The recent reports of malicious infiltration into U.S. companies through the addition of a small chip to a motherboard exposed, in alarming fashion, how hackers are bypassing software security and turning to hardware to gain access to and manipulate code, including at the operating system level. While these claims have been vehemently denied, that does not change the fact that hardware and physical hacking are imminent.
More importantly, the reported attack brought to light vulnerabilities on the production line and in the global supply chain. This level of visibility raises concern about the supply chain as an attack vector, which is proving to be a very real threat.
An attack from the inside is one of the market's biggest fears and one of its most challenging problems to solve. China's alleged manipulation of Amazon and Apple boards is just one example. Other significant attacks have already presented themselves and warranted real concern with regard to the U.S. government and critical infrastructure.
In 2016, the FBI released information to the public about Russian operatives injecting malware onto government computers and hacking related technology and equipment in an effort to interfere with the U.S. electoral process. Russia's continued meddling in U.S. affairs was exposed again just two short years later. This time, Russian hackers went after electric grids and nuclear power plants, probing those systems for vulnerabilities and opportunities to gain control over the operating systems.
When developing a security strategy, organizations need to recognize and treat nefarious employees with device access as a critical intrusion point. Because rogue or bad-actor employees have access to devices on the production line and at multiple touchpoints in the supply chain, cybersecurity must start on the production line and continue protecting the device through and after its end of life. It is critical for organizations to take into account that a device could be breached in transit or in storage, even before it is delivered to its designated installation site or endpoint. Enforcing an organization's cyber policy throughout the device life cycle is close to impossible, and the need for a different approach to the security problem is evident. Devices are exposed to multiple entities in multiple geographies, and companies and countries need protection for devices in remote sites regardless of location, network or vendor. Organizations must control and protect products even in remote sites.
As proven many times over, protecting and monitoring software is not enough, and recent attacks dictate that hardware protection is crucial. Furthermore, protecting and monitoring the end device is critical. CPU security features are not always sufficient; what is needed is holistic protection of the end device's firmware that can prevent the outcome of a malicious chip attack, like the ones used by Chinese hackers, from altering operating system code in a persistent manner. Protecting and monitoring CPUs prevents manipulation of the OS in a manner that would enable reading of the data, which in most cases is the main goal of any hacking attempt, failed or successful. The way in which the chip was implanted on the board allowed it to effectively manipulate the stored code by injecting its own code or changing the order of the CPU instructions. This gives the hackers access to the sensitive data stored on the device. By ramping up hardware and end device protection, attacks that alter the operating system and its code can be prevented.
Adding hardware that bypasses every security layer exposes a very real threat at the production level. To counter savvy hackers who have evolved to manipulating the operating system by using hardware to gain access, a solution that protects devices against code manipulation and against takeover of the board must be implemented, addressing the root of the problem and easing the market's biggest fear: attacks from the inside. This is hardware infiltration, CPU infection, and an imminent threat to the global supply chain.