Pwned On Arrival: Compromised Hardware Supply Chains

Year after year, U.S. military and intelligence officials rack their brains trying to find solutions for a fundamental problem: securing the electronics supply chain. MITRE corporation, the think tank behind the Common Vulnerabilities and Exposures (CVE) system, hosts semi-annual workshops on the topic, and a 2018 presentation at Lockheed Martin about trusted chipsets explains the dilemma well.  Using an iceberg as a graphical analogy, the "tip" represents short-term, tactical issues. Long-term strategic issues are the bulk of the iceberg, submerged underwater:

Most [off-the-shelf] electronics used in [Department of Defense] systems are fabricated overseas; significant risk from tamper... Risks similar for the broader national security community, banking, critical infrastructure, etc... Shift in electronics fabrication creates potential for overseas control... Significant electronics challenges represent a national security issue.

Every part of the U.S. military apparatus, as well as critical civilian infrastructure, is identified as vulnerable to infiltration of the supply chain — from office computers to missile guidance to NASA controls and satellites. If any link in the supply chain is not verified or, worse, is found to be adversarial (e.g. contains an enemy spy chipset), the trustworthiness of the electronics can't be assured.

To put the problem more simply and in terms that apply to us as individuals, "How do we keep our computer hardware from being compromised before we get our hands on it?"  To illustrate the difficulty of answering this question, let's first look at powerful state actors and some of the supply chain attacks they've utilized.

The Spies That Love Unboxing

U.S. intelligence has a division famous for "getting the ungettable", a now-legendary hacker squad called Tailored Access Operations (TAO). On the surface, this arm of the NSA appears to belong in a Marvel movie, harnessing a huge toolkit of high-tech tools to break into any computer system, camera, or phone around the planet. That version of TAO is not far off from the truth but, beneath the glamour, there are more boring and old-fashioned strategies. What TAO does best is disrupt the supply chain of computer hardware and software, plowing the Earth's digital infrastructure and preparing fertile ground for future infiltration. Some of that, according to one NSA manager, is as simple as intercepting packages:

Here’s how it works: shipments of computer network devices (servers, routers, etc,) being delivered to our targets throughout the world are intercepted. Next, they are redirected to a secret location where Tailored Access Operations/Access Operations (AO-S326) employees, with the support of the Remote Operations Center (S321), enable the installation of beacon implants directly into our targets’ electronic devices. These devices are then re-packaged and placed back into transit to the original destination. All of this happens with the support of Intelligence Community partners and the technical wizards in TAO.

It's not surprising that Hollywood never films these scenes for spy thrillers, with Amazon deliveries diverted to "load stations" for tedious unboxing, antenna placement, chip soldering, and repackaging. Such work requires an inventory of rigged electronics, cables, and peripherals. Many of these are detailed in the leaked ANT Catalog, a 50-page catalog of implants and radio devices. Rigged USB and Ethernet ports may not be exciting but they get the job done.

The NSA isn't the only agency physically intercepting devices to spy on them, either. In 2018 the Electronic Frontier Foundation (EFF) learned that Best Buy officials had a cozy relationship with the FBI since at least 2008. This not only included hosting a meeting for the FBI "Cyber Working Group" at a Best Buy repair facility but also paying Geek Squad employees as informants to dig through files on customer devices.

Lifting The Veil of Swiss Neutrality

Boris Hagelin was a pioneering designer of cryptographic cipher machines, perhaps the first inventor to have made a fortune building "computers". These machines don't resemble the general-purpose personal computer we now recognize. However, cipher machines were essential in shaping the cryptographic foundations of all modern computers. Hagelin and his Swiss company, Crypto AG, were inseparably tied to the NSA, CIA, and U.S. military. Their machines became the de facto standard encryption technology in a large part of the world. According to U.S. government documents declassified in 2015, Hagelin had an unwritten agreement with the NSA as far back as 1955 to compromise the security of his customers. As historian Stephen Budiansky puts it:

There was a certain degree of deception going on of the customers who were buying [machines] and thinking they were getting something the same as what Hagelin was selling everywhere when in fact it was a watered-down version.

