SAS 2019: Joe FitzPatrick Warns of the ‘$5 Supply Chain Attack’

At the Security Analyst Summit, Threatpost editor Tara Seals catches up with Joe FitzPatrick, researcher with Securing Hardware, to discuss supply chain threats.

SINGAPORE – At the Security Analyst Summit this year in Singapore, Threatpost editor Tara Seals catches up with Joe FitzPatrick, researcher with Securing Hardware, who led a session during the conference titled “A Measured Response to a Grain of Rice: An Implant in the Shell.”

After a 2018 Bloomberg report alleged that a spy chip was implanted on Super Micro Computer servers, threatening several high-profile cloud vendors, supply chain security was thrown to the forefront. (The report was strongly refuted by Supermicro, Amazon and Apple.)

But FitzPatrick said the real supply chain threats that companies face are far more vital to focus on. “If you are looking from a hardware perspective, there’s a lot of $5 attacks, there’s a lot of hundred dollar attacks, and reacting to those is more important, understanding those and considering them in your threat models is important,” he told Threatpost.

FitzPatrick talks about what stood out to him about the report – and what didn’t make sense – as well as the supply chain risks that end users should focus on.

Below is a lightly edited transcription:

Tara Seals: This is Tara Seals, senior editor with Threatpost, and welcome to the Threatpost Podcast. I’m joined today by Joe FitzPatrick, who is with Securing Hardware. Welcome, Joe. Thanks for being here. We’re in tropical Singapore for the Security Analyst Summit Kaspersky Lab event. And Jeff has stopped by to talk a little bit to me about his presentation that he gave us this week, and some of the takeaways that he has learned, and his research. So tell me a little bit about what you talked about.

Joe FitzPatrick: Sure, the title was “A Measured Response to a Grain of Rice: An Implant in the Shell.” It was in response to some news in the past six months about hardware supply chain attacks. And the message I’ve been trying to send both here and elsewhere is that, you know, there was a really neat news article; there are some technical things that were described that were kind of groundbreaking. But really, for the majority of people, what really matters is that, they want to react to this news of this big deal, and really they should be reacting to the actual, true risks.

If you are looking from a hardware perspective, there’s a lot of $5 attacks, there’s a lot of hundred dollar attacks, and reacting to those is more important, understanding those and considering them in your threat models is important.

A knee jerk reaction to a million dollar attack is probably not the best use of your resources.

TS: And so just for context, why don’t you describe for our listeners, the attack that you’re talking about? Obviously, there was a high-profile news story about this, but just give us a synopsis if you don’t mind.

JF: Yeah, so Bloomberg reported that there was a tiny spy chip that was made by or supported by the Chinese government, that was implanted on Supermicro motherboards and made it into the supply chain of several high profile cloud vendors.

The technical details of this were very interesting to me from a hardware perspective, you know, they described lots of things that, you know, fundamentally are possible. But what didn’t make sense is how it was put together, how the story played out, it didn’t make sense from an attacker’s perspective to take the approach that was described in this coverage.

TS: I think you’re right, in terms of a lot of enterprises had this knee jerk reaction, [saying] “Oh, my gosh, you know, is our hardware secure, how do we figure out if it’s not secure, what do we do about this?” What are some of the misconceptions in terms of the types of hardware dangers out there that they should be concerned about, rather than the sort of giant attack that Bloomberg reported on?

JF: I was contacted by a lot of people who were asking me if they should tear apart their servers, should they do destructive analysis? Should they search for this?

And the first question is, what are you searching for? Right? We don’t know, we don’t have an indicator that is a device that looks like this, here’s how to detect it, we don’t have any of that information. So we could spend a lot of time and a lot of money and do a hugely destructive analysis of a board. And not only are you short one server board, but you’re also short time and money that it takes to do that, because this involves imaging the board, understanding the board… disassembling every component on the board, it’s massive. And if you’re not doing that, you’re not doing the whole job.

The reality though, when it comes to hardware, is when we get a new server in a case, do you even open the case to look at it, right? When you have a plan to purchase 1,000 servers, do you have acceptance criteria, you have a conversation with your vendors about the supply chain security controls that they have. And if you haven’t done that in the past, then ripping out a server today is not going to solve anything. We don’t know what we’re looking for… So it’s a long term project. You can start now and maybe count on having some supply chain security controls in place in a matter of years. But you’re not going to go back and suddenly find out if you were subject to something like this.

TS: So going forward, what advice would you give to an enterprise that wants to lock down this aspect of their security?

JF: Well, so like I mentioned before, you need to have a conversation with your suppliers about supply chain security. That’s where it starts. If you’re buying motherboards from Supermicro, you need to talk to Supermicro and figure out where they get their components, how they assure that the components on the board are the ones you get.

