Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

// // //
10:00 AM
Connect Directly
E-Mail vvv

4 Future Integrated Circuit Threats to Watch

Threats to the supply chains for ICs and other computer components are poised to wreak even more havoc on organizations.

Note: The first part of this two-part article is here

Supply chain attacks are not only increasing in number but also in complexity. In fact, according to the Identity Theft Resource Center (ITRC), the volume of supply chain attacks increased by 42% in the first quarter of 2021 over the previous quarter. As the "ITRC 2020 Data Breach" report states, "Supply chain attacks are increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor." This increase has produced an explosion of ransomware attacks, virtualization and Extensible Firmware Interface (EFI) hacks, and secure boot jailbreaks.

Related Content:

The US Must Redefine Critical Infrastructure for the Digital Era

Special Report: Building the SOC of the Future

New From The Edge: 5 Mistakes That Impact a Security Team's Success

As defenses within traditional operating systems have improved over the years, hackers have moved into earlier stages of the boot process and, increasingly, even into the hardware itself.

Arguably the most impactful supply chain attack in history took place last year: It targeted SolarWinds, a manufacturer of IT management solutions. It included multiple attacks that ultimately caused companies and government organizations around the world to execute malicious product updates. The attack showed how adversaries can gain access to a privileged network component, hijack the software build process to inject malicious code into each resulting binary, and then identify customers that use products that they could exploit by leveraging the injected code. While most people in the industry knew such an attack could happen, many are still scrambling to determine how susceptible their companies are to an attack they did not think would happen.

Four Supply Chain Threats of the Future
Attacks like this are why proactively thinking through potential supply chain threats is so crucial. As companies attempt to protect themselves from today's attacks, they should also be considering the next attack wave. Let's review four futuristic possibilities.

1. Sophisticated IC Cloning — Sophisticated integrated circuit (IC) components, such as modern CPUs and microcontrollers, have long been considered far too complex to be replicated accurately by a malicious adversary. However, advances in imaging and deprocessing capabilities have enabled researchers with significantly more powerful tools to reverse engineer designs and potentially replicate the technology. Manufacturers will likely still be safe with today's most cutting-edge technology (between 5nm and 10nm in size), but older technology is likely to be susceptible to clone attacks. Today's most advanced processor technology sizes will likely be safe for five to seven years after release, but manufacturers should assume any older technology may already be cloneable.

2. Hardware Trojans — These attacks have thus far been proven only in academic environments. Due to the significant complexity of implementing hardware Trojans, an attacker is unlikely to trigger one at anything less than an absolutely critical moment. As a result, there have been very few real-world examples of these attacks, and it's even caused struggles for researchers trying to obtain funding to identify such circuitry. While the possibility of such attacks is low, the potential implications are massive. As such, it is almost certain that hardware Trojans exist, and the first major event could be just around the corner.

3. Compromised Signing Keys — Signing keys are used more often as part of standard industry best practices for ensuring the integrity and validating the origin of software. Adversaries that can compromise such keys — either by gaining direct access to the key or by utilizing the key in an unauthorized manner — can create malicious versions of software that the original manufacturer perceives as legitimate. This is especially concerning when the key for verifying a signed image is rooted (or stored) directly in hardware or one-time programmable storage. If the signing key is compromised, then the corresponding verification key must be revoked to prevent the malicious software from being loaded. However, the revocation process for a verification key is rarely well-tested and doesn't happen instantaneously. This means that even if everything goes exactly according to plan and a company can immediately identify a key is compromised, it could take anywhere from weeks to years for all products to be patched and the keys revoked. This makes such an attack a huge risk for companies and a very attractive target for attackers.

4. Insider Attacks — Insider attacks are not new, nor are they something many companies would deny exist. Yet few companies or organizations are willing to address this threat. To be fair, it is likely not due to being lazy or in denial, but rather because a company asserting that it does not trust its employees would be devastating to employee morale. The zero-trust model for supply chain hinges around a fundamental change from the trust-but-verify model to a verify-then-trust model. The psychological impact of such a change on inanimate objects like businesses or companies is one thing; applying it to humans is another. The problem is that attackers just don't care. They will leverage any and every opportunity they can. Companies should therefore consider ways to adjust and find proper balance between security and trust within their organizations as nation-state and well-funded criminal organizations will increase their attempts to perform insider attacks.

Combating Supply Chain Threats with Collaboration
Computing systems today are composed of numerous different components, each of which may impact the security of the total system. As such, it is critical for all companies involved in the computing systems and components manufacturing cycle to work together to improve current approaches and provide better validation for exchanged goods.

There are many industry organizations and efforts aimed at these goals, such as the Global Semiconductor Alliance, Trusted Computing Group, SEMI, the IIC's Industrial IoT Security Framework, NIST's Cyber Supply Chain Risk Management program and its Supply Chain Assurance initiative, ISO/IEC SC27 WG4 TR6114, and more.

If the industry is ever going to get ahead of supply chain security risks, manufacturers should stop asking if advanced attacks will happen and start asking when they will.

Dr. Matthew Areno is a Principal Engineer at Intel Corporation in Security Architecture and Engineering group. Areno completed his Bachelor's and Master's degrees at Utah State University in 2007 and took a position with Sandia National Labs. At Sandia, he focused on ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file