in recent days was an investigative piece by Bloomberg called “The Big Hack.” In a nutshell, the story describes how China used its access to the American motherboard supply chain to plant a chip the size of a grain of rice. According to the story, the chip’s purpose was “telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code” (Robertson & Riley, 2018). This isn’t so different from what a rootkit does, but what makes the story so alarming is that these devices were vulnerable out of the box. That isn’t unheard of when counterfeit products are purchased by accident, but these devices carried the stamp of approval of their manufacturer and seller.
What this means going forward is that true security means knowing where your products came from and who had access to them between their conception and your purchase. Supply chain manipulation is not a new idea. In 2004, the U.S. Department of Defense (DoD) created the Trusted Foundry Program. Its goal is to ensure that the production of military and government equipment that uses microelectronics follows a hardened development method and has a supply chain secured against external threats (Maymi & Chapman, 2018). There are currently 74 trusted suppliers on the list, and Super Micro Computer Inc. is not one of them. The list is widely available to those outside the government, so one major way to prevent sophisticated attacks like this would be to source important infrastructure from one of these companies.
This would be a good idea for new equipment, but what about equipment that has already been purchased? The chip in “The Big Hack” story was found by a third-party company that examined the boards and discovered it. That service was most likely expensive, but some of this work can be done in-house to a degree. Most manufacturers provide documentation with the parts/equipment or make it easily available online. Comparing that documentation to the physical device/part is a good first step in determining whether the hardware has been tampered with. Reverse engineering hardware is no small task, but simply looking at the physical components can give insight into possible security holes.
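As an added example (not part of the original post), the comparison described above can be turned into a simple first-pass screen: the manufacturer's documented bill of materials is compared, designator by designator, against what an inspector records on the physical board. The CSV layout, reference designators, part numbers and descriptions below are all constructed placeholders; a real check would use the vendor's actual documentation.

```python
"""Compare a documented bill of materials (BOM) with what is observed on a board.

Added example, not from the original post. It assumes a simple CSV with a
reference designator, part number and short description, as a manufacturer's
documentation might provide, and a second CSV listing what an inspector actually
recorded on the physical board. All values are constructed placeholders.
"""
import csv
import io

# Constructed documented BOM (stands in for the manufacturer's documentation).
DOCUMENTED_BOM = """\
ref,part,description
U1,PLACEHOLDER-BMC-001,baseboard management controller
U2,PLACEHOLDER-FLASH-8M,SPI boot flash
R10,PLACEHOLDER-RES-10K,10k pull-up
J3,PLACEHOLDER-CONN-RJ45,management ethernet jack
"""

# Constructed inspection record of the physical board.
OBSERVED_BOARD = """\
ref,part,description
U1,PLACEHOLDER-BMC-001,baseboard management controller
U2,PLACEHOLDER-FLASH-16M,SPI boot flash
R10,PLACEHOLDER-RES-10K,10k pull-up
U9,UNMARKED,small 6-pin package near SPI bus
"""


def load_bom(text):
    """Parse a BOM CSV into {ref: {"part": ..., "description": ...}}."""
    rows = csv.DictReader(io.StringIO(text))
    return {
        r["ref"].strip(): {
            "part": r["part"].strip(),
            "description": r["description"].strip(),
        }
        for r in rows
    }


def compare_boms(documented_text, observed_text):
    """Return the three kinds of discrepancy an inspector wants to see.

    - extra: designators on the board that the documentation does not list
    - missing: documented designators that could not be found on the board
    - mismatched: designators in both, but with a different part number
    """
    documented = load_bom(documented_text)
    observed = load_bom(observed_text)
    extra = sorted(set(observed) - set(documented))
    missing = sorted(set(documented) - set(observed))
    mismatched = sorted(
        ref
        for ref in set(documented) & set(observed)
        if documented[ref]["part"] != observed[ref]["part"]
    )
    return {"extra": extra, "missing": missing, "mismatched": mismatched}


def report_lines(documented_text, observed_text):
    """Human-readable findings; an 'extra' part is the one that most needs follow-up."""
    observed = load_bom(observed_text)
    documented = load_bom(documented_text)
    result = compare_boms(documented_text, observed_text)
    lines = []
    for ref in result["extra"]:
        lines.append(f"EXTRA      {ref}: {observed[ref]['description']} (undocumented)")
    for ref in result["missing"]:
        lines.append(f"MISSING    {ref}: {documented[ref]['description']}")
    for ref in result["mismatched"]:
        lines.append(
            f"MISMATCH   {ref}: documented {documented[ref]['part']}, "
            f"observed {observed[ref]['part']}"
        )
    return lines


if __name__ == "__main__":
    for line in report_lines(DOCUMENTED_BOM, OBSERVED_BOARD):
        print(line)
```

An undocumented part is the case worth escalating; a missing or substituted part is usually a revision change, but it still deserves a question to the vendor before the board goes into production.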
Beyond that, either expensive third-party services or specialized equipment and expertise would be needed to determine further whether the hardware has been tampered with. However, I think it is important to point out that, while this particular attack gives the adversary an upper hand they wouldn’t have otherwise, a good layered security plan would also go a long way toward preventing or detecting it. The machine itself would likely have no way of detecting or reporting the issue, but there would be traces on the network showing that the machine was behaving peculiarly. If the device reached out to the internet, the routers in its path should be logging that traffic. Intrusion Detection and Prevention Systems should be analyzing these logs for strange behavior. This is especially true for server infrastructure: there should be a good understanding of the traffic expected from a server, and it should not be allowed to communicate indiscriminately with unknown internet hosts.
Supply chain manipulation and hardware integrity will continue to be areas of focus as attacks like this become more common and sophisticated. The most important thing I’ve taken from this story is that these areas must be strengthened and kept in focus, both to ensure that bad hardware doesn’t get into the network in the first place and to ensure there is a plan in case it does.
References:
Maymi, F. J., & Chapman, B. (2018). CompTIA CSA Cybersecurity Analyst Certification All-in-One Exam Guide (Exam CS0-001). McGraw-Hill Education.
Robertson, J., & Riley, M. (2018, October 04). The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies. Retrieved October 08, 2018, from https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies