Last week was a watershed for the embedded security community, and by implication everyone else. Bloomberg announced that rogue chips had been found on the motherboards of servers sold by Super Micro Computer to companies like Amazon and Apple. Whoever had added these during the manufacturing process would have acquired the ability to control and access data from the servers when those companies installed them. For the first time, it appeared there was evidence that the supply chain could be disrupted. That meant hacking was happening during the manufacturing process, before the products had even left the production line.
Up until now, hacking has predominantly been viewed as getting malicious code into a device which is “clean”, by exploiting security flaws in its code. That’s what’s happened with every PC virus; attacks like the WannaCry ransomware, and state sponsored attacks such as Stuxnet and the recently discovered attempt by Russian hackers to infiltrate the Organisation for the Prevention of Chemical Weapons in The Hague. Although the concept of hacking a product before it has shipped has been discussed for years, the Bloomberg report signals that we’ve moved from academic debate to reality.
There is still debate about whether the report is correct. Apple and Amazon deny much of the detail, but its publication has started people looking more closely at the supply line and concluding that whether or not it is true, the way we design, subcontract and manufacture complex electronic products today means that it is possible. If it is true, this attack was probably commercial, where a company or a state wanted to discover what leading global companies were doing. What is more worrying is the prospect of a future where malicious state actors target infrastructure with the aim of crippling a country. Which brings me to smart meters.