This document discusses supply chain security considerations. It provides an overview of issues that can affect technology integration and approaches to mitigate risks. Examples are given of past supply chain attacks on autonomous vehicles, IoT devices, and software. The supply chain is defined as the network of vendors and components used to deliver a product or service. Threats include compromised hardware, software, tools and facilities. Detecting issues can be difficult due to the distributed nature of supply chains. Defenses include things like signing, monitoring, and designing with the assumption that some components may be compromised. The document emphasizes that supply chain attacks are increasingly common and that organizations should have response plans in place.

1. Supply Chain Security Considerations
What you don’t see can hurt you.

2. Who we are
Ian Robertson
Sr. Vice President, NCC Group
Josh Ryder
Senior Director of Network and Cybersecurity
Engineering and Operations, AppNexus

3. What are you going to get in this talk
• overview of issues affecting technology integration
• approaches to enumerate and mitigate many of these.
• examples of supply chain attacks from autonomous vehicles to IoT to
software/service supply with an emphasis on recent events

4. What do we mean by Supply Chain?
• A complex web of vendors and components that interact or are
integrated in order to deliver an experience, product or service
• Hardware and software integrations: how, where and by whom
• Intersects all contemporary product/service delivery

5. Threat modelling for devices
Some threats of relevance:
○ Physical access (lost/stolen device)
○ Embedded device based persistence (RAT, malware)
○ Jailbreaking (operational integrity, DRM)
○ Evil maid (what can you do in an hour of unsupervised access)
○ Supply chain
■ Evil components
■ Evil factory worker
■ Evil postman
■ Evil repair facility
○ Recovered device/Forensics
○ Biometric bypass
○ IP theft and anti-RE (tamper resistance, tamper evidence)
5

6. Supply chain attacks in history
•XCodeGhost (2015) lead to largest outbreak of IOS malware
• Loss of control of tool chain components
•Bill-C51 (2015, Canada) - Postman attack
•F-35 engines in Turkey - Repair attack
•Batteries, radios and software stacks

7. Adversary Enumeration
•opportunistic / disgruntled employees or partners
•hackers
•nation states/governments
•organized crime

8. Impacts?
● loss of customer data
○ financial penalties driven by GDPR, etc.
● loss of revenue
○ service abuse
○ loss of customer/investor confidence
● loss of IP
○ competitive advantage
○ giving aggressors a further advantage to attack your customers
● facilitation of crime
○ see any of the above

9. GDPR (General Data Protection Regulation)
• 4% of global revenues or 20 million EUR fine (whatever is higher)
• Designed to ensure safety and security of personal data for all EU
citizens, and it’s extra territorial.
• How’s this play into supply chain? The consequences of a supply
chain failure, let’s say a library you’re using to encrypt/anonymise
personal data is compromised, you could be on the hook for both
breach disclosure ($$$) and penalties ($$$$$$). Or if your cloud
provider is pwned...

10. Motivations (hint: Money)
● subsidy locks
● DRM
● jailbreaking
● counterfeiting
● component resale
● laundering stolen devices
10

11. What happens when you really really care
about the sanctity of your hardware?
Think about what level of engineering and secrecy must’ve gone into
the development of the ICBMs: control systems, guidance systems,
quality testing/control, vetting of contractors and employees,
compartmentalization of knowledge, bespoke hardware development.

12. A word on hardware hacking
● Privilege escalation in SW through HW
modification and abuse
● Direct data / secret extraction
● higher barrier-to-entry for attackers due to
equipment costs and expertise
● maturity: hardware/embedded security is ~15
years behind the state of SW security, with few
exceptions
12
TPMs, Smart
Cards
Smart Phones
HSMs
Internet of Things, Automotive, everything else
Increasing
Hardware
Security
# of OEMs
.
.
.

13. Photo of a device board
• Can we trust all of the components?
• Engineering residue often left behind
• WHY are debug interfaces (e.g. JTAG) left?
Tremendous cost pressure to avoid scrap and lead times for spinning
hardware. This isn’t agile/continuous integration!

14. Detection
• number of devices: ordered != built != shipped != activated
• the data needed is not likely in a single system
• tracking scrap at each stage can be a problem
• a few stations vastly overproducing
• factory network hardening
• 3rd party factory
• station to station traffic
• TTL too high
• Credentials used from wrong site
• Activity during quiet times: local holidays and timezones
• Obsolete devices being newly produced, or produced at the wrong
factory
14

15. How do I know if I have a problem?
• You do. It really comes down to how much of a problem it is now,
and how soon you can start building a response.

16. Things you can (and maybe already) do
• Compliance sometimes can be a good thing to establish basic
security hygiene. **
• Start small: Decide on what controls with what elements in the
supply chain you want to focus on.
• Educate. You can’t do this alone, and you’ll need to educate both to
raise awareness of the threats and to help build an effective
program.

17. attacks -> defenses I
● “Chip-off”
○ -> data/code signing
● firmware exploits
○ jailbreaking community can be a large contributor
■ -> allow root access
○ -> no 100% solutions here, mostly exploit mitigations
● silicon exploits
○ -> no 100% solutions here, mostly obfuscation to increase attacker cost
17

18. attacks -> defenses II
● leaked tools/software/schematics/mfg know-how
○ -> strong authentication on factory interface
○ -> end-to-end encryption (treat factory as a “dumb pipe”)
● 3rd party repair tools
○ exacerbated by component monoculture
○ often deployed in insecure environments including RMA
○ -> disable all vendor interfaces in hardware/fuses
● stolen network access
○ -> provisioned components, extensive process monitoring
18

19. So I’ve done all the things, I’m good right?
ROCA (CVE-2017-15631; Oct 15 2017)
- flaws in Infineon TPM RSA library generates weak keys
- FIPS 140-2 and EAL5+ certified!
- affects high security applications including HSMs, security tokens, etc.

21. Call to action
- Build out your response process before you start digging too much.
You don’t want to find something and not have a way to respond.
- Start designing around the assumption that some components
within your chain can and will be compromised. What are you doing
to validate your trust relationships should be in place.
- Escrow

22. Threats we
talked about
today
Internal controls
you have in
place
Suppliers who
aren’t thinking
about this
What you don’t know, can hurt you.
If you’re integrating things, or
building physical things that are
connected, you absolutely have
room for improvement
This is no longer the realm of
theoretical attacks, we are seeing
them all the time now

23. Thanks! Questions?

24. Stories in the news
•https://techcrunch.com/2014/05/12/nsa-allegedly-intercepts-shipme
nts-of-servers-to-install-spying-backdoors/
•https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-andr
oid/