Supply Chain Security Talk

I recently gave an invited talk about supply chain security at BlueHat IL 2019. I was a bit surprised at the level of interest it received, so I thought I’d share it here for people who might have missed it.

In the talk, I relay some of my personal trials authenticating my supply chains, then I go into the why of supply chain attacks to establish some scenarios for evaluating different approaches. The talk attempts to broadly categorize the space of possible attacks, ranging from attacks that cost a penny and a few seconds to pull off to attacks that cost hundreds of thousands of dollars and take months. Finally, I try to outline the depth of the supply chain attack surface, highlighting the overall TOCTOU (time of check, time of use) problem that is the supply chain.

The main insight is that transparency or openness of design by itself does little to secure a supply chain, because the entire situation is one huge TOCTOU problem. Checking hardware design files, locking down the assembly line, and Fedexing the product to your office is like hashing and signing your source code, running it through a trusted compiler, and then sending the binary unencrypted over the Internet and trusting it because it was “thoroughly checked”.

The inverse analysis is equally daunting: in software, one may copy each binary into RAM, hash and check its cryptographic signature, and run it only if it checks out. For hardware, there is no equivalent of “hash this instance of hardware and check its cryptographic signature” before use: “hashing” hardware involves taking it apart and inspecting every transistor and wire, which is both impractical and likely to render the hardware non-functional.
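
The software half of this comparison, as an added example (not from the talk or the original post): the same artifact is checked and then used two ways, once by re-opening its path after the check and once by verifying the copy already in RAM. A pinned SHA-256 digest stands in for the signature check, and the function names, the `between` hook and the sample bytes are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_then_use_by_path(path, pinned, between=None):
    """Racy: verify the file on disk, then open the path again to use it."""
    with open(path, "rb") as f:
        if not hmac.compare_digest(sha256_hex(f.read()), pinned):
            raise ValueError("digest mismatch")
    if between:
        between(path)  # hypothetical hook: whatever happens between check and use
    with open(path, "rb") as f:  # time of use: a second, unchecked read
        return f.read()

def load_verify_use(path, pinned, between=None):
    """Copy into RAM once, verify that copy, and hand back only that copy."""
    with open(path, "rb") as f:
        image = f.read()
    if between:
        between(path)  # later changes to the file cannot reach `image`
    if not hmac.compare_digest(sha256_hex(image), pinned):
        raise ValueError("digest mismatch")
    return image

def demo():
    """Return, per pattern, whether the bytes finally used are the checked ones."""
    good = b"release build\n"          # constructed sample artifact
    altered = b"altered after check\n"  # constructed replacement
    pinned = sha256_hex(good)  # assumption: stands in for a verified signature
    def swap(path):
        with open(path, "wb") as f:
            f.write(altered)

    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "artifact.bin")
        for name, fn in (("by_path", check_then_use_by_path),
                         ("in_ram", load_verify_use)):
            with open(path, "wb") as f:
                f.write(good)
            results[name] = fn(path, pinned, between=swap) == good
    return results

if __name__ == "__main__":
    print(demo())
```

The by-path variant passes its check and still returns the altered bytes, which is the shipped-hardware situation the post describes; the in-RAM variant is the step that has no hardware equivalent.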

Thus while open source hardware does engender some benefits for security (such as disclosing μ-state for Spectre side-channel analysis and ensuring no backdoors due to design oversight), it addresses a separate problem domain from supply chain attacks. While an open source hardware phone is arguably more trustable than a closed source one, open source is necessary but not sufficient for it to be trusted.

I do have some ideas on the practical mitigation of supply chain attacks, but they are still a bit too green to blog about. Stay tuned…

14 Responses to “Supply Chain Security Talk”

  1. Stephan Han. says:

    Wow. This opens up a whole new era of thinking. I feel so poor on knowledge by not seeing this perspective before. This is a developing story… Thanks a lot, Bunnie.

  2. George Westfall says:

    Is it possible to get a transcript? Your video has TS slides which means I can’t look at it? Thanks for any help.

  3. […] hardware as a way to exfiltrate data, Bunnie goes through a bunch of different exploit vectors in this talk that he shared over at his […]

  4. […] Supply Chain Security Talk.  Open source doesn’t make your hardware known. […]

  5. John Smith says:

    Hey. Thanks for sharing the article about supply chain security. It is the most important part, of which most people are not aware. Thanks for making us aware.

  6. seph says:

    It’s not quite a hardware checksum, but have you seen chipsec?

  7. SK says:

    Can’t a “hardware hash” be accomplished via something like a standardized X-Ray image format + software hashing of the resulting image/s?
    You may still need to do some disassembly, but definitely not “inspecting every transistor and wire”, at least not manually.

  8. […] can prepare a kill-chain well in advance and only use it once it is necessary—the famous “kill-switch.” Both because of the complexity of today’s mobile network equipment, and because of regular […]

  9. CJ says:

    This talk has been on my mind for a long time, and it reminded me of the Russian bug they installed in IBM Selectric typewriters. (https://www.cryptomuseum.com/covert/bugs/selectric/)

    If the Russi… erm, Soviets… were capable of this type of subterfuge in the 1950’s and 60’s, and weren’t caught by trained bug-finders with the NSA’s most sophisticated tools…

    It makes me think your presentation may actually be talking about the past, rather than the future surveillance capabilities of our adversaries…

  10. […] Huang shared his own lessons from attempting to authenticate his supply chain in a talk on Supply Chain Security. He also walks through categories of possible attacks, some which cost a penny and a few seconds, […]

  11. Al zakir says:

    Thanks for sharing.