SOCIALS 

SUBSCRIBE 

 Keeping you informed | Latest News 

© 2018 Dr. Chaos 

doctorchaos.com and drchaos.com is a blog dedicated to Cyber Counter Intelligence and Cybersecurity technologies. The posts will be a discussion of concepts and technologies that make up emerging threats and techniques related to Cyber Defense. Sometimes we get a little off-topic. Articles are gathered or written by cyber security professionals, leading OEMs, and enthusiasts from all over the world to bring an in-depth, real-world, look at Cyber Security. About this blog doctorchaos.com and drchaos.com and any affiliate website does not represent or endorse the accuracy or reliability of any information’s, content or advertisements contained on, distributed through, or linked, downloaded or accessed from any of the services contained on this website, nor the quality of any products, information’s or any other material displayed, purchased, or obtained by you as a result of an advertisement or any other information’s or offer in or in connection with the services herein. Everything on this blog is based on personal opinion and should be interoperated as such. Contact Info If you would like to contact this blog, you may do so by emailing ALAKHANI(AT)YMAIL(DOT)COM  

CYBER & INFOSEC

"blogger, InfoSec specialist, super hero ... and all round good guy" 

DISCUSSIONS, CONCEPTS & TECHNOLOGIES FOR THE WORLD OF

JOIN THE DISCUSSION

After Allegations of Malicious Hardware Tampering, What’s in Store for the Supply Chain?

Written by:

Kayla Matthews

tech journalist & writer http://productivitybytes.com


One of the worst things that may someday happen to the modern supply chain will stem from a major cybersecurity attack. Theoretically, hackers could wreak absolute havoc on a variety of operations.


Consider the mechanics of the supply chain, where products are sourced — whether manufactured or harvested — and then passed on to other parties. In the case of material goods, the items may be further modified, making them more durable, better or even more capable. In the case of foods and beverages, the items may be processed, preserved or passed on as is. By somehow infecting products along the chain, it will have an impact on not just the current stage, but all proceeding stages as well. Think of it as a virus spreading from cell to cell within a body.


Ultimately, hackers that gain access to the chain could change any number of things down the line, tainting products and services. Worse yet, if the manufacturing supply chain is compromised, the products can be ruined at the time of creation. This issue also makes the tainted goods difficult to identify.

Luckily, it seems a major attack like we’re describing is hypothetical. Except, maybe it’s not. A recent Bloomberg report reveals just how such an attack plays out in the real world.


What Happened According to Bloomberg?


Reporters allege that actors from the Chinese government were able to infiltrate four subcontractors of Super Micro Computer Inc., a US-based firm. Purportedly, they concealed tiny, modified microchips on Super Micro motherboards to create a proprietary backdoor.


What’s the ultimate goal? To spy and gather intel on more than 30 U.S. companies using the hardware, including Apple, Amazon and many others.


With the malicious chips, the actors can gather intelligence on future business plans, private communications, intellectual property and trade secrets.


In response, Super Micro published a letter denying the allegations brought forth in Bloomberg’s report, claiming that they are wrong and that there is simply no physical evidence. Despite this response, the company is “undertaking a complicated and time-consuming review to further address the [report].” The company also says it’s “practically impossible” for hackers to breach Apple and Amazon’s hardware chips.

True or not, it highlights a frightening and ruinous possibility. Nicholas Weaver, a security researcher at the University of California at Berkeley, has succinctly described the danger: “This is a scary-big deal.”


A scary-big deal, indeed.


What Does This Mean for Modern Industry?


This possibility has major implications for modern industry as a whole, from IoT and consumer tech to manufacturing. Why? Let’s put it this way: When something can be infiltrated at a fundamental level, it brings everything else into question.


Who’s to say that any China-made routers or internet gateways we use aren’t already infected? How do we know the chips inside our IoT and smart home devices aren’t snooping on us? What other technologies, hardware and systems are compromised? It ignites a state of paranoia much as we experienced during the Cold War era.

It’s also clear that if the unnamed actors are willing to go as far as they potentially have with Super Micro’s chips, there’s nothing stopping them from taking the next step. That probably explains why reports are surfacing that China is eying the Internet of Things market for their next move in the so-called cyber war on the United States.


Will This Issue Affect the Supply Chain?


The Trump administration and related agencies are currently investigating and will likely take action against any Chinese firms that were part of an attack. But the real question is, how will it impact the rest of the business world? Will it change how companies source parts, hardware and even software?


In the short term, the answer is no, it probably won’t change much. There are many reasons that companies take the risk of importing or sourcing goods from an external party. The most obvious factor is cost, which is generally lower for outsourced components — such as Super Micro’s chips.


A global information technology researcher at Syracuse University named Jason Dedrick says, “Cleaning up the mess [...] would require looking at the whole value chain, from design through manufacturing, and carefully monitoring every step.”


Furthermore, Dedrick explains that it’s not necessarily difficult to shift motherboard assembly operations out of China. However, the bigger concern is “how to control the design process so that there isn't a space for a counterfeit chip to be inserted and actually function."


Even moving the assembly process out of an untrustworthy region doesn’t guarantee it won’t happen elsewhere. Actors back home could just as soon accomplish the same goal.


Hopefully, the news — true or not — will light a fire under some of these businesses to come up with more robust and accurate cybersecurity solutions. The alleged attack certainly serves as a wakeup call for the tech industry. Collectively, major players need to come up with mechanisms and systems that can be used to both detect and prevent hardware and software supply chain attacks, and it needs to happen sooner rather than later.