A Hardware Supply Chain Attack
Hardware is the root of trust and security in all systems today. Many works on hardware supply chain attacks are built on implicit assumptions about the relative difficulty and effects of different types of hardware supply chain attacks.
Chip Scan is well aware of this and has published research on hardware attacks that fall within the realm of “script kiddies”. This extends the attack surface to far more perpetrators than the traditional nation-state or other advanced attackers behind hardware exploits.
Software and hardware designers alike do not suspect their tools of being broken or malicious. As the recent SolarWinds "Orion" attack showed, compromises in build systems are extremely dangerous and hard to track down. Trusted vendors distributing compromised products to customers poses a critical threat to both commercial and national security. This brief demo illustrates the simplicity of a hardware supply chain attack using modern design tools:
Chip Scan has years of experience with hardware supply chain attacks and has developed a commercial product to address this issue. Based on the research documented in "Functional Analysis for Nearly-Unused Circuit Identification" and "A Red Team/Blue Team Assessment of Functional Analysis Methods", Chip Scan's development tool, ESPY, uses an analysis algorithm to identify stealthy, malicious circuits within hardware designs that can perform backdoor operations to compromise system security.