Protecting the Storage Platform through Measurement and Attestation │Part 2: Threat Modeling for the New Age of Protection
Part 2: Threat Modeling for the New Age of Protection
Part 1 of this series examined how security challenges have changed with the globalization of the supply chain. The Part 2 installment goes beyond the supply chain to examine other elements of the overall threat model, shown below.
A category of threat comes from individuals who have access to an abundance of information, methods, and resources on the internet. Resources include downloaded development environments, online for sale probes/analyzers, schematics and other tools. Bad actors in non-conventional environments with very low budgets can easily assemble everything needed to compromise a device either in production or on the way to production environments.
Nation states may also target a corporate workforce. Employees may be unduly influenced to insert damaging lines of code through monetary, subversive, or unintentional means. Trust models are increasingly challenging as the workforce is distributed worldwide. In other cases, nations sponsor academia and industry to develop vulnerability methods which become published works. Generally the work is intended to harden the industry or establish new methods to develop products. Often times the published work provide methodologies for exploitation.
From a sophistication standpoint, it can be also be assumed actors have access to production lines or own production environments. Components are brought in, sent through the production process, and returned to original packaging. The end resulting consumable, appears identical to the OEM produced end product - right down to being sealed with the OEM box tape. Detection remains obscured until something goes wrong with the product or there is evidence of a breach.
The proposed manufacturing line is not factious, as evidence exists that compromised systems have reached customers. In 2015 by example, several drive manufacturers contained drive firmware which had been compromised. A bad actor analyzed the firmware layout and determined how to flash the firmware with malicious code. Unused flash space was exploited on the device itself as part of the attack. The malware was nearly impossible to purge as every time the device would boot, the malicious code would run, intercept the data meant for storage, and acknowledge successful flashing the new firmware.
There are many examples of this type of attack but the important point is it’s a sophisticated attack and disturbingly widespread across a range of hard drives from different manufacturers.
In Part 3 of our series we will look at how product manufacturers can close this major vulnerability gap through the use of Secure Trusted Firmware.
For more information visit www.microchip.com.