Hacking the Electronics Supply Chain: Easier Than you Think?

If you thought that hacking into an electronic manufacturer’s component supply chain required a fab of one’s own, think again. Wired magazine recently reported on recent simulation that showed how someone using “only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online,” could implant a device the size of pinky fingernail into the motherboard of a communications firewall.

In the project, the stowaway chip was then programmed to attack as soon as the firewall booted up in a target’s data center. It poses as a security administrator accessing the firewall configurations by connecting their computer directly to that port. Once in, the chip triggers the firewall’s password recovery feature, creating a new admin account and gaining access to the firewall’s settings in a way that most IT admins wouldn’t likely notice.

Although the exercise was not intended to imply that people are already doing this, it does raise some valuable points:

• It demonstrates how easily an ill-intentioned nation state, ID thief, or IP thief can penetrate a component supply chain if they can get access to the electronics, for example, via an employee on the fab line
• Because the attack triggers on boot, embedding authentication and verification to ensure a clean boot is critical
• Component manufacturers should take measures to prevent access to the electronics through PKI encryption and authentication to access firmware
• To prevent after-the-fact access, critical firmware should be housed in physically anti-tamper enclosures

 
Of course, the best way to enforce these measures it to source critical components from trusted electronics manufacturers – ideally in the USA.

For more information about how Bedrock Automation enforces such criteria in its totally U.S.-based production facilities see Sam Galpin’s feature: How Locally Sourced Intrinsically Secure Components Keep the Supply Chain Secure.