Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

// // //
10:00 AM
Connect Directly
E-Mail vvv

4 Future Integrated Circuit Threats to Watch

Threats to the supply chains for ICs and other computer components are poised to wreak even more havoc on organizations.

Note: The first part of this two-part article is here

Supply chain attacks are not only increasing in number but also in complexity. In fact, according to the Identity Theft Resource Center (ITRC), the volume of supply chain attacks increased by 42% in the first quarter of 2021 over the previous quarter. As the "ITRC 2020 Data Breach" report states, "Supply chain attacks are increasingly popular with attackers since they can access the information of larger organizations or multiple organizations through a single, third-party vendor." This increase has produced an explosion of ransomware attacks, virtualization and Extensible Firmware Interface (EFI) hacks, and secure boot jailbreaks.

Related Content:

The US Must Redefine Critical Infrastructure for the Digital Era

Special Report: Building the SOC of the Future

New From The Edge: 5 Mistakes That Impact a Security Team's Success

As defenses within traditional operating systems have improved over the years, hackers have moved into earlier stages of the boot process and, increasingly, even into the hardware itself.

Arguably the most impactful supply chain attack in history took place last year: It targeted SolarWinds, a manufacturer of IT management solutions. It included multiple attacks that ultimately caused companies and government organizations around the world to execute malicious product updates. The attack showed how adversaries can gain access to a privileged network component, hijack the software build process to inject malicious code into each resulting binary, and then identify customers that use products that they could exploit by leveraging the injected code. While most people in the industry knew such an attack could happen, many are still scrambling to determine how susceptible their companies are to an attack they did not think would happen.

Four Supply Chain Threats of the Future
Attacks like this are why proactively thinking through potential supply chain threats is so crucial. As companies attempt to protect themselves from today's attacks, they should also be considering the next attack wave. Let's review four futuristic possibilities.

1. Sophisticated IC Cloning — Sophisticated integrated circuit (IC) components, such as modern CPUs and microcontrollers, have long been considered far too complex to be replicated accurately by a malicious adversary. However, advances in imaging and deprocessing capabilities have enabled researchers with significantly more powerful tools to reverse engineer designs and potentially replicate the technology. Manufacturers will likely still be safe with today's most cutting-edge technology (between 5nm and 10nm in size), but older technology is likely to be susceptible to clone attacks. Today's most advanced processor technology sizes will likely be safe for five to seven years after release, but manufacturers should assume any older technology may already be cloneable.

2. Hardware Trojans — These attacks have thus far been proven only in academic environments. Due to the significant complexity of implementing hardware Trojans, an attacker is unlikely to trigger one at anything less than an absolutely critical moment. As a result, there have been very few real-world examples of these attacks, and it's even caused struggles for researchers trying to obtain funding to identify such circuitry. While the possibility of such attacks is low, the potential implications are massive. As such, it is almost certain that hardware Trojans exist, and the first major event could be just around the corner.

3. Compromised Signing Keys — Signing keys are used more often as part of standard industry best practices for ensuring the integrity and validating the origin of software. Adversaries that can compromise such keys — either by gaining direct access to the key or by utilizing the key in an unauthorized manner — can create malicious versions of software that the original manufacturer perceives as legitimate. This is especially concerning when the key for verifying a signed image is rooted (or stored) directly in hardware or one-time programmable storage. If the signing key is compromised, then the corresponding verification key must be revoked to prevent the malicious software from being loaded. However, the revocation process for a verification key is rarely well-tested and doesn't happen instantaneously. This means that even if everything goes exactly according to plan and a company can immediately identify a key is compromised, it could take anywhere from weeks to years for all products to be patched and the keys revoked. This makes such an attack a huge risk for companies and a very attractive target for attackers.

4. Insider Attacks — Insider attacks are not new, nor are they something many companies would deny exist. Yet few companies or organizations are willing to address this threat. To be fair, it is likely not due to being lazy or in denial, but rather because a company asserting that it does not trust its employees would be devastating to employee morale. The zero-trust model for supply chain hinges around a fundamental change from the trust-but-verify model to a verify-then-trust model. The psychological impact of such a change on inanimate objects like businesses or companies is one thing; applying it to humans is another. The problem is that attackers just don't care. They will leverage any and every opportunity they can. Companies should therefore consider ways to adjust and find proper balance between security and trust within their organizations as nation-state and well-funded criminal organizations will increase their attempts to perform insider attacks.

Combating Supply Chain Threats with Collaboration
Computing systems today are composed of numerous different components, each of which may impact the security of the total system. As such, it is critical for all companies involved in the computing systems and components manufacturing cycle to work together to improve current approaches and provide better validation for exchanged goods.

There are many industry organizations and efforts aimed at these goals, such as the Global Semiconductor Alliance, Trusted Computing Group, SEMI, the IIC's Industrial IoT Security Framework, NIST's Cyber Supply Chain Risk Management program and its Supply Chain Assurance initiative, ISO/IEC SC27 WG4 TR6114, and more.

If the industry is ever going to get ahead of supply chain security risks, manufacturers should stop asking if advanced attacks will happen and start asking when they will.

Dr. Matthew Areno is a Principal Engineer at Intel Corporation in Security Architecture and Engineering group. Areno completed his Bachelor's and Master's degrees at Utah State University in 2007 and took a position with Sandia National Labs. At Sandia, he focused on ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...