Today’s complex web of interdependent companies has precipitated an inadvertent expansion of vulnerabilities within supply chains. According to the GAO-18-667T, the reliance on a global supply chain introduces multiple risks to federal information systems. Such risks include adversaries taking control of systems or decreasing the availability of materials needed to develop systems. Supply chain threats are present during the various phases of an information system’s development life cycle and can get introduced by exploiting vulnerabilities that could exist at multiple points in the supply chain. Examples of such vulnerabilities include the acquisition of products or parts from unauthorized distributors; inadequate testing of software updates and patches; and incomplete information on IT suppliers. Exploiting these vulnerabilities could lead to the loss of the confidentiality, integrity, or availability of federal systems and the information they contain.
Various actors might target an organization's supply chain, and their motives differ accordingly: an individual looking for financial gain, a criminal group, or a nation-state or state-sponsored actor conducting espionage against, or sabotage of, an adversary.
In the hardware variant of a supply chain attack it is the device itself that is tampered with, often through the firmware built into one of its components. A device can be compromised at any point along the supply chain, and the now-rogue device is then delivered to the end user as if nothing had happened. Ensuring a device's integrity (i.e., that it is what it claims to be) is not a simple task: an implant can be microscopic, invisible to the human eye, and gives no outward hint of the device's true function.
Further, because such implants operate at the Physical Layer (Layer 1) of the OSI model, conventional security software does not detect them: endpoint and network security tools work on data from Layer 2 upwards and have no view of a device's electrical characteristics. Similarly, a spoofed peripheral that presents itself as a genuine HID is accepted by the host and raises no alarm, because at the layers the host inspects it is indistinguishable from a legitimate keyboard or mouse. Moreover, as supply chains become increasingly complex, detecting an attack and tracing its origin is extremely difficult. Hence, in many respects, the supply chain represents the "holy grail" of hardware-based attacks, giving bad actors a path into even the most secured entities.
One possible way of tampering with the supply chain is through transportation logistics: if the adversary knows the expected transportation route, they may find multiple entry points, whether air or sea freight, and, given enough motivation, a quick "unboxing" and "re-boxing" is not an issue.
What is the physical layer?
Traditional visibility tools use Layer 2 (MAC addresses) and Layer 3 (IP addresses and the traffic above them) network data to discover and identify devices. This is problematic because at Layer 2 and above, devices that have no presence at those layers, such as passive taps, unmanaged switches, MITM attack tools or "spoofed" devices, go undetected. Rather than relying on traffic monitoring, Physical Layer (analog) information identifies a device by what it physically is rather than by what it claims to be, by monitoring signals such as voltage, current, noise level, signal timing, and more. This approach can provide continuous, real-time visibility of the network and peripheral devices within the environment, including those that never produce a packet.
How can we make our adversaries' lives harder?
Let's consider site A wishing to send site B a hardware asset (a switch, a laptop, or even a simple keyboard). Beyond the obvious anti-tampering measures (tamper-evident seals and stickers), which can be bypassed, let's embrace a different approach: physical layer fingerprint stamping. While the device is at site A, it is connected to a HAC-1 solution, which probes it and records its physical layer fingerprint vector and Bill of Materials (BOM). After the asset reaches its final destination, site B, it is reconnected to HAC-1 to verify that its physical layer fingerprint (and BOM) has not changed; a change may indicate that someone has tampered with the asset. Two practical points matter here. First, the baseline recorded at site A must itself be protected, either transmitted out of band or integrity-protected with a key the courier never sees, so that an adversary who re-boxes the asset cannot also rewrite the baseline to match. Second, analog measurements drift with temperature, cabling and probe calibration, so the comparison at site B should use a per-signal tolerance; a reading outside that tolerance, or a BOM that has gained or lost a component, is grounds to quarantine and inspect the asset rather than proof of tampering on its own.
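The stamp-and-verify procedure described above, and the Layer 1 signals listed in the previous section, as an added worked example that is not part of the original page and is not HAC-1's code or output format. It assumes a hypothetical probe that reports a small vector of physical-layer measurements (signal names, values and BOM entries are constructed for illustration), binds the site A baseline with an HMAC under a key shared by the two sites and never shipped with the asset, and at site B rejects a forged baseline before comparing the BOM and each signal against a per-signal tolerance.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed baseline: what a Layer 1 probe at site A might record for a keyboard.
# Signal names, values and BOM entries are invented for illustration; they are
# not the output of any real product.
SITE_A_FINGERPRINT = {
    "asset_id": "KBD-0042",
    "bom": ["mcu:hid-controller", "led-driver", "usb-hub-1port"],
    "signals": {
        "vbus_current_ma": 48.2,   # supply current while idle
        "dplus_idle_mv": 3290.0,   # D+ pull-up level (full-speed device)
        "dminus_idle_mv": 11.0,
        "enum_time_ms": 182.0,     # time from attach to descriptor response
        "noise_floor_uv": 42.0,
    },
}

# Relative tolerance per signal: analog readings drift with temperature, cable
# and probe calibration, so an exact match would raise false alarms at site B.
TOLERANCES = {"vbus_current_ma": 0.05, "dplus_idle_mv": 0.02,
              "dminus_idle_mv": 0.50, "enum_time_ms": 0.10, "noise_floor_uv": 0.25}

# Demo key only (constructed). In practice the key lives with the two sites,
# never with the courier or the asset, so the baseline cannot be re-stamped in transit.
DEMO_KEY = b"constructed-demo-key-shared-by-site-a-and-site-b"


def canonical(fingerprint: dict) -> bytes:
    """Serialise deterministically so both sites MAC identical bytes."""
    return json.dumps(fingerprint, sort_keys=True, separators=(",", ":")).encode()


def stamp(fingerprint: dict, key: bytes) -> dict:
    """Site A: bind the baseline to the key so it cannot be altered along the route."""
    mac = hmac.new(key, canonical(fingerprint), hashlib.sha256).hexdigest()
    return {"fingerprint": fingerprint, "mac": mac}


def verify_stamp(stamped: dict, key: bytes) -> bool:
    """Site B: constant-time check that the baseline is the one site A produced."""
    expected = hmac.new(key, canonical(stamped["fingerprint"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stamped["mac"])


def compare(baseline: dict, observed: dict, tolerances: dict) -> list:
    """Return every BOM or signal deviation; an empty list means the asset matches."""
    findings = []
    if baseline["asset_id"] != observed["asset_id"]:
        findings.append(f"asset_id_mismatch: {baseline['asset_id']} vs {observed['asset_id']}")
    # Counter rather than set: an implant that adds a *second* HID controller must show up.
    base_bom, obs_bom = Counter(baseline["bom"]), Counter(observed["bom"])
    for part, n in sorted((obs_bom - base_bom).items()):
        findings.append(f"bom_added: {part} x{n}")
    for part, n in sorted((base_bom - obs_bom).items()):
        findings.append(f"bom_removed: {part} x{n}")
    for name, base_val in baseline["signals"].items():
        if name not in observed["signals"]:
            findings.append(f"signal_missing: {name}")
            continue
        obs_val = observed["signals"][name]
        if abs(obs_val - base_val) > tolerances.get(name, 0.0) * abs(base_val):
            findings.append(f"signal_out_of_tolerance: {name} baseline={base_val} observed={obs_val}")
    for name in observed["signals"]:
        if name not in baseline["signals"]:
            findings.append(f"signal_unexpected: {name}")
    return findings


def check_asset(stamped: dict, observed: dict, key: bytes, tolerances: dict) -> tuple:
    """Site B entry point: a bad stamp is fatal before any baseline value is trusted."""
    if not verify_stamp(stamped, key):
        return False, ["stamp_invalid: baseline may have been altered in transit"]
    findings = compare(stamped["fingerprint"], observed, tolerances)
    return len(findings) == 0, findings


# Constructed site B readings: one with normal drift, one with an implant that
# adds a second HID controller, draws more current and enumerates more slowly.
OBSERVED_CLEAN = {
    "asset_id": "KBD-0042",
    "bom": ["mcu:hid-controller", "led-driver", "usb-hub-1port"],
    "signals": {"vbus_current_ma": 49.1, "dplus_idle_mv": 3300.0, "dminus_idle_mv": 12.0,
                "enum_time_ms": 190.0, "noise_floor_uv": 45.0},
}
OBSERVED_IMPLANTED = {
    "asset_id": "KBD-0042",
    "bom": ["mcu:hid-controller", "led-driver", "usb-hub-1port", "mcu:hid-controller"],
    "signals": {"vbus_current_ma": 61.0, "dplus_idle_mv": 3300.0, "dminus_idle_mv": 12.0,
                "enum_time_ms": 240.0, "noise_floor_uv": 45.0},
}

if __name__ == "__main__":
    stamped = stamp(SITE_A_FINGERPRINT, DEMO_KEY)
    for label, obs in (("clean", OBSERVED_CLEAN), ("implanted", OBSERVED_IMPLANTED)):
        ok, findings = check_asset(stamped, obs, DEMO_KEY, TOLERANCES)
        print(label, "OK" if ok else "QUARANTINE", findings)
```

The clean reading passes because every signal stays inside its tolerance band, while the implanted one is flagged on the extra BOM entry and the two out-of-band signals. A baseline that has been swapped in transit fails the stamp check first, so the comparison never runs against attacker-chosen values; with a public-key signature instead of a shared HMAC key, site B would need no secret at all.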
Securing the supply chain has always been, and will continue to be, a never-ending battle; it is up to us to make our adversaries' lives as difficult as possible, so that they turn away and seek an alternative target.