Note: The first part of this two-part article is here.
Supply chain attacks are not only increasing in number but also in complexity. In fact, according to the Identity Theft Resource Center (ITRC), the volume of supply chain attacks increased by 42% in the first quarter of 2021 over the previous quarter. As the "ITRC 2020 Data Breach" report states, "Supply chain attacks are increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor." This increase has produced an explosion of ransomware attacks, virtualization and Extensible Firmware Interface (EFI) hacks, and secure boot jailbreaks.
As defenses within traditional operating systems have improved over the years, hackers have moved into earlier stages of the boot process and, increasingly, even into the hardware itself.
Arguably the most impactful supply chain attack in history took place last year: It targeted SolarWinds, a manufacturer of IT management solutions. It included multiple attacks that ultimately caused companies and government organizations around the world to execute malicious product updates. The attack showed how adversaries can gain access to a privileged network component, hijack the software build process to inject malicious code into each resulting binary, and then identify customers that use products that they could exploit by leveraging the injected code. While most people in the industry knew such an attack could happen, many are still scrambling to determine how susceptible their companies are to an attack they did not think would happen.
Four Supply Chain Threats of the Future
Attacks like this are why proactively thinking through potential supply chain threats is so crucial. As companies attempt to protect themselves from today's attacks, they should also be considering the next attack wave. Let's review four futuristic possibilities.
1. Sophisticated IC Cloning — Sophisticated integrated circuit (IC) components, such as modern CPUs and microcontrollers, have long been considered far too complex to be replicated accurately by a malicious adversary. However, advances in imaging and deprocessing capabilities have enabled researchers with significantly more powerful tools to reverse engineer designs and potentially replicate the technology. Manufacturers will likely still be safe with today's most cutting-edge technology (between 5nm and 10nm in size), but older technology is likely to be susceptible to clone attacks. Today's most advanced processor technology sizes will likely be safe for five to seven years after release, but manufacturers should assume any older technology may already be cloneable.
2. Hardware Trojans — These attacks have thus far been proven only in academic environments. Due to the significant complexity of implementing hardware Trojans, an attacker is unlikely to trigger one at anything less than an absolutely critical moment. As a result, there have been very few real-world examples of these attacks, and it's even caused struggles for researchers trying to obtain funding to identify such circuitry. While the possibility of such attacks is low, the potential implications are massive. As such, it is almost certain that hardware Trojans exist, and the first major event could be just around the corner.
3. Compromised Signing Keys — Signing keys are used more often as part of standard industry best practices for ensuring the integrity and validating the origin of software. Adversaries that can compromise such keys — either by gaining direct access to the key or by utilizing the key in an unauthorized manner — can create malicious versions of software that the original manufacturer perceives as legitimate. This is especially concerning when the key for verifying a signed image is rooted (or stored) directly in hardware or one-time programmable storage. If the signing key is compromised, then the corresponding verification key must be revoked to prevent the malicious software from being loaded. However, the revocation process for a verification key is rarely well-tested and doesn't happen instantaneously. This means that even if everything goes exactly according to plan and a company can immediately identify a key is compromised, it could take anywhere from weeks to years for all products to be patched and the keys revoked. This makes such an attack a huge risk for companies and a very attractive target for attackers.
4. Insider Attacks — Insider attacks are not new, nor are they something many companies would deny exist. Yet few companies or organizations are willing to address this threat. To be fair, it is likely not due to being lazy or in denial, but rather because a company asserting that it does not trust its employees would be devastating to employee morale. The zero-trust model for supply chain hinges around a fundamental change from the trust-but-verify model to a verify-then-trust model. The psychological impact of such a change on inanimate objects like businesses or companies is one thing; applying it to humans is another. The problem is that attackers just don't care. They will leverage any and every opportunity they can. Companies should therefore consider ways to adjust and find proper balance between security and trust within their organizations as nation-state and well-funded criminal organizations will increase their attempts to perform insider attacks.
Combating Supply Chain Threats with Collaboration
Computing systems today are composed of numerous different components, each of which may impact the security of the total system. As such, it is critical for all companies involved in the computing systems and components manufacturing cycle to work together to improve current approaches and provide better validation for exchanged goods.
There are many industry organizations and efforts aimed at these goals, such as the Global Semiconductor Alliance, Trusted Computing Group, SEMI, the IIC's Industrial IoT Security Framework, NIST's Cyber Supply Chain Risk Management program and its Supply Chain Assurance initiative, ISO/IEC SC27 WG4 TR6114, and more.
If the industry is ever going to get ahead of supply chain security risks, manufacturers should stop asking if advanced attacks will happen and start asking when they will.