With the recent Bloomberg kerfuffle, people are thinking more about hardware security and supply-chain security. So we wanted to share an interesting datapoint.
A while back, we found a vulnerability in a device that ended up telling a very cautionary tale about supply-chain security at various levels.
Some links to the coverage of that are below, but the short of it is this:
Remember: Code reuse is vulnerability reuse!
In fact, as recently as a few weeks ago, the researchers behind the recent big Faxploit news (a clever exploit that can allow an attacker to compromise a network via a malicious fax sent to a fax machine) also told us that they were able to use our "Devil's Ivy" vulnerability to help exploit their Printer/Fax!
So this proves that the vulnerability really was in places we could never imagine. There are presumably millions of devices that we didn't even consider that may use this vulnerable component.
Some bad news: Hardware is designed a lot like software...
Hardware is not only designed with software but it is also designed like software.
Many veteran technologists are unaware of this, but hardware designers will often reuse components and designs much like software developers reuse libraries and code. We explored this in greater detail in this blogpost (and other posts like it here).
"Hardware is basically designed with 'fancy Visio-like' software..."
When circuit boards (or even individual chips) are manufactured, they are made by using software that is effectively like a fancy version of Visio. This software allows a designer to literally "drag and drop" components (chips, resistors, etc.) into a workspace (much the way you drag flowchart shapes into your design in Visio) and then the software helps them connect the dots in clever ways.
Sharing is caring...
So whether it is hardware or software, the advancements in modularity and reusability are really what make it possible for new products to be built quickly. (For example: a software developer no longer needs to write the whole operating system first; they can start directly on their code and use helper libraries along the way.)
Where to go from here?
There are two recent (since the initial publication of this blogpost) fantastic talks that are incredible brain-dumps by two World-Class minds. The first one is by the illustrious Bunnie Huang.
The second is by Trammell Hudson and catalogs his research (re)creating the VERY kinds of attacks presupposed by the very nebulous Bloomberg article.
Trammell Hudson's CCC 2018 talk.
Bunnie Huang's BlueHat 2019 talk.
Related: See how we demonstrated a "World's First" at RSA 2018: We showed how an attacker can hack a network and abscond with sensitive company data by only hopscotching between compromised devices (not computers).