Last year, Bloomberg’s Big Hack article gave everyone a much needed scare which forced companies to evaluate their exposure to supply chain intervention attacks. But a wider acknowledgment of the problem doesn’t make it go away. We need to understand the attack vectors and the inherent hardware vulnerabilities used by these backdoors, as well as the steps we can take to protect ourselves. We must have confidence in the systems and the technical infrastructure that supports our economy. This confidence currently relies on too much implicit trust — overlooking serious risks. Assurance in this area is hard won, manual, and costly.
In this talk, I will dive into several recent hacks including the ASUS software update hijacking and the SuperMicro supply chain allegations vs. reality. This discussion will include a technical overview of various types of hardware implants, the points of weakness in a standard supply chain, and discussion of how trust can be assured.