CAPEC-522: Malicious Hardware Component Replacement
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
An adversary replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.
执行流程
步骤 1 Explore
[Determine Target Hardware] The adversary must first identify a system that they wish to target, and a specific hardware component that they can swap out with a malicious replacement.
- Look for datasheets containing the system schematics that can help identify possible target hardware.
- Procure a system and inspect it manually, looking for possible hardware component targets. Search for manufacturer IDs on hardware chips or FCC IDs on wireless chips to determine their functionality.
步骤 2 Explore
[Discover Vulnerability in Supply Chain] The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.
- Procure a system and observe the steps it takes in the shipment process.
- Identify possible warehouses that systems are stored after manufacturing.
步骤 3 Experiment
[Test a Malicious Component Replacement] Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.
- Design a malicious hardware component that will perform the same functionality as the target component, but also contains additional functionality.
- Obtain already designed malicious components that just need to be placed into the system.
步骤 3 Exploit
[Substitute Components in the Supply Chain] Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary substitutes the malicious component for the targeted component. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.
前提条件
- Physical access to the system after it has left the manufacturer but before it is deployed at the victim location.
所需技能
缓解措施
Ensure that all contractors and sub-suppliers use trusted means of shipping (e.g., bonded/cleared/vetted and insured couriers) to ensure that components, once purchased, are not subject to compromise during their delivery.
Prevent or detect tampering with critical hardware or firmware components while in transit through use of state-of-the-art anti-tamper devices.
Use tamper-resistant and tamper-evident packaging when shipping critical components (e.g., plastic coating for circuit boards, tamper tape, paint, sensors, and/or seals for cases and containers) and inspect received system components for evidence of tampering.
示例实例
During shipment the adversary is able to intercept a system that has been purchased by the victim, and replaces a math processor card that functions just like the original, but contains advanced malicious capability. Once deployed, the system functions as normal, but allows for the adversary to remotely communicate with the system and use it as a conduit for additional compromise within the victim's environment.
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| ATTACK | 1195.003 | Supply Chain Compromise: Compromise Hardware Supply Chain |