Updated 16Feb2019 to include links to Bunnie Huang's & Trammell Hudson's talks
With the recent Bloomberg kerfuffle, people are thinking more about hardware security and supply-chain security. So we wanted to share an interesting datapoint. A while back, we found a vulnerability in a device that ended up telling a very cautionary tale about supply-chain security at various levels. Some links to the coverage of that are below, but the short of it is this:
The single software component that contained the camera's vulnerability was used by the manufacturer not only in the firmware of the one camera model that we exploited, but also throughout the manufacturer's product line, affecting more than just cameras. Furthermore, that same "design" (including the vulnerable component) was repeated by other manufacturers to make devices of all kinds (even desktop software)...all potentially vulnerable to the same bug.
We found a vulnerability in millions of devices....
Note: This is not a "black swan" either; read here how we also found a single vulnerability in a staggering number of D-Link's products.
Remember: Code reuse, is vulnerability reuse!
In fact, as recently as a few weeks ago, the researchers behind the recent big Faxploit news (a clever exploit that can allow an attacker to compromise a network via a malicious fax sent to a fax machine) also told us that they were able to use our "Devil's Ivy" vulnerability to help exploit their printer/fax! So this proves that the vulnerability really was in places we could never imagine. There are presumably millions of devices that we didn't even consider that may use this vulnerable component.
And this is exacerbated by the fact that most devices that have this vuln will probably never get updated (for many systemic reasons that are beyond the scope of this blogpost), especially in verticals like Industrial Control & SCADA (which have notoriously long hardware refresh cycles).
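The practical side of "one shared component, many products" is that a defender has to find every product that embeds the affected copy before deciding what can be patched and what must be isolated. The following is an added example, not code from the original post or from any vendor: it scans a set of constructed firmware blobs for embedded "NAME/MAJOR.MINOR.PATCH" library banners, builds a component inventory across products, and reports which products carry a version inside a constructed advisory's vulnerable range. The component name "libexamplesoap", the version numbers, the product names and the image bytes are all hypothetical placeholders.

```python
"""Firmware component inventory: one shared library, many products.

Added example (not from the original post). Library name, version range,
product names and firmware bytes are all constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Libraries commonly leave a "NAME/MAJOR.MINOR.PATCH" banner in their string
# tables, which survives into the firmware image's read-only data.
BANNER_RE = re.compile(rb"([A-Za-z][A-Za-z0-9_-]{1,31})/(\d+)\.(\d+)\.(\d+)")

# Constructed advisory for a hypothetical shared component: versions in the
# half-open range [affected_from, fixed_in) are vulnerable.
ADVISORY = {
    "component": "libexamplesoap",
    "affected_from": (2, 7, 0),
    "fixed_in": (2, 8, 48),
}

# Constructed firmware images (not real products): padding bytes around an
# embedded banner, roughly the way a banner sits inside a binary's .rodata.
FIRMWARE_IMAGES: Dict[str, bytes] = {
    "camera-A100": b"\x7fELF\x02\x01" + b"\x00" * 16
                   + b"libexamplesoap/2.8.41 built 2016" + b"\xff" * 8,
    "doorlock-D20": b"\x00" * 8 + b"libexamplesoap/2.8.12" + b"\x00" * 8,
    # Same component, but already at a fixed version.
    "router-R7": b"UBI#" + b"\x00" * 4 + b"libexamplesoap/2.8.50" + b"\x00" * 4,
    # A different component entirely; should not be flagged.
    "thermostat-T1": b"\x00" * 12 + b"othertls/1.0.2" + b"\x00" * 4,
}


def extract_banners(blob: bytes) -> List[Tuple[str, Version]]:
    """Return every (component, version) banner found in a binary blob."""
    found: List[Tuple[str, Version]] = []
    for m in BANNER_RE.finditer(blob):
        name = m.group(1).decode("ascii")
        version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
        found.append((name, version))
    return found


def is_affected(version: Version, advisory: dict) -> bool:
    """Tuple comparison orders dotted versions correctly (2.8.9 < 2.8.41)."""
    return advisory["affected_from"] <= version < advisory["fixed_in"]


def component_inventory(images: Dict[str, bytes]) -> Dict[str, Dict[str, Version]]:
    """Map component name -> {product: embedded version}, exposing reuse."""
    inv: Dict[str, Dict[str, Version]] = {}
    for product, blob in images.items():
        for name, version in extract_banners(blob):
            inv.setdefault(name, {})[product] = version
    return inv


def affected_products(images: Dict[str, bytes], advisory: dict) -> List[str]:
    """Products whose embedded copy of the advisory's component is vulnerable."""
    inv = component_inventory(images)
    users = inv.get(advisory["component"], {})
    return sorted(p for p, v in users.items() if is_affected(v, advisory))


if __name__ == "__main__":
    for name, users in sorted(component_inventory(FIRMWARE_IMAGES).items()):
        print(f"{name}: embedded in {len(users)} product(s): {sorted(users)}")
    print("affected:", affected_products(FIRMWARE_IMAGES, ADVISORY))
```

Banner matching is a first pass, not proof of absence: a stripped or statically inlined copy of a library may carry no version string, and compressed or encrypted images have to be unpacked before scanning. Treat a hit as a product to investigate and a miss as "not yet confirmed", which is exactly the gap the post describes for devices nobody thought to check.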
Some bad news: Hardware is designed a lot like software.
Hardware is not only designed with software, it is also designed like software. Many veteran technologists are unaware of this, but hardware designers will often reuse components and designs much like software developers reuse libraries and code. We explored this in greater detail in this blogpost (and other posts like it here).
"Hardware is basically designed with 'fancy Visio-like' software..."
When circuit boards (or even individual chips) are manufactured, they are made using software that is effectively a fancy version of Visio. This software allows a designer to literally "drag and drop" components (chips, resistors, etc.) into a workspace (much the way you drag flowchart shapes into your design in Visio), and then the software helps them connect the dots in clever ways.
Sharing is caring...
This design software also makes hardware designs modular (like software) and sharable in the form of libraries. These "libraries" can then be reused in new hardware designs. In fact, most "System on Chips" like those used in modern devices like cellphones are single chips with internal components designed by many vendors!...IN A SINGLE CHIP!
So whether it is hardware or software, the advancements in modularity and reusability are really what make it possible for new products to be built quickly. (For example: a software developer no longer needs to write the whole operating system first, they can start directly on their code and use helper libraries along the way.)
This modularity is both a gift and a curse. Modularity and code reuse have been a major contributor (if not the major contributor) to our technological advancement in the last 30 years...but they are also the very thing that forces manufacturers, businesses, and consumers into unseen trust relationships with entities that they don't even know about.
Where to go from here?
There are two recent (since the initial publication of this blogpost) fantastic talks that are incredible brain-dumps by two World-Class minds. The first one is by the illustrious Bunnie Huang. The second is by Trammell Hudson and catalogs his research (re)creating the VERY kinds of attacks presupposed by the very nebulous Bloomberg article.
Trammell Hudson's CCC 2018 talk.
Bunnie Huang's BlueHat 2019 talk.
Related: See how we demonstrated a "World's First" at RSA 2018: We showed how an attacker can hack a network and abscond with sensitive company data by only hopscotching between compromised devices (not computers).