Supply chain attacks can introduce yet another vector for a network attack

Threatpost have released a fascinating interview with Joe Fitzpatrick, a researcher with Securing Hardware.

Prompted by last year’s Bloomberg article on alleged spy chips being implanted in Supermicro servers, Fitzpatrick and Threatpost editor Tara Seals discuss the many layers in the supply chain of computer hardware, and how each layer can introduce risks for network and hardware security.


“Sometimes it’s pretty hard even to just tell whether you have a counterfeit or genuine component”



The conversationbloomberg-apple-report focused on the integrity of the supply chains for all hardware manufacturers. Where there are costs to be cut and profit to be gleaned, some see no harm in buying products that seem, at a glance, to be the genuine article. Often, these can be sold as “refurbished” or second-hand, terms which resonate strongly with the counterfeit smartphone problem.


When such products are integrated into computer hardware or network equipment, it’s highly unlikely to be spotted once installed. Whereas a counterfeit phone will eventually run out of power and noticeably decrease in performance (while committing unknown privacy and security offences in the background), a dodgy network component can continue to perform relatively well for years and years. Until it breaks and needs replacement, any backdoors or malware contained within can run in the background unchecked.


I was contacted by a lot of people who were asking me if they should tear apart their servers, should they do destructive analysis? Should they search for this?



Fitzpatrick explains the differences between counterfeit for cost and malicious implants within hardware. The former is simply a profit motive, whereas interrupting a supply chain to insert something nefarious is costlier and riskier to implement, but often more difficult to detect. The real dangers occur in smartphones where the cost motive leads to components themselves being the backdoors.


In the world of “bring your own device” workplace policies, these same risks apply. While a well-planned physical attack to install a Raspberry Pi in your server room is clearly high on most organizations’ threat radar, a rogue device joining the corporate network probably doesn’t pop up in the security conversations too often. The impact of both types of intrusions can be similar, as we learned when we analysed a fake iPhone and discovered what it was trying to contact and download.


The lesson is that you can only 100% trust any device if you’ve built it yourself, including every component it contains. Naturally, this is an impossible barrier, so the next best thing is to ensure the devices that you do let access your network are using the same components the original, genuine manufacturer chose to use.


To do that, you need an accurate, reliable, real-time device verification solution, which compares the internal components of each device with known, good configurations. Devices that don’t pass this initial check don’t get to your network – thus eliminating any potential risks within.


Read more about how DeviceAssure does just that here.


You can read the transcript and listen to the Threatpost interview here.


Share on: