​China Chip hack shines spotlight on hardware and supply-chain risk

By Jimmy Astle and Paul Drapeau, Carbon Black

Recent media disclosures about implants and supply-chain compromise are troubling and should be seen as an opportunity to assess our current threat model and security approach.This situation is the hardware analogue to the software supply chain compromises we have discovered.

The impacts and risk of supply chain compromise is very different depending on the type of target our organisation represents. Adversaries have a lot to gain by placing very covert back doors on the lowest level system components in a multi-tenant cloud infrastructure for example.

This upside is not present in many enterprises and there are easier ways into most infrastructure. On the flip side, hardware supply-chain compromises have the potential for a lot of 'drive by' collateral damage.

Even if an organisation is not the ultimate target of a supply-chain compromise, there is a chance they may acquire components such as those described. Management should consider: 'How much of this hardware was delivered to other companies?' How much of it is on the secondary market?

Although many believe this would never happen to their company, everyone should consider it in their daily electronics use. The issue is not the fact that they are a target, but rather collateral damage to a much longer term play by an adversary.

Management should know where all of the hardware components in the company's data centre are sourced. Questions to consider: How about the delivery companies that take that hardware from the factories where its manufactured to the company's receiving department? What about the software stack used internally? This has avenues for even easier manipulation.

Also assess the software vendor selling backup software for all the company's servers - does management know where that code is developed? What about the shared libraries utilised in that software? Where did they come from? Where do automation systems powering IoT devices such as refrigeration and home security cameras come from?

All these are very real problems in today's globalised and interconnected economy.

EDR solutions, antivirus and typical endpoint security technologies operate within the OS or at higher levels on the system. Unfortunately this leaves a visibility gap in what may be going on at the hardware level. But all hope is not lost - visibility and data from the OS can be an ally in defending against such attacks.

The case here is for correlation of data from multiple sources, userland API, kernel, network stack, network hardware on the wire, etc. Collecting high fidelity, unfiltered data at multiple levels in the environment leads to correlation opportunities in SIEMs and security data lakes.

When network devices see traffic that is not reported at the OS, something may be amiss. When userland or kernel actions seem devoid of on-system stimulus but correspond to events seen elsewhere in the IT stack, it might be time to take a closer look.

We need to be real about the risk to organisations and where this fits in their threat model as well as control set. There are probably more pressing vulnerabilities to be addressed in most environments, and things we can do to improve supply-chain security and look for activity like this.

Should we be doing that? This problem is larger than any single organisation, and spending internal resources to combat it alone likely has much lower ROI than addressing basic security hygiene.

There are ways to improve our supply-chain risks. We are not going to stop all hardware manufacturing or software development overseas, but there are a number of incremental improvements the IT industry could make.

The first and biggest would be the curation and publishing of a 'Google for hardware' - a database where a consumer can plug-in their hardware/software serial numbers and see where every component in their hardware/software was manufactured.

Investing in better 'anti-tamper' mechanisms in hardware and software is a huge area of growth. Unfortunately much of this research is being performed within government think tanks around the world and its application is very specific to military use.

There is no real incentive for a private company to step in here and make a product out of this. It is not super attractive to investors and the pool of consumers would be small in terms of a 'mass-market' product. After all, why do we care where our internet connected microwave is from?

Supplier diversification in hardware is also a mitigating control that organisations should consider, not just for security but for many other reasons too (contract leverage, insulation from shortages or disasters etc).

If server hardware, baseband management, storage, network gear, OSes, hypervisors and other software (think POS or industrial controls) all come from one vendor, the impact of a supply chain compromise is much higher to an ecosystem. Being the organisation with supermicro servers, firewall hardware, NIDS monitoring boxes and SIEM storage doesn't feel good today. Single vendor solutions have advantages, but they are also single points of failure.

This is another reminder that the security problem is a multi dimensional, ever-changing game of cat and mouse. Determined adversaries with resources and creativity will always find a way. As defenders we need to continue to take these eye-opening opportunities to also think outside the box and find new ways to get visibility and data about what is really going on.