In a world with an increasingly complex security landscape, hacking has gone well beyond corporate web sites and consumer's computers. More than ever before electronics OEMs need to be aware of the complex and multinational nature of hardware hacking, and plan their supply chain accordingly.
Just last year, for example, a number of smart phones in Asia and India were shipped new from the OEM with the Death Ring Chinese Trojan pre-installed. Clearly, the hackers targeted the supply chain of the phone manufacturer as a clever and effective way to get their exploit sent all over the world.
The problem goes well beyond cell phones, though. Cars are another piece of hardware that is readily hacked. Just yesterday, Wired reported that, at the Usenix security conference, "a group of researchers from the University of California at San Diego plan to reveal a technique they could have used to wirelessly hack into any of thousands of vehicles through a tiny commercial device: A 2-inch-square gadget that's designed to be plugged into cars' and trucks' dashboards and used by insurance firms and trucking fleets to monitor vehicles' location, speed and efficiency." Although this was just a test, it points to how close we are to this type of breach being a reality.
In light of the many threats, then, electronics OEMs need to start focusing on supply chain security with greater intensity than ever before. OEMs that build everything from smart meters to cars are concerned that they are building boards and using chips, but don't know exactly what's on them, Steven Chen, CEO of PFP Cybersecurity, which provides cyber intrusion detection for SCADA, semiconductor, mobile, and network devices, told EBN in an interview. "They want to know, before they plug a board into their product, how do they know that nothing has been hacked?" Chen added.
Design engineers are regularly exposed to counterfeit components that can introduce security holes in electronics products. Often, the product is in production or already released to the public before problems are identified. "The Semiconductor Industry Association (SIA) estimates that counterfeiting costs US semiconductor manufacturers $7.5 billion per year in lost revenue and robs the labor market of 11,000 jobs, according to testimony before the U.S. Senate Committee on Armed Services during the committee's investigation into counterfeit electronic parts in the Department of Defense (DOD) supply chain," a recent article in ECN said.
Historically, identifying counterfeit components has been costly and not always accurate. X-ray, for example, could tell if a pin on a chip was bent, but didn't confirm the chip itself. Special marking allows from tracking of the device, but doesn't always allow for the detection of tampering. "In the past, they might take a one percent sample out of a million (that's a hundred or so pieces), and send it to a lab, if they find a single counterfeit part, they reject the whole lot," said Chen. "It's costly and time consuming."
However, new methods are emerging that offer a much better alternative. "A few of us can give them 100% testing in seconds, in a way that costs almost nothing and gives them a 99% level of confidence," said Chen.
PFP Cybersecurity's technology measures the processor's power consumption and detects anomalies by comparing it against a base reference from trusted software. "We can instantaneously tell if there's malware or a hardware back door," said Thurston Brooks, vice president of product marketing at PFP Cybersecurity. "By setting up a known good baseline, you can tell very quickly if you are looking at chips that are identical or that are doing something different from the gold sample.
Another advantage of this type of testing is that it can be done when the chip is on the board or the finished device—to allow for testing at several points along the supply chain if desired. "Throughout the whole lifecycle of the product, from making it to sitting it on a self to putting it in the customers hand, you can tell if anything has happened in the interim," said Brooks.
Let us know how you are combatting the risk of counterfeit components in the supply chain in the comments section below.
— Hailey Lynne McKeefry, Editor in Chief, EBN