Demystifying the hardware supply chain for smartphones.

Earlier this month, a controversial report in Bloomberg Businessweek ignited a larger conversation about a topic that has long been a concern of security professionals: the hacking of the hardware supply chain. The fear of backdoors built into devices isn’t new (see: the blacklisting of Huawei and ZTE products by the US government), but concrete evidence is rarely made available to the public.

In the story, authors Jordan Robertson and Michael Riley detail how Chinese spies were able to implant a tiny microchip on the server motherboards produced by one the world’s biggest suppliers, potentially creating a series of surreptitious surveillance links back to China from high-value corporate and government customers around the world. While many security professionals have expressed skepticism of some of the article’s findings (and the customers of these server motherboards have denied the allegations), all seem to agree that more needs to be done to protect the hardware supply chain.

In this mobile security blog post, I’ll attempt to explain the hardware supply chain (with a focus on smartphones) and the importance of protecting it.

What is the smartphone supply chain?

Each smartphone on the planet is made up of a large and complex set of components, including processors, storage, sensors, communication chips, boards and much more. Given this complexity, smartphone manufacturers look to third-party vendors – hundreds of them – to supply the individual hardware components, and each of these suppliers may have its own sub-suppliers. The result is an immensely interdependent supply chain. And that’s before we get into the firmware and the upper layers of the smartphone stack.

Given its low production costs and excess of skilled manufacturing labor, China has become the world’s de facto electronics manufacturer, producing about 75% of the world’s smartphones. While smartphone makers would prefer to limit their security risks (of both the malicious and negligent variety) by keeping all manufacturing in-house, it’s generally not feasible to do so given China’s built-in economic advantages and the sheer scale of components required.

Why is the supply chain a target?

When it comes to smartphone attacks, there are a variety of software-based tools that hackers can use to remotely access and control the device, often without leaving a trace. Hardware-based supply chain attacks, on the other hand, are exceedingly difficult to pull off. However, for some larger players (i.e., nation-states), the risk/reward ratio makes sense for the following reasons:

• Lack of prevention: With the difficulty of validating every single component and sub-component within the entire smartphone, manufacturers lack the capacity to prevent a stealth supply chain attack.
• Lack of detection: Given that hardware and firmware are the lowest layers of the smartphone stack, existing security solutions – most of which run at the operating system or app levels – generally can’t detect abnormalities within these layers.
• Lack of remediation: Malicious additions or changes at the hardware level are difficult to remediate, often requiring physical access to the device.

"Supply chain attacks – like the one reported to have affected Supermicro – bring much-needed attention to the fact that implicitly trusting the underlying hardware found in most commercial devices may be unwise."

Mike Fong, CEO and Founder, Privoro LLC

How do supply chain attacks work?

Generally, hardware-based supply chain attacks occur during the production, quality control or delivery stages, often through bribery, coercion, deceit or simply counting on the manufacturer’s lack of due diligence. There are three main kinds of supply chain attacks that can take place before the smartphone even reaches the end user:

• Pre-installed malware: The firmware that’s installed during manufacturing may be riddled with pre-installed malware (possibly from a malicious third-party app) or additional code; an example of this is the batch of Android devices that shipped with Loki malware last year.
• Shipment interdiction: A threat actor can manipulate devices as they’re in transit between the manufacturer and the customer, similar to how the NSA has reportedly intercepted networking equipment and implanted backdoor surveillance tools before delivery to international customers.
• Hardware seeding: As in the case described in the Bloomberg Businessweek article, chips and other components can be added or manipulated during the manufacturing process.

What can be done by manufacturers?

While the sheer breadth of hardware supply chain attacks may seem overwhelming, there are a few protections that smartphone manufacturers may take to help prevent these kinds of exploits:

• Documented security controls: Requirements for supplier security controls – including incident response processes – can be clearly defined in vendor contracts.
• Supplier auditing: Each supplier can be audited – either by the manufacturer or a trusted third-party organization – to ensure that it’s following the proper security controls.
• Component validation: Each of the device’s hardware components and sub-components can be inspected, x-rayed and validated for unexpected characteristics and behaviors.
• Background checks: Employees can be screened for red flags before hire and at regular intervals during employment.
• Secured facilities: Manufacturing facilities can be protected through stringent physical security measures and monitoring.
• Isolated provisioning: Each device can be provisioned using an air-gapped, cryptographically assured process.
• Tamper protection: Steps can be taken to prevent hardware tampering, such as closing the device’s debug ports.

Even taking the most stringent precautions, however, it’s virtually impossible for manufacturers of smartphones and other consumer devices to completely isolate their supply chains from outside interference.

How can organizations mitigate risk?

Customers of smartphones, including enterprises and government agencies, lack control over the production of their devices, yet stand to suffer potentially disastrous consequences as a result of supply chain attacks. As such, these organizations will need to shift from a mindset of prevention to one of risk mitigation.

To mitigate risk, organizations must work on the assumption that their smartphones have already been compromised at the hardware level and figure out how to reduce their potential exposure. One way to accomplish this is by looking beyond software-based mobile security solutions (which ultimately require trust in the underlying hardware) to hardware-based iPhone security solutions that offer protections independently of the device. It is only by adding this layer of special-purpose, hardware-based protections to commercial smartphones that organizations will be able to ensure that they take back control and protect their most sensitive information.