Supply Chain Security: "If I were a Nation State ..."

Have you ever wondered how many different organizations, companies, services, people took part in creating and transporting your computer, router and any other device that you use in your daily life or at work? And why is this dangerous? If not, welcome under the cat for food for thought from Andrew 'bunnie' Huang .

At the beginning of 2019, Andrew Huang presented the Supply Chain Security report at the BlueHat IL conference from Microsoft : “If I were a Nation State ...” . But first, let's get acquainted with the speaker to understand why it is worth listening to his opinion as a specialist in this matter.

Andrew Huang is a security researcher who has a degree in electrical engineering. Known for his research on the safety of Xbox and hardware components of different devices, he participated in the creation of a fully integrated silicon photon chip, an activist of the open-life community. Author of several books on hacking and security: Hacking the Xbox , Hardware Hacker and blogging about its activities in the field of hardware.

In his report Supply Chain Security: "If I were a Nation State ..." he describes the problems of supply chain insecurity in terms of backdoors in the hardware component of many electronic devices.

We made a short review of the report, and for those who want to get acquainted with this topic in more detail, you can watch the original video of the report.

In his report, the author cites the following examples:

• There are cases of delivery and sale of test samples (with appropriate security flaws) of device components instead of final ones. The author came across FPGAs that had erased marks that this was a test sample;

  
  

• An additional element may be added to the device, extending its functionality, for example, for exfiltration of the data stored on it. There have already been unrest associated with the Chinese chips and the internal developments of the special services;

  
  

• At the design or creation stage, “extra” elements may be added to the chip, or under the same chip there may be a second one, exactly the same size, but with quite a different functionality - this can be done for a man-in-the-middle attack;

• another chip may be attached to the chip used in the device, the purpose of which is known only to the person who did it.

The figure below presents a diagram illustrating both the degree of complexity of implementing backdoors and their detection. It is not difficult to trace the dependence - the more complex the implementation process, the more difficult the detection.

The introduction of one chip under another one or changes right inside the chip is difficult to notice even using X-rays and an electron microscope. But sometimes a visual inspection is enough to understand that something is definitely wrong, for example, if the backdoor was embedded in an already finished device and looks like a detached chip.

All of the above may appear in your device at any of the links in the supply chain, to trace which is not always possible. In most cases, serious structures are implicated in the appearance of such backdoors and bookmarks in the imported iron. Because of this, the problem is difficult to fight, and the only way out is independent development and design.

The figure shows several options for the supply chain from the time the chip was developed until the user already had it in the device. Dangers "await" him at each of the links in the chain, and sometimes outside it. There is an option when devices are bought by attackers, backdoors are built into them, and then the attacker returns them to the seller under some pretext. After that, the seller can sell this device again, and thereby put the new owner in danger.

This is a big security issue worth knowing and remembering. And even buying a device or its parts from well-known vendors that one would seem to trust, you can get not only what you want, but also an unpleasant surprise in the form of surveillance and access to personal data.

In the Russian-speaking community of security researchers, not so long ago, the issue of backdoors in hardware was also raised. We suggest listening to the podcast “Fiction and reality: backdoors in hardware and firmware” from the Noise Security Bit and read an article about protecting circuits from reverse engineering from amartology .

And in your opinion, how acute is the problem today?