Thursday, October 8, 2020

Will there ever be supply chain attacks on firmware?

Last Friday, I watched an excellent webinar on software supply chain security, which focused on aDolus – a really interesting company offering a potentially very useful service for supply chain security. The webinar started with an excellent presentation on supply chain security by Patrick Miller – who I believe needs no introduction to anybody in the North American electric utility cybersecurity/CIP compliance world. In his presentation, Patrick focused on both hardware and software supply chain security risks.

After Patrick spoke, there was an active chat session conducted on the webinar site. Somehow it moved to the subject of hardware vs. software supply chain risks (or maybe I moved it myself. I can’t remember, and I don’t have access to the chat text now). I expressed the opinion that supply chain risks to software were much more pervasive than supply chain risks to hardware (I’ve hinted at this idea in several posts, but never devoted a post to it. I hope to do so in the not-too-distant future).

Was this last statement simply an intuition due to pure brilliance on my part? I’m afraid not. It was definitely due to brilliance, but not mine – rather, that of Matt Wyckhouse, the founder and CEO of Finite State, which is another very interesting company. I’ve known Matt since the beginning of this year, but what I said about firmware attacks came from a very good paper from Finite State entitled “Huawei Supply Chain Assessment”, and specifically the section titled “SUPPLY CHAIN SECURITY CHALLENGES”, which starts on page 12.

I will summarize the discussion I think is most relevant from this section, but I strongly recommend you read the whole section, because there is a lot more in there. What I said about firmware is based on the following chain of logic, which isn’t exactly in the order it’s presented in the paper:

· A vulnerability is a flaw in software or firmware, and a backdoor is a vulnerability that is uniquely known to the attacker. Of course, at least 95% of backdoors (or so I would think) are intentionally inserted by the manufacturer to make it easier for them to troubleshoot the device later.

· There are three kinds of supply chain cybersecurity attacks: hardware, firmware and software. A hardware supply chain attack requires physically altering the microcode of a microprocessor or a field programmable gate array, or adding another component onto a board that can enable access or data exfiltration. These attacks are fiendishly difficult to execute; moreover, “No software defenses can truly overcome a hardware backdoor, and they cannot be patched after detection.”

· Of course, we know there are software supply chain attacks. They usually involve insertion of a backdoor or a hidden user account. These happen regularly. I discussed two examples in this post and this one.

· And then there are supply chain attacks on firmware. To understand why I say there’s never been a supply chain attack on firmware, read the section titled “Modern Electronics Supply Chains” on pages 12 and 13 of the report. That section describes the complex web of suppliers and integrators that contribute to a component that goes into an electronics product, each of which contributes to the final firmware image, with no supervision of the overall process.

· The section concludes by saying “In the end, that image could contain software written by thousands of engineers at dozens of companies across many different countries.” Of course, this inevitably results in lots of vulnerabilities (certainly many more than are found in most software products).

I need to confess that I told Patrick on Friday that there’s never been a supply chain cyberattack on firmware; that isn’t accurate. It is accurate to say that it would be close to impossible, if a vulnerability were exploited in a cyberattack, for an investigator ever to conclude it was due to a supply chain attack (i.e. a backdoor), rather than just due to somebody exploiting one of the numerous vulnerabilities found in your average firmware package.

And it’s those numerous vulnerabilities that point to another reason why it’s unlikely there will ever be a clear supply chain attack on firmware: With so many different vulnerabilities to exploit in firmware, why would your average Joe Hacker – or even your average Vladimir Nation-State – go to all the trouble of crafting and executing a supply chain attack? As Patrick pointed out in his presentation, supply chain attacks are awfully hard to execute and usually take a lot of resources; it’s better to go in the wide-open front door, not the back door with multiple locks, a security camera and guard dogs. After all, cyber-attackers need to pay attention to costs, just like the rest of us do. 

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
