Hacking the Motherboard: Exploiting implicit trust in all of the forgotten places, presented at Supply Chain Cybersecurity Summit 2019

by Sophia D'antoine

Summary: Last year, Bloomberg's Big Hack article gave everyone a (questionably accurate but) much needed scare which forced companies to evaluate their exposure to supply chain intervention attacks. But a wider acknowledgement of the problem doesn't make it go away. We need to understand the attack vectors and the inherent hardware vulnerabilities used by these backdoors, as well as the steps we can take to protect ourselves. We must have confidence in the systems and the technical infrastructure that supports our economy. This confidence currently relies on too much implicit trust -- overlooking serious risks. Assurance in this area is hard won, manual, and costly. In this talk, I will dive into several recent hacks including the ASUS software update hijacking, the SuperMicro supply chain, allegations vs. reality. This discussion will include a technical overview of various types of hardware implants, the access they enable, and what we should be doing to detect and mitigate. Attendees will leave the talk with an in-depth understanding of what a hardware implant is, what types of implants provide what capabilities, and -- with this knowledge -- how to protect their enterprise from these attacks against a modern supply chain.