Last October, Bloomberg published a blockbuster story claiming that some of the largest tech companies in the world, as well as sensitive US government and military systems, had been attacked through minute hardware implants that had been inserted at a subcontractor facility during the manufacture of servers from the world’s leading server company, Supermicro.
The story immediately drew forceful — and unprecedentedly detailed — rebuttals from many of the companies involved, creating a mystery that is still being debated: if Bloomberg sourced its story as carefully as it claimed, then how to explain all these detailed rebuttals? And if the rebuttals are to be believed, then how to explain the dozens of people from different companies and agencies who would have had to collude to trick Bloomberg’s reporters into publishing the story?
Bunnie presented a 45-minute talk on supply-chain attacks earlier this month at Microsoft’s Blue Hat conference in Tel Aviv (he pitched the talk before the Bloomberg story broke, but the timing was indeed fortuitous).
I appreciate that 45-minute blocks of time are few and far between for most of us, but this is 45 minutes well spent. Huang walks through several techniques for sabotaging and compromising hardware, and uses his deep expertise in arranging and overseeing electronics manufacture to describe how you could pull these off in the real world, and what difficulties you’d encounter. In all the discussions of the supply chain hack story, I have never seen anything this comprehensive and nuts-and-bolts about what a supply chain hack actually looks like.
It’s a fascinating ride: part spycraft, part chewy logistics, part infosec, and Huang has plenty of “ooh” moments, to say nothing of laugh-lines.
In the end, Huang pronounces judgment on the Bloomberg story, declaring that it fails to pass Occam’s Razor for several reasons — not least that Bloomberg describes these cunning and fiendish implants that are still recognizable as implants, and as Huang demonstrates, there’s no reason for implants to be distinguishable from normal electronic components.
Having set out many ways in which hardware can be compromised (and usually not for spying, but for economic gain — that is, to slide counterfeit or recycled parts into the supply-chain), Huang does not describe what kinds of countermeasures might reliably detect these shenanigans — but he does dangle the possibility that he’ll address this in future talks or writing.
The main insight is that transparency or openness of design by itself does little to secure a supply chain, because the entire situation is one huge TOCTOU problem. Checking hardware design files, locking down the assembly line, and Fedexing the product to your office is like hashing and signing your source code, running it through a trusted compiler, and then sending the binary unencrypted over the Internet and trusting it because it was “thoroughly checked”.
The inverse analysis is equally daunting: in software, one may copy each binary into RAM, hash and check its cryptographic signature, and run it only if it checks out. For hardware, there is no equivalent of “hash this instance of hardware and check its cryptographic signature” before use: “hashing” hardware involves taking it apart and inspecting every transistor and wire, which is both impractical and likely to render the hardware non-functional.
Thus while open source hardware does engender some benefits for security (such as disclosing μ-state for Spectre side-channel analysis and ensuring no backdoors due to design oversight), it addresses a separate problem domain from supply chain attacks. While an open source hardware phone is arguably more trustable than a closed source one, open source is necessary but not sufficient for it to be trusted.
Supply Chain Security Talk [Bunnie Huang]
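To make the TOCTOU analogy in the excerpt concrete, here is a small added Python illustration (not from Bunnie's talk or post) of the software side: a design-time check on the source passes, yet it says nothing about the artifact that actually arrives, which only a use-time check on the received instance can catch. The signing key, the toy "compiler" and the tampered byte are constructed stand-ins (HMAC-SHA256 plays the role of a signature); hardware has no equivalent of the second check.

```python
import hashlib
import hmac

# Constructed signing key; stands in for a real asymmetric signing key.
SIGNING_KEY = b"constructed-demo-key"


def sign(data: bytes) -> str:
    """Toy signature: HMAC-SHA256 over the data (stand-in for a real signature)."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, signature: str) -> bool:
    """Constant-time check that `signature` matches `data`."""
    return hmac.compare_digest(sign(data), signature)


def trusted_compile(source: bytes) -> bytes:
    """Toy deterministic 'compiler': the artifact derived from a checked design."""
    return b"BIN:" + hashlib.sha256(source).digest()


def untrusted_transport(artifact: bytes) -> bytes:
    """Constructed transport that modifies the artifact in flight (one extra byte)."""
    return artifact + b"\x90"


def toctou_demo() -> dict:
    """Check at design time, then check the instance actually received."""
    source = b"int main(void) { return 0; }"   # the 'design files'
    source_sig = sign(source)                  # hashed and signed once, up front

    artifact = trusted_compile(source)         # built on a 'locked-down line'
    artifact_sig = sign(artifact)              # what a use-time check needs

    received = untrusted_transport(artifact)   # what arrives at the office

    return {
        # Time of check: the design still verifies, so the process "looks fine".
        "design_check_passes": verify(source, source_sig),
        # Time of use: only checking the received instance reveals the change.
        "instance_check_passes": verify(received, artifact_sig),
    }
```

The design check returning True while the instance check returns False is exactly the gap the excerpt describes; for hardware, the second function has no practical counterpart.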