Following the controversy from Bloomberg Businessweek’s report claiming that Chinese government agents infiltrated the supply chain of server hardware vendor Supermicro, Apple CEO Tim Cook has called on Bloomberg to retract the story, stating that “There is no truth in their story about Apple,” during an interview with BuzzFeed News. Cook’s statement is perhaps the most vociferous among the cacophony of denials from companies claimed in the report to have been recipients of compromised hardware. Further, the US Department of Homeland Security and UK National Cyber Security Centre have backed up these denials, and a source cited in the story has likewise casted doubt on the claims made by Bloomberg.
Independent of the validity of the report, CIOs are now breathlessly working to verify the security and integrity of their systems out of fear that their organizations are being targeted by malicious actors. The question is, how do you verify that your hardware is not compromised?
SEE: Hiring kit: IT audit director (Tech Pro Research)
As one might expect, doing so is quite challenging. BuzzFeed News cites a high-ranking national security official as claiming there is a “highly classified effort in the US government to detect how adversaries implant devices” similar to the PCB-level type of implant described in Bloomberg’s report.
Jasper van Woudenberg, North America CTO of Infosec firm Riscure, noted in a blog post that hardware tampering can be detected by comparing components with a “known good” board. There are varying levels of effort that this requires — it is relatively trivial to analyze nonvolatile memory, moderately time consuming to identify ICs on a board by labeling and package type, and exceedingly time consuming and expensive to decap ICs on a board for analysis. There are other points to keep in mind when performing audits to ensure hardware security.
Let’s think about this calmly
Certain industries are higher-value targets for hackers. Generally, government offices, banks, and critical infrastructure such as power plants and airports would be primary targets for data exfiltration by a state-level actor. As a result, it likely isn’t worth the time or money for most organizations to pull apart systems to decap ICs on a circuit board. It is vital to note that attempting to gain control of a system through a PCB-level implant, in the way claimed in the Bloomberg article, is a very high-risk attack which requires a great deal of precision and secrecy to achieve undetected. Using these implants indiscriminately in a mass harvest of data would be too easily discovered. Likewise, van Woudenberg notes that attempting this type of attack in this way is “is not the easiest technical means to remotely control a system; rewriting firmware is much easier from an engineering perspective.”
Verify system firmware and software, and keep it up to date
Speaking optimistically, hardware vendors should offer timely security and bugfix updates for their products. These should be applied in a timely manner. When downloading firmware updates, particularly for system BIOS files, ensure that the downloaded file matches the checksum published by the vendor. Likewise, for software updates, make sure that the update packages are signed using a trusted, published key.
Check your JTAG headers, PCI, and USB ports
The JTAG (Joint Action Test Group) headers found on many enterprise (and consumer) electronics offer powerful debugging abilities and system-wide access, intended for hardware and software testing. These are also critical weak points in many systems, and exposed JTAG headers have been used to gain root access to IoT devices, routers, and game consoles. Exploitation of JTAG was demonstrated in the GODSURGE implant developed by the NSA, evidence of which was uncovered in 2013 by Der Spiegel. Likewise, an organization dubbed “Equation Group” by Kaspersky Lab has used exposed JTAG access to modify the firmware of hard disks.
While these may require more software-side engineering to achieve root access or enable data exfiltration, and exist in a more obvious locations susceptible to visual detection, PCI and USB ports are also useful targets for attackers. Ensuring that no unknown devices are inserted in these ports is an important additional step.
Balancing security with risk (and paranoia)
Practically speaking, it is impossible to guarantee security with absolute certainty. There are multiple tiers of verification, which can be explored depending on the resources at your disposal and the validation or compliance needs of your organization. Good security hygiene and thoughtful policies, which are adhered to without exception are vital to ensuring the security of data in your organization.