SolarWinds Attack Is A Cautionary Tale For Hardware And Its Supply Chain
By: John Hallman
Reduce the risk of exploits by using automated checks to identify known issues early.
Although this attack happened through software, hardware and its supply chain are susceptible to comparable attack scenarios. Before IC fabrication, a backdoor could be inserted at the time of design or within integrated IP. It could even occur during mask or silicon modification. After IC fabrication, malicious logic could find its way in through physical or packaging modifications, side-channel exploits (i.e., power, analog, RF), and even maintenance updates or upgrades. The impact of these attacks on hardware is much more severe than on software. With software, the impact can take hours or weeks to fix but is usually corrected with a software update. Resolving a hardware issue may require that the entire IC be redesigned and re-fabricated. This effort could take months, and the company would suffer a major hit to its reputation and bottom line.
There are many “bad actors” in the world today who thrive on exploiting products. Both intentional insertions and unintentional weaknesses or flaws are means of exploitation. Running automated checks to identify known issues early and quickly can help to improve code and product quality and will reduce the risk of later exploits. Detecting whether a product is “fit” for use is often difficult and time-consuming, but anything we can do today to start detecting potential holes early will save significant costs in later verification, minimize rerunning regression tests or implementation steps, and prevent, even worse, a recall or re-spin of an IC.