Thursday, October 10, 2019

Hardware supply chain attacks aren’t fantasy!



Just now, I opened up a Wired magazine online story on hardware hacking through the supply chain, and was pleased – although not surprised – to see that Monta Elkins of FoxGuard (who has been featured in this blog at least a couple of times, most recently here) is the subject of the story, discussing how he planted a $200 chip on a Cisco firewall to enable a remote attacker to essentially gain control of the firewall.

The big point of the article is that, while most people probably think a hardware supply chain attack – as in the SuperMicro attack that was the subject of a Bloomberg article last year (which is now the subject of a lot of doubt) – would require the resources of a nation-state to pull off, it could be done by someone like Monta (not that there is anyone like Monta, of course!) with a minuscule budget.

But even that isn’t the most interesting conclusion from the article. That is found in Monta’s sentence that closes the article: "If I can do this, someone with hundreds of millions in their budget has been doing this for a while." In other words, not only could it be done at scale by a number of organizations (mostly state-sponsored, of course), it probably is being done, and has been for some time.

Have a nice day!


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.


1 comment:

  1. Monta emailed me to point out that "the $200 is including the tools/equipment, like a hot air rework station, that many hobbyists will already have. The actual cost of the implant is about $2." Of course, that makes this whole thing even more scary.