ryder robertson security-considerations_in_the_supply_chain_2017.11.02

Supply Chain Security Considerations What you don’t see can hurt you.

Upload: pacsecjp

Post on 22-Jan-2018


Page 1: Ryder robertson security-considerations_in_the_supply_chain_2017.11.02

Supply Chain Security Considerations

What you don’t see can hurt you.

Page 2

Who we are

Ian Robertson

Sr. Vice President, NCC Group

Josh Ryder

Senior Director of Network and Cybersecurity Engineering and Operations, AppNexus

Page 3

What you are going to get in this talk

• overview of issues affecting technology integration

• approaches to enumerate and mitigate many of these.

• examples of supply chain attacks from autonomous vehicles to IoT to software/service supply with an emphasis on recent events

Page 4

What do we mean by Supply Chain?

• A complex web of vendors and components that interact or are integrated in order to deliver an experience, product or service

• Hardware and software integrations: how, where and by whom

• Intersects all contemporary product/service delivery

Page 5

Threat modelling for devices

Some threats of relevance:

○ Physical access (lost/stolen device)

○ Embedded device based persistence (RAT, malware)

○ Jailbreaking (operational integrity, DRM)

○ Evil maid (what can you do in an hour of unsupervised access)

○ Supply chain

■ Evil components

■ Evil factory worker

■ Evil postman

■ Evil repair facility

○ Recovered device/Forensics

○ Biometric bypass

○ IP theft and anti-RE (tamper resistance, tamper evidence)


Page 6

Supply chain attacks in history

• XcodeGhost (2015) led to the largest outbreak of iOS malware

• Loss of control of tool chain components

• Bill C-51 (2015, Canada) - Postman attack

• F-35 engines in Turkey - Repair attack

• Batteries, radios and software stacks

Page 7

Adversary Enumeration

• opportunistic / disgruntled employees or partners

• hackers

• nation states/governments

• organized crime

Page 8

Impacts?

● loss of customer data

○ financial penalties driven by GDPR, etc.

● loss of revenue

○ service abuse

○ loss of customer/investor confidence

● loss of IP

○ competitive advantage

○ giving aggressors a further advantage to attack your customers

● facilitation of crime

○ see any of the above

Page 9

GDPR (General Data Protection Regulation)

• 4% of global revenues or 20 million EUR fine (whichever is higher)

• Designed to ensure safety and security of personal data for all EU citizens, and it’s extraterritorial.

• How does this play into the supply chain? Consider the consequences of a supply chain failure: say a library you’re using to encrypt/anonymise personal data is compromised. You could be on the hook for both breach disclosure ($$$) and penalties ($$$$$$). Or if your cloud provider is pwned...

Page 10

Motivations (hint: Money)

● subsidy locks

● DRM

● jailbreaking

● counterfeiting

● component resale

● laundering stolen devices


Page 11

What happens when you really really care about the sanctity of your hardware?

Think about what level of engineering and secrecy must’ve gone into the development of the ICBMs: control systems, guidance systems, quality testing/control, vetting of contractors and employees, compartmentalization of knowledge, bespoke hardware development.

Page 12

A word on hardware hacking

● Privilege escalation in SW through HW modification and abuse

● Direct data / secret extraction

● Higher barrier to entry for attackers due to equipment costs and expertise

● Maturity: hardware/embedded security is ~15 years behind the state of SW security, with few exceptions


[Chart: increasing hardware security plotted against number of OEMs. Categories shown: TPMs, smart cards; smart phones; HSMs; Internet of Things, automotive, everything else.]

Page 13

Photo of a device board

• Can we trust all of the components?

• Engineering residue often left behind

• WHY are debug interfaces (e.g. JTAG) left?

Tremendous cost pressure to avoid scrap and lead times for spinning hardware. This isn’t agile/continuous integration!

Page 14

Detection

• number of devices: ordered != built != shipped != activated

• the data needed is not likely in a single system

• tracking scrap at each stage can be a problem

• a few stations vastly overproducing

• factory network hardening

• 3rd party factory

• station to station traffic

• TTL too high

• credentials used from wrong site

• activity during quiet times: local holidays and timezones

• obsolete devices being newly produced, or produced at the wrong factory
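Added example (not from the talk, and not NCC Group or AppNexus code): the funnel reconciliation and the per-station and per-event checks listed on the Detection slide, run over constructed sample build records. The site, model and operator policy tables, the shift window and the overproduction factor are all assumptions.

```python
from collections import Counter
from datetime import date, datetime, time, timedelta, timezone
from statistics import median
# Constructed policy data (assumptions, not from the talk): each site's clock and
# local holidays, each model's approved factory and status, each credential's site.
SITES = {"shenzhen": (timezone(timedelta(hours=8)), {date(2017, 10, 2)}),
         "penang": (timezone(timedelta(hours=8)), set())}
MODELS = {"gw-100": ("shenzhen", "active"), "gw-50": ("shenzhen", "obsolete")}
OPERATORS = {"op-alice": "shenzhen", "op-bob": "penang"}
SHIFT = (time(7, 0), time(22, 0))  # local working hours at every site

def sample_build_events():
    """Constructed 'unit built' records: (model, site, station, operator, UTC time)."""
    base = datetime(2017, 10, 3, 2, 0, tzinfo=timezone.utc)  # 10:00 local at both sites
    ev = [("gw-100", "shenzhen", f"st-{i % 3}", "op-alice", base + timedelta(minutes=i))
          for i in range(30)]                                  # three stations, 10 each
    ev += [("gw-100", "shenzhen", "st-9", "op-alice", base + timedelta(minutes=i))
           for i in range(60)]                                 # one station at ~6x the rate
    ev.append(("gw-100", "shenzhen", "st-0", "op-bob", base))  # penang credential in shenzhen
    ev.append(("gw-100", "shenzhen", "st-0", "op-alice",
               datetime(2017, 10, 1, 18, 0, tzinfo=timezone.utc)))  # 02:00 local on a holiday
    ev.append(("gw-50", "shenzhen", "st-1", "op-alice", base))  # obsolete model newly built
    ev.append(("gw-100", "penang", "st-p1", "op-bob", base))    # built at the wrong factory
    return ev
def reconcile_stages(stages):
    """Flag funnel counts that cannot happen: a later stage exceeding an earlier one."""
    order = ["ordered", "built", "shipped", "activated"]
    return [f"{b} ({stages[b]}) exceeds {a} ({stages[a]})"
            for a, b in zip(order, order[1:]) if stages[b] > stages[a]]
def find_anomalies(events, overproduce_factor=3):
    findings = []
    per_station = Counter(e[2] for e in events)
    typical = median(per_station.values())
    for station, n in per_station.items():       # a few stations vastly overproducing
        if n > overproduce_factor * typical:
            findings.append(f"station {station} built {n} units vs median {typical}")
    for model, site, station, op, ts in events:
        tz, holidays = SITES[site]
        local = ts.astimezone(tz)                 # judge quiet time in the site's own timezone
        factory, status = MODELS[model]
        if OPERATORS.get(op) != site:             # credentials used from the wrong site
            findings.append(f"credential {op} used at {site}, issued for {OPERATORS.get(op)}")
        if local.date() in holidays or not SHIFT[0] <= local.time() <= SHIFT[1]:
            findings.append(f"{station} active at {local:%Y-%m-%d %H:%M} local (quiet time)")
        if status == "obsolete":                  # obsolete devices newly produced
            findings.append(f"obsolete model {model} newly built at {site}")
        if factory != site:                       # produced at the wrong factory
            findings.append(f"{model} built at {site}, approved factory is {factory}")
    return findings
```

The counts fed to reconcile_stages come from different systems in practice (ERP, MES, fulfilment, activation), which is the point of the second bullet.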


Page 15

How do I know if I have a problem?

• You do. It really comes down to how much of a problem it is now, and how soon you can start building a response.

Page 16

Things you can (and maybe already) do

• Compliance sometimes can be a good thing to establish basic security hygiene.

• Start small: Decide on what controls with what elements in the supply chain you want to focus on.

• Educate. You can’t do this alone, and you’ll need to educate both to raise awareness of the threats and to help build an effective program.

Page 17

attacks -> defenses I

● “Chip-off”

○ -> data/code signing

● firmware exploits

○ jailbreaking community can be a large contributor

■ -> allow root access

○ -> no 100% solutions here, mostly exploit mitigations

● silicon exploits

○ -> no 100% solutions here, mostly obfuscation to increase attacker cost


Page 18

attacks -> defenses II

● leaked tools/software/schematics/mfg know-how

○ -> strong authentication on factory interface

○ -> end-to-end encryption (treat factory as a “dumb pipe”)

● 3rd party repair tools

○ exacerbated by component monoculture

○ often deployed in insecure environments including RMA

○ -> disable all vendor interfaces in hardware/fuses

● stolen network access

○ -> provisioned components, extensive process monitoring


Page 19

So I’ve done all the things, I’m good right?

ROCA (CVE-2017-15631; Oct 15 2017)

- flaws in the Infineon TPM RSA library generate weak keys

- FIPS 140-2 and EAL5+ certified!

- affects high security applications including HSMs, security tokens, etc.

Page 20

Page 21

Call to action

- Build out your response process before you start digging too much. You don’t want to find something and not have a way to respond.

- Start designing around the assumption that some components within your chain can and will be compromised. Ask what you are doing to validate your trust relationships; that validation should be in place.

- Escrow

Page 22


Threats we talked about today

Internal controls you have in place

Suppliers who aren’t thinking about this

What you don’t know can hurt you.

If you’re integrating things, or building physical things that are connected, you absolutely have room for improvement

This is no longer the realm of theoretical attacks; we are seeing them all the time now.

Page 23


Thanks! Questions?