According to recent reports, the Chinese Army purportedly inserted chips into the supply chain for 30 US businesses. These chips, if the allegations are true, give attackers a connection into the back-end infrastructure where they can steal information and credentials, exploiting a critical weakness in most data monitoring. With that access they could leverage those systems to compromise others, or even to launch attacks.
As was outlined in a Bloomberg Business article by Jordan Robertson and Michael Riley:
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community.
Investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.
While this supply-chain vulnerability is scary, we had been warned for years about the danger inherent in outsourcing all our manufacturing. Analysts are still missing a major issue: we have blind spots in our monitoring.
Why was this only discovered as part of a due-diligence exercise for a potential acquisition? These chips must use standard Internet protocols to communicate back to their controllers. Their attempts to connect home or exfiltrate information should have been blocked and set off alarms immediately.
Traditional network security approaches trust machines on the inside to connect out. Firewalls generally block incoming traffic. Even the few companies that block outbound traffic with firewalls do not alert on the blocked attempts. That is why hackers can stay undetected inside organizations for about 200 days.
HOPZERO has a different approach. We start with the servers and limit how far data can be transmitted. Each server gets a custom limit, or limits, for each protocol. Any attempt to breach those limits is blocked, triggering an alert. This approach would have spotted these attacks immediately and rendered them impotent.
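As an added illustration of the per-server, per-protocol limit described above (example code written for this page, not HOPZERO's own implementation), the check below evaluates constructed outbound flow records against a constructed policy and, unlike the block-only firewalls mentioned earlier, raises an alert for every block. It assumes that "how far" is measured in router hops; the host names, protocols, destinations and the flow-record format are all made up.

```python
import re
from typing import Dict, List, NamedTuple

# Per-server, per-protocol limit on how many router hops outbound data may travel.
# Constructed policy; measuring "distance" in hops is an assumption made for this example.
POLICY: Dict[str, Dict[str, int]] = {
    "db-01": {"tcp/3306": 1, "tcp/22": 2},    # database: app tier next door, admin jump host two hops
    "web-01": {"tcp/443": 8, "tcp/22": 2},    # web tier may reach clients across the WAN
}

class Verdict(NamedTuple):
    host: str
    proto: str
    dst: str
    hops: int
    action: str   # "allow" or "block+alert"
    reason: str

# Constructed flow-record format: "<host> <proto> <dst> hops=<n>"
LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<proto>\S+)\s+(?P<dst>\S+)\s+hops=(?P<hops>\d+)$")

def evaluate(line: str, policy: Dict[str, Dict[str, int]] = POLICY) -> Verdict:
    """Decide whether one outbound flow stays within its server's sanctioned reach."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    host, proto, dst, hops = m["host"], m["proto"], m["dst"], int(m["hops"])
    limits = policy.get(host)
    if limits is None:
        # A server with no policy has no sanctioned reach at all: block and alert.
        return Verdict(host, proto, dst, hops, "block+alert", "no policy for host")
    limit = limits.get(proto)
    if limit is None:
        return Verdict(host, proto, dst, hops, "block+alert", f"{proto} not permitted from {host}")
    if hops > limit:
        return Verdict(host, proto, dst, hops, "block+alert", f"{hops} hops exceeds limit {limit}")
    return Verdict(host, proto, dst, hops, "allow", "within limit")

def alerts(lines: List[str]) -> List[Verdict]:
    """Every blocked flow is also an alert; silent blocking is the blind spot described above."""
    return [v for v in map(evaluate, lines) if v.action == "block+alert"]

SAMPLE_FLOWS = [                               # constructed records, not real traffic
    "db-01 tcp/3306 10.0.2.15 hops=1",         # app tier query: allowed
    "db-01 tcp/22 10.0.9.4 hops=2",            # admin jump host: allowed
    "db-01 tcp/443 203.0.113.7 hops=14",       # database reaching out to the Internet: blocked
    "web-01 tcp/443 198.51.100.23 hops=6",     # client on the WAN: allowed
    "web-01 tcp/53 192.0.2.1 hops=3",          # protocol not in web-01's policy: blocked
]

if __name__ == "__main__":
    for v in alerts(SAMPLE_FLOWS):
        print(f"ALERT {v.host} -> {v.dst} {v.proto}: {v.reason}")
```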
The report says 30 companies were identified as targets, but that is just the tip of the iceberg. Now that an attack has been demonstrated, it will get cheaper and easier to deploy. We can expect many more attempts, but they can be stopped with the right tools.
Regardless of whether reports of the China chip hack are true, the question now is whether we are going to step up our security to face these attacks, or wait for the next exploitation before we are motivated to change our ways.