Supply chain security has been a hot topic in 2024. While the focus has mostly been on software supply chain and managing the risk of third-party software, hardware procurement can be equally risky. CISA has encouraged vendors to employ "Secure by Design" principles to reduce the number of vulnerable products reaching the market, and has encouraged customers to make stronger demands for product security.
Procurement plays a crucial role in corporate security because it represents an entry point and a source of initial access to the buyer's network. Still, the procurement process is often overlooked when planning an organization’s defenses. From counterfeit equipment to devices with hidden zero-day and even unpatchable vulnerabilities, the procurement process can open the door to cyber threats. Without considering security during procurement, businesses leave themselves vulnerable to a range of cyber threats that could have devastating consequences.
At the most basic level, organizations need to build security policies into their procurement process; at more advanced stages of mitigation, they should also plan strategically for how they would react if hardware they are already using is found to contain unpatchable security vulnerabilities.
Here are some recent events from the first half of 2024 that highlight the various risks posed by hardware procurement:
Procurement risks include buying hardware from unknown suppliers. These sellers may operate on otherwise legitimate and popular online sales channels such as Amazon or eBay. In August 2024, a security researcher from Quarkslab discovered hardware backdoors in millions of RFID key cards manufactured by the Chinese company Shanghai Fudan Microelectronics.
The backdoors in these RFID cards, which are based on the widely used MIFARE Classic chips, allow attackers to clone them within minutes and gain unauthorized access to secure areas. The backdoors impact FM11RF08S cards and other models dating back to 2007, using a universal authentication key that is the same across all units.
The vulnerability allows attackers to bypass card security, exposing organizations that use these cards to significant risk. Although MIFARE Classic cards were already known to be insecure, the discovery of an intentional backdoor elevates the threat, because cloning no longer requires the usual resources and time. The backdoor has also been found in other card models from manufacturers such as NXP and Infineon, indicating a widespread supply chain risk in the RFID access card market.
Onur Aksoy, a Florida-based CEO and dual U.S.-Turkey citizen, was sentenced to six years and six months in prison for selling counterfeit Cisco networking equipment on Amazon and eBay. The counterfeit devices even ended up within US military bases, hospitals, schools, and critical military systems supporting fighter jets and helicopters. Despite Cisco and U.S. authorities' efforts to stop him—including intercepting 180 counterfeit shipments and sending multiple cease-and-desist letters—Aksoy continued his operations, using aliases and forged documents to evade detection.
For nearly a decade, Aksoy operated through at least 19 companies and over 25 storefronts, known as the Pro Network Entities, trafficking counterfeit Cisco products from China and Hong Kong. These low-quality items were often disguised with fake labels and packaging. In 2022, Aksoy was arrested, and in June 2023 he pleaded guilty to charges of mail fraud, wire fraud, and conspiracy to traffic counterfeit goods. Alongside his prison sentence, he was ordered to pay $100 million in restitution to Cisco.
Multiple federal agencies, including Homeland Security Investigations and the Department of Defense, were involved in the investigation. Aksoy’s conviction stands as a warning against the dangers of counterfeit products in essential systems.
In our final example, we cover the side-channel attack against Apple M1, M2, and M3 chips. Apple is lauded as one of the most security-minded technology companies in the world. It is at the forefront of offering advanced security features to its users, and its devices are the choice of government agencies burdened with the strictest security requirements.
In March 2024, researchers uncovered a flaw deeply embedded in the architecture of Apple's silicon. The flaw is unpatchable, meaning it cannot be fixed with a software update; however, exploitation is considered complex. The flaw was detailed by a team of seven U.S.-based researchers who designed an app called GoFetch to demonstrate exploitability. GoFetch can extract enough secrets to break encryption keys. The vulnerability lies within the Data Memory-Dependent Prefetcher (DMP), a feature that boosts the performance of Apple’s chips by predicting memory addresses. Apple has recommended that users with M3 devices enable Data-Independent Timing (DIT) to mitigate the risk; however, this significantly impacts performance and does not work on M1 or M2 devices.
Apple must address the issue in future chip designs, beginning with the anticipated release of the M4 chips later this year. The newly identified vulnerability, similar to last year’s iLeakage attack, involves the extraction of encryption keys through a microarchitectural side-channel.
As a Procurement Specialist, your role involves continuously seeking out quality vendors that can meet the needs of your internal team and key stakeholders. Packetlabs, with over 10 years of experience in the cybersecurity industry, supports the security of procurement.
Packetlabs provides exceptional customer service alongside collaborative, white-glove penetration testing to ensure the software and hardware devices in your supply chain represent the strongest security value.
Procurement security incidents from 2024 highlight the critical security risks tied to hardware procurement, including backdoors in widely-used key card systems, counterfeit networking equipment in critical infrastructure, and unpatchable vulnerabilities in Apple chips. These examples demonstrate how flawed or fraudulent hardware can compromise entire networks and sensitive systems. Ensuring a secure procurement process, including stringent vetting and awareness of emerging threats, is essential for protecting organizations from these risks.
As demonstrated, oversight and proper vendor selection are key to mitigating the growing threats posed by faulty or malicious hardware. Companies must prioritize procurement security to avoid operational disruptions, financial losses, and potential data breaches.
What sets us apart is our passionate team of highly trained, proactive ethical hackers. Our advanced capabilities go beyond industry standards. We ask questions to dig deeper and encourage knowledge sharing.