theDocumentId => 1341487 4 Future Integrated Circuit Threats to Watch

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

7/16/2021
10:00 AM
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

4 Future Integrated Circuit Threats to Watch

Threats to the supply chains for ICs and other computer components are poised to wreak even more havoc on organizations.

Note: The first part of this two-part article is here

Supply chain attacks are not only increasing in number but also in complexity. In fact, according to the Identity Theft Resource Center (ITRC), the volume of supply chain attacks increased by 42% in the first quarter of 2021 over the previous quarter. As the "ITRC 2020 Data Breach" report states, "Supply chain attacks are increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor." This increase has produced an explosion of ransomware attacks, virtualization and Extensible Firmware Interface (EFI) hacks, and secure boot jailbreaks.

Related Content:

The US Must Redefine Critical Infrastructure for the Digital Era

Special Report: Building the SOC of the Future

New From The Edge: 5 Mistakes That Impact a Security Team's Success

As defenses within traditional operating systems have improved over the years, hackers have moved into earlier stages of the boot process and, increasingly, even into the hardware itself.

Arguably the most impactful supply chain attack in history took place last year: It targeted SolarWinds, a manufacturer of IT management solutions. It included multiple attacks that ultimately caused companies and government organizations around the world to execute malicious product updates. The attack showed how adversaries can gain access to a privileged network component, hijack the software build process to inject malicious code into each resulting binary, and then identify customers that use products that they could exploit by leveraging the injected code. While most people in the industry knew such an attack could happen, many are still scrambling to determine how susceptible their companies are to an attack they did not think would happen.

Four Supply Chain Threats of the Future
Attacks like this are why proactively thinking through potential supply chain threats is so crucial. As companies attempt to protect themselves from today's attacks, they should also be considering the next attack wave. Let's review four futuristic possibilities.

1. Sophisticated IC Cloning — Sophisticated integrated circuit (IC) components, such as modern CPUs and microcontrollers, have long been considered far too complex to be replicated accurately by a malicious adversary. However, advances in imaging and deprocessing capabilities have enabled researchers with significantly more powerful tools to reverse engineer designs and potentially replicate the technology. Manufacturers will likely still be safe with today's most cutting-edge technology (between 5nm and 10nm in size), but older technology is likely to be susceptible to clone attacks. Today's most advanced processor technology sizes will likely be safe for five to seven years after release, but manufacturers should assume any older technology may already be cloneable.

2. Hardware Trojans — These attacks have thus far been proven only in academic environments. Due to the significant complexity of implementing hardware Trojans, an attacker is unlikely to trigger one at anything less than an absolutely critical moment. As a result, there have been very few real-world examples of these attacks, and it's even caused struggles for researchers trying to obtain funding to identify such circuitry. While the possibility of such attacks is low, the potential implications are massive. As such, it is almost certain that hardware Trojans exist, and the first major event could be just around the corner.

3. Compromised Signing Keys — Signing keys are used more often as part of standard industry best practices for ensuring the integrity and validating the origin of software. Adversaries that can compromise such keys — either by gaining direct access to the key or by utilizing the key in an unauthorized manner — can create malicious versions of software that the original manufacturer perceives as legitimate. This is especially concerning when the key for verifying a signed image is rooted (or stored) directly in hardware or one-time programmable storage. If the signing key is compromised, then the corresponding verification key must be revoked to prevent the malicious software from being loaded. However, the revocation process for a verification key is rarely well-tested and doesn't happen instantaneously. This means that even if everything goes exactly according to plan and a company can immediately identify a key is compromised, it could take anywhere from weeks to years for all products to be patched and the keys revoked. This makes such an attack a huge risk for companies and a very attractive target for attackers.

4. Insider Attacks — Insider attacks are not new, nor are they something many companies would deny exist. Yet few companies or organizations are willing to address this threat. To be fair, it is likely not due to being lazy or in denial, but rather because a company asserting that it does not trust its employees would be devastating to employee morale. The zero-trust model for supply chain hinges around a fundamental change from the trust-but-verify model to a verify-then-trust model. The psychological impact of such a change on inanimate objects like businesses or companies is one thing; applying it to humans is another. The problem is that attackers just don't care. They will leverage any and every opportunity they can. Companies should therefore consider ways to adjust and find proper balance between security and trust within their organizations as nation-state and well-funded criminal organizations will increase their attempts to perform insider attacks.

Combating Supply Chain Threats with Collaboration
Computing systems today are composed of numerous different components, each of which may impact the security of the total system. As such, it is critical for all companies involved in the computing systems and components manufacturing cycle to work together to improve current approaches and provide better validation for exchanged goods.

There are many industry organizations and efforts aimed at these goals, such as the Global Semiconductor Alliance, Trusted Computing Group, SEMI, the IIC's Industrial IoT Security Framework, NIST's Cyber Supply Chain Risk Management program and its Supply Chain Assurance initiative, ISO/IEC SC27 WG4 TR6114, and more.

If the industry is ever going to get ahead of supply chain security risks, manufacturers should stop asking if advanced attacks will happen and start asking when they will.

Dr. Matthew Areno is a Principal Engineer at Intel Corporation in Security Architecture and Engineering group. Areno completed his Bachelor's and Master's degrees at Utah State University in 2007 and took a position with Sandia National Labs. At Sandia, he focused on ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3663
PUBLISHED: 2021-07-25
firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts
CVE-2021-23413
PUBLISHED: 2021-07-25
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.
CVE-2021-37436
PUBLISHED: 2021-07-24
Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing pers...
CVE-2021-32686
PUBLISHED: 2021-07-23
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and ...
CVE-2021-32783
PUBLISHED: 2021-07-23
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy rem...