The other side of this is supply chain issues happen all the time. But these supply chain issues aren’t spy chips installed by some other government. These supply chain issues are counterfeit devices that get into the supply chain. The motivation here is just pure profit. If you can slip in a reel of components that cost a few dollars less, you’re making a few dollars right there. And there’s a whole range of what these counterfeit components look like, where they come from and how they’re made. But the reality is sometimes it’s pretty hard even to just tell whether you have a counterfeit or genuine component. So understanding whether it’s a genuine component, a counterfeit component, or a maliciously-implanted component is very difficult.

TS: And I was going to ask you, so that the fact that components might be counterfeit doesn’t necessarily present a malicious threat to the enterprises.

JF: Yeah, and counterfeit components can be a problem. So like, components are sold with different specifications. So they make a million chips, and some of them work fine and some of them don’t work. Some of them work fine within narrow temperature ranges. So they sell the regular ones in the narrow temperature range. They sell the ones that are really viable in the mil spec temperature range, which means that it operates at lower and higher temperatures within specification, and they throw out the rest, right? Or they grind the rest or you know, someone buys the rest and rebrands them as something else.

So again, you know, there’s a lot of range of what can happen with these counterfeit devices, and, if you’re buying mil spec components, and someone has taken regular spec components and ground them down and rewrote the label on them, and you’re operating in a temperature range that you need mil spec components, like this is a problem. This is a real issue.

It’s a very different issue from talking about with like a malicious attack.

TS: Right, an espionage type of effort. Okay, and so when you were talking about the different types of hacks, saying some of them are easier than others – so what would a $5 hack look like?

JF: So a $5 hack is kind of like when you think about game consoles. For many years, you know the way you hack your game console is you put a modchip in there.

And this is a great example of a hardware attack, right? It’s very interesting because the owner is the attacker, right? But what you do is get a little tiny board, it’s got a microcontroller on it, you solder a few wires in there, and it does something – it tells the system, it lies to the system, it does something that makes the system think that everything is good.

The same thing can be done for like, you know, networking gear to like disable the DRM that goes into it to enable the speed or quantity of your network ports. There’s a lot of all things that you can do with a tiny board. That’s a $5 attack.

The $10 to $100 attack is a little more advanced, like an example is like, “Oh, yeah, we were looking at the server room and we found this Raspberry Pi hooked up to a network port, anybody have any idea what this is?” You know, that’s an employee, you know, a contractor or anyone who is in the building who happens to slip it in there. Or if you’re buying a case, computer in a case or server on a rack, you know, and you don’t open it and look at what’s inside. You know, stuff like this can slip in there and that’s less than $100 worth of hardware. And of course the time and development and all that is probably a far bigger issue.

TS: Right and that can be very targeted, I would think.

JF: Well the other thing is these are things that are accessible to hobbyists, right? Anybody who has a background in electronics or even a background in embedded computers can build a device like this and apply it. There are, you know, companies that sell tools for Red Team exercises that do exactly this. And so the difference between a Red Team exercise and attackers is very, very unclear sometimes.

TS: And what level of awareness do you think that companies have when it comes to the danger that the hardware supply chain may present to them?

JF: Well, if we talked about it from the perspective of like a products company, so you know, you have a startup that has an IoT device like whether it’s a thermostat or Internet camera or something else. A lot of the times the sales pitch is usually software-backed or cloud-backed, or AI, machine learning-whatever backed product. And the hardware is just supporting it, hardware is just the platform that it runs on.

So a lot of these companies don’t make their own hardware, they outsource it, right, they go to an OEM, who’s going to give them a box that they put their own label on. And the board inside that box is made from a reference design that came from the manufacturer of a piece of silicon, which you know, has a bunch of IP blocks that are licensed for third parties. So like, just looking back at this stack, you know, we’re dealing with companies that don’t even have visibility into the hardware, they understand how the hardware works, but they don’t worry about it, they get a software stack, and they build their app on top of them. So it’s pretty difficult for someone in this realm to understand the supply chain, sort of where the components came from, and what to expect from them. A lot of what we see in IoT vulnerabilities is because of this, right, you ship a reference design from the silicon manufacturer, and it’s designed to prove this device works. It’s not designed to be secure. And then you can go put your app on top of that, your web front end on top of that, and you don’t worry about the underlying bits and pieces that may not be great.

TS: Okay, well, I think we’re gonna have to leave it there. But thank you so much for your time and for offering to give us a little bit of an overview of what you’re seeing in the space.

JF: Awesome. Thanks for having me.

TS: And once again, I’m Tara Seals with Threatpost and I’m here with Joe FitzPatrick, with Securing Hardware, here at SAS 2019 in lovely Singapore. Thanks for joining us.
