China Chip Hack Shines Spotlight on Hardware and Supply-Chain Risk
By Jimmy Astle, Senior Threat Reseracher, and Paul Drapeau, Enterprise Architect – Security Efficacy at Carbon Black,
Recent revelations in the press from Bloomberg regarding Chinese hardware implants and supply-chain compromise are troubling and should be seen as an opportunity to assess our current threat model and security approach. This recently revealed situation is the hardware analogue to the software supply-chain compromises we have discovered and written about in the past.
In truth, we’re not all companies like Apple or Amazon and the impact and risk of supply-chain compromise is very different depending on the type of target our organisation represents. Adversaries have a lot to gain by placing very covert back doors on the lowest level system components in a multi-tenant cloud infrastructure for example.
This upside is not present in many enterprises and, frankly, there are easier ways in to most infrastructure. On the flip side, hardware supply-chain compromises have the potential for a lot of “drive by” collateral damage. Even if an organisation wasn’t the ultimate target of a supply-chain compromise, like the one described by Bloomberg, there is a chance they may acquire components such as those described. Ask yourself: “How much of this hardware was delivered to other companies?” and “How much of it is on the secondary market?”.
You may think, “This would never happen to me” but this is something we should all consider in our daily electronics use. It’s not the fact that you are a target but rather collateral damage to a much longer-term play by an adversary. Do you know where all of the hardware components in your data centre are sourced? How about the delivery companies that take that hardware from the factories where its manufactured to your receiving department? What about your software stack that you use internally? This has avenues for even easier manipulation. That software vendor that is selling you backup software for all of your servers. Do you know where that code is developed? What about the shared libraries that are utilised in that software – do you know where that comes from? Where do automation systems powering IoT devices, such as refrigeration and home security cameras come from? This is a very real problem in our globalised and interconnected economy.
EDR solutions, antivirus, and typical endpoint security technologies operate within the OS or at higher levels on the system. Unfortunately this leaves a visibility gap in what may be going on at the hardware level. All hope is not lost. Visibility and data from the OS can be an ally in defending against such attacks.
The case here is for correlation of data from multiple sources, user land API, kernel, network stack, network hardware on the wire, etc. Collecting high fidelity, unfiltered data at multiple levels in the environment leads to correlation opportunities in SIEMs and security data lakes. When network devices see traffic not reported at the OS something may be amiss. When userland or kernel actions seem devoid of on system stimulus but correspond to events seen elsewhere in the IT stack, it might be time to take a closer look.
Be real about the risk to your organisation and where this fits in your threat model as well as control set. There are probably more pressing vulnerabilities to be addressed in most environments. While there are things you can do to improve supply-chain security and look for activity like this. Should you be doing that? This problem is larger than any one organisation and spending internal resources to combat it alone likely has much lower ROI thas addressing basic security hygiene.
What are some ways to improve our supply-chain risks you might ask? Well, we are certainly not going to stop all hardware manufacturing or software development overseas. There are a number of incremental improvements we could make in our industry. The first and biggest would be the curation and publishing of a “Google for hardware” – a database where a consumer can plugin their hardware/software serial numbers and see where every component in their hardware/software was manufactured.
Investing in better “anti-tamper” mechanisms in hardware and software is a huge area of growth. Unfortunately much of this research is being performed within government think tanks around the world and its application is very specific to military use. There is no real incentive for a private company to step in here and make a product out of this. It is not super attractive to investors and the pool of consumers would be small in terms of a “mass-market” product. After all why do I care where my internet connected microwave is from?
Supplier diversification in hardware is also a mitigating control organisations should consider, not just for security but for many other reasons as well (contract leverage, insulation from shortages or disasters etc). If your server hardware, baseband management, storage, network gear, OSes, hypervisors, other software (think POS or industrial controls) all come from one vendor the impact of a supply-chain compromise is much higher to your ecosystem. Being the organisation with supermicro servers, firewall hardware, NIDS monitoring boxes, and SIEM storage doesn’t feel good today. Single vendor solutions have advantages, they are also single points of failure.
This is another reminder that the security problem is multi-dimensional, ever-changing game of cat and mouse. Determined adversaries with resources and creativity will always find a way. As defenders we need to continue to take these eye opening opportunities to also think outside the box and find new ways to get visibility and data about what is really going on.