Hoo boy. The denials to Bloomberg's Big Hack story have come in, and the sound of "No" is deafening: Amazon, Apple, the DHS and GCHQ are all proclaiming in unison that the Bloomberg story is bogus. So what's going on?
To recap: Bloomberg published a story describing an upstream supply-chain compromise of critical infrastructure in the US. The gist: the Chinese manufacturers building motherboards for the US firm Supermicro were infiltrated by Chinese security services and coerced into adding a chip to these boards (selectively, not wholesale, as there was apparently enough visibility into which boards would end up where). The chip could alter the board's firmware and open remote access to the hardware, bypassing any intrusion controls implemented in the software running on top of it. The Bloomberg story portrays both Apple and Amazon as potential victims, along with several three-letter US agencies.
And while the denials are atypically strong, the accusations made in the report reverberate across the industry. Of course Apple and Amazon would deny this, the thinking goes; otherwise nobody would trust their cloud services anymore. And it is striking that Google announced a custom security chip last year, Titan, which seems tailor-made to counter exactly this threat vector: it verifies the firmware before the machine boots it, so a tampered board does not get to run unnoticed. Titan and similar approaches speak to the need to embed security even in the hardware. If you're compromised in hardware, there's not much you can do in software.
And yet we're overindexing on one highly specific scenario, targeted enough that it would not even touch the broad majority of users, while the steps taken to further secure everyday users draw ire because of the trade-offs involved. Case in point: Apple restricting the functionality of its operating systems if the hardware has been tampered with.
Apple instituted this policy when it first launched its Touch ID authentication system, which relies on a custom cryptographic coprocessor called the Secure Enclave. To make interception of fingerprint data between the Touch ID sensor and the Secure Enclave impossible, the two components are cryptographically paired at manufacturing time. This means that a later repair or replacement of the Touch ID sensor results in Touch ID no longer working, because the Secure Enclave does not find its paired sensor attached and refuses data from any other one. As the Secure Enclave spreads to more Apple platforms, so do these security precautions.
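To make the pairing argument concrete, here is an added, deliberately simplified model of a sensor paired to a secure coprocessor at the factory. It is example code written for this post, not Apple's implementation; the real Touch ID channel is not documented here, and the HMAC-SHA256 tag, the write-once pairing key and the message counter are assumptions chosen to illustrate the principle. The point it shows is why a replacement sensor fails: even one that spoofs the original serial number cannot produce a valid tag without the factory-provisioned key, and a replayed authentic message is rejected too.

```python
import hmac
import hashlib
import secrets


class Sensor:
    """Model of a fingerprint sensor holding a factory-provisioned pairing key (assumption)."""

    def __init__(self, serial: str, pairing_key: bytes):
        self.serial = serial
        self._key = pairing_key
        self._counter = 0  # monotonic counter to defeat replay (assumption)

    def scan(self, fingerprint: bytes):
        """Return (header, data, tag): the header binds serial and counter to the data."""
        self._counter += 1
        header = self.serial.encode() + self._counter.to_bytes(4, "big")
        tag = hmac.new(self._key, header + fingerprint, hashlib.sha256).digest()
        return header, fingerprint, tag


class SecureCoprocessor:
    """Model of the enclave side: accepts data only from the sensor it was paired with."""

    def __init__(self):
        self._pairing = None  # (serial, key); written exactly once at manufacture
        self._last_counter = 0

    def pair_at_factory(self, serial: str, key: bytes):
        if self._pairing is not None:
            raise RuntimeError("pairing is write-once")
        self._pairing = (serial, key)

    def accept(self, message) -> bool:
        header, data, tag = message
        serial = header[:-4].decode()
        counter = int.from_bytes(header[-4:], "big")
        if self._pairing is None or serial != self._pairing[0]:
            return False  # unknown sensor
        expected = hmac.new(self._pairing[1], header + data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # right serial, wrong key: a replacement part
        if counter <= self._last_counter:
            return False  # replay of an earlier authentic message
        self._last_counter = counter
        return True


def manufacture(serial: str = "SENSOR-0001"):
    """Factory step: generate one key and provision it into both components."""
    key = secrets.token_bytes(32)
    sensor = Sensor(serial, key)
    enclave = SecureCoprocessor()
    enclave.pair_at_factory(serial, key)
    return sensor, enclave


def demo():
    """Returns (original accepted, replacement accepted, replay accepted)."""
    sensor, enclave = manufacture()
    template = b"constructed fingerprint template bytes"  # constructed sample input

    ok_original = enclave.accept(sensor.scan(template))

    # Third-party replacement: same serial string, but it never had the factory key.
    replacement = Sensor("SENSOR-0001", secrets.token_bytes(32))
    ok_replacement = enclave.accept(replacement.scan(template))

    # Replay: capture an authentic message and submit it twice.
    captured = sensor.scan(template)
    enclave.accept(captured)
    ok_replay = enclave.accept(captured)

    return ok_original, ok_replacement, ok_replay


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The design choice worth noticing is that the coprocessor never sees a key after the factory: it only checks that what arrives was authenticated under the key it already has, which is exactly why an unpaired part cannot be made to work by software alone.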
Security is hard, and most real-world compromises come through the software supply chain (back in March '17 we talked about outdated JS libraries and the security issues they present) or through poorly secured IoT devices used as a foothold to move laterally into infrastructure, so the deliberateness of the #BigHack story is almost refreshing.