4 future IC threats to watch out for

Threats to the supply chains of integrated circuits and other computing components are poised to wreak even greater havoc on organizations.

Note: Part one of this two-part article is here.

Supply chain attacks are increasing not only in number, but also in complexity. Indeed, according to the Identity Theft Resource Center (ITRC), the volume of attacks on the supply chain increased by 42% in the first quarter of 2021 compared to the previous quarter. Inasmuch as “ITRC 2020 Data Breach“Supply chain attacks are increasingly popular with attackers because they can access information from large organizations or multiple organizations through a single third-party vendor. This increase has produced an explosion of ransomware, virtualization and extensible firmware interface attacks. (EFI) secure boot hacks and jailbreaks.

As defenses within traditional operating systems have improved over the years, hackers have moved on to the early stages of the boot process and, increasingly, even to the hardware itself.

Arguably the most impactful supply chain attack in history took place last year, targeting SolarWinds, a manufacturer of IT management solutions. It included several attacks that ultimately prompted businesses and government organizations around the world to run malicious product updates. The attack showed how adversaries can gain access to a privileged network component, hijack the software creation process to inject malicious code into each resulting binary, and then identify customers who are using products they could exploit by exploiting the code. injected. While most people in the industry were familiar with such an attack could are happening, many are still scrambling to determine how susceptible their businesses are to an attack they didn’t expect would like happen.

Four supply chain threats of the future
Attacks like this are why proactive thinking about potential supply chain threats is so crucial. As businesses try to protect themselves from today’s attacks, they should also consider the next wave of attacks. Let’s review four futuristic possibilities.

1. Sophisticated IC cloning – Sophisticated integrated circuit (IC) components, such as modern processors and microcontrollers, have long been considered far too complex to be accurately reproduced by a malicious adversary. However, advances in imaging and de-processing capabilities have provided researchers with much more powerful tools to reverse engineer designs and potentially replicate the technology. Manufacturers will likely always be safe with today’s most advanced technology (between 5nm and 10nm), but older technologies are likely to be susceptible to clone attacks. Today’s more advanced processor technology sizes will likely be safe for five to seven years after release, but manufacturers should assume that any older technology can already be cloned.

2. Hardware Trojans – These attacks have so far only been proven in academic settings. Due to the sheer complexity of implementing hardware Trojans, an attacker is unlikely to trigger one unless an absolutely critical moment. As a result, there have been very few real-life examples of such attacks, and this has even caused difficulties for researchers trying to obtain funds to identify such circuits. While the possibility of such attacks is low, the potential implications are huge. As such, it is almost certain that hardware Trojans exist, and the first major event could be just around the corner.

3. Compromised signing keys – Signature keys are more often used as part of industry standard best practices to ensure integrity and validate the origin of software. Adversaries who can compromise these keys, either by directly accessing the key or by using the key in an unauthorized manner, can create malicious versions of software that the original manufacturer considers legitimate. This is of particular concern when the verification key for a signed image is rooted (or stored) directly in hardware or in a single programmable storage. If the signing key is compromised, the corresponding verification key must be revoked to prevent the malware from loading. However, the process of revoking a verification key is rarely well tested and does not happen instantly. This means that even if everything goes exactly as planned and a company can immediately identify that a key is compromised, it can take anywhere from a few weeks to several years for all products to be patched and the keys revoked. This makes such an attack a huge risk for companies and a very attractive target for attackers.

4. Insider attacks – Insider attacks are not new, nor are they something that many companies would deny exists. Yet few companies or organizations are ready to face this threat. To be fair, it’s probably not due to laziness or denial, but rather because a company claiming it doesn’t trust its employees would be devastating to employee morale. The zero trust model for the supply chain revolves around a fundamental change from the trust but verify one model verify-can-trust model. The psychological impact of such a change on inanimate objects like businesses or companies is one thing; applying it to humans is another. The problem is, attackers don’t care. They will take advantage of whatever opportunities they can. Businesses should therefore consider ways to adapt and strike an appropriate balance between security and trust within their organizations, as nation-state and well-funded criminal organizations will increase their attempts at insider attacks.

Combat Supply Chain Threats Through Collaboration
Today’s computer systems are made up of many different components, each of which can impact the security of the entire system. As such, it is essential that all companies involved in the manufacturing cycle of computer systems and components work together to improve current approaches and provide better validation of traded goods.

There are many industry organizations and efforts aimed at these goals, such as the Global Semiconductor Alliance, Trusted IT group, SEMI, the IIC Industrial IoT Security Framework, NIST Cyber ​​Supply Chain Risk Management Program and his Supply chain assurance initiative, ISO / IEC SC27 WG4 TR6114, and more.

If industry is ever to get ahead of supply chain security risks, manufacturers should stop asking if advanced attacks will occur and start asking when they do.

Dr. Matthew Areno is a Senior Engineer at Intel Corporation in the Security Architecture and Engineering group. Areno received his bachelor’s and master’s degrees from Utah State University in 2007 and accepted a position with Sandia National Labs. At Sandia, he focused on … See the full bio

Recommended reading:

More information

Comments are closed.