rlex Posted February 4, 2021

The recent SolarWinds hacking incident that left many Fortune-500 companies and US government networks exposed is an interesting cautionary tale for unchecked software and hardware supply chain security vulnerabilities. The highly sophisticated software supply chain attack occurred in the SolarWinds Orion IT monitoring system. This system, used by over 33,000 companies, monitors performance across multiple networks. In early March of 2020, SolarWinds unintentionally sent a certified binary software update that included malicious code to 18,000 clients. The hacked code created a backdoor to companies' IT systems that allowed even more malware to be installed, allowing the hackers to spy on these companies. The backdoor communicated via HTTP to third-party servers and used multiple blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. This attack meant that highly confidential information was exposed and could have resulted in complete control of the systems being lost.

Although this attack happened through software, hardware and its supply chain are susceptible to comparable attack scenarios. During pre-IC fabrication, a backdoor could be inserted at the time of design or within integrated IP. It could even occur during mask or silicon modification. After IC fabrication, malicious logic could find its way in through physical or packaging modifications, side-channel exploits (i.e., power, analog, RF), and even maintenance or upgrade updates.

The impact of these attacks on hardware is much more severe than software. With software, the impact can take hours or weeks to fix but is usually corrected with a software update. Resolving the hardware may require that the entire IC be redesigned and re-fabricated. This effort could take months, and the company would suffer a major hit to its reputation and bottom line.
OneSpin can mitigate the risks of exploits throughout the hardware lifecycle by thoroughly verifying the absence of vulnerabilities. During IC design and IP integration, trust technology models the implementation, proves the functional correctness of the design and detects weaknesses and vulnerabilities. During fabrication, IC assembly, and packaging, we can formally verify the physical IC to the model in a digital twin scenario. The model can be verified in the system during system integration and updates can be verified in isolation prior to deployment.