This infiltration of the Crypto AG supply chain was documented by journalist James Bamford in 1980, who came across references to "The Boris Project" while researching his book The Puzzle Palace, and by Scott Shane in 1995 while reporting for The Baltimore Sun. Enemy governments of the U.S. such as Iran, Iraq, and Libya were buying from Switzerland-based Crypto AG specifically because of the Swiss reputation for neutrality. All the while, however, they were being backdoored by the company for the NSA. When Iran's prime minister was assassinated in 1991, the Iranian government became suspicious of Crypto AG. Iran arrested a Crypto AG salesman in 1992 and accused him of leaking communications, but they did not suspect the machines themselves were rigged so he was released after posting bail.

The full truth about Crypto AG would not come out until 2020, in an exposé by The Washington Post and ZDF. Crypto AG had actually been owned and operated jointly by the CIA and West German intelligence (BND) from 1970 until the mid-1990s, with the CIA as its only owner until the company was liquidated in 2018. The CIA report obtained by The Washington Post uses extraordinary language:

It was the intelligence coup of the century... Foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries.

At its peak in the 1980s, The Washington Post continues, backdoored Crypto AG messages accounted for "roughly 40 percent of the diplomatic cables and other transmissions by foreign governments that cryptanalysts at the NSA decoded and mined for intelligence." This was standard practice for half a century, all while the company generated millions of dollars in profit. No one knows how many U.S. fingerprints are inside Crypto AG technology that is still utilized around the globe by allies and adversaries alike.

In Switzerland, these revelations have resulted in the shattering of the nation's cherished neutrality, with consequences that will reverberate for many years to come. If you can't trust the Swiss to be neutral, who can you trust?

Surveillance Goes TikTok

The 2018-2019 trade war between the U.S. and China is over and both sides have declared victory, though the sparks could be ignited at any moment. Silicon Valley startups were hurt by the departure of Chinese investors, and the empires of Big Tech rest on a foundation of Chinese manufacturing and assembly. Computers, phones, and other digital equipment cross the Pacific many times before the final product reaches U.S. consumers. Though U.S. allies in Asia such as South Korea and Taiwan also play a large role, China still dominates the supply chain of major U.S. brands like Apple.

Teardowns by researchers have exposed a myriad of targeted surveillance on Chinese hardware, hidden in operating system firmware, and in third-party apps. There is malware on a wide variety of U.S. handsets that originate in China, with vulnerabilities being actively exploited on brands such as Xiaomi, Lenovo, Huawei, and smaller players. In 2016, Kryptowire exposed malware on as many as 700 million Android devices from China. Hidden, third-party software collected and transmitted SMS text messages, address books, call history, location, and other sensitive data to Shanghai on a 72-hour schedule.

Xiaomi devices have long been suspected of spying on users, with apps and services phoning home in the background. The massively-popular TikTok app has also been suspected of similar practices, and is now the subject of a U.S. lawsuit:

TikTok clandestinely has vacuumed up and transferred to servers in China vast quantities of private and personally-identifiable user data that can be employed to identify, profile, and track the location and activities of users in the United States now and in the future.

TikTok has also been banned for use by members of the U.S. Army and Navy.

It is difficult to know whether these phones and apps have been compromised directly by the Chinese state. Any relationship between a technology company and the Communist Party of China (CPC) is a web that's difficult to untangle due to blurred lines between government and private enterprise. Social credit scores are making these ties even closer, and compelled data-sharing programs by the Chinese state are even more brazen than the U.S. counterparts.

There are well-known examples of CPC malware deployed via apps. Not surprisingly, "Study the Great Nation", an official Chinese state propaganda app, is spying on at least 100 million handsets in China. There is also an app called "CellHunter" that is installed on the phones of tourists in China when they are confiscated by border guards. CellHunter searches for files that might be considered contraband or illegal, in addition to spying on communications.

Huawei or the Highway

In any discussion of Chinese electronics, Huawei is the "elephant in the room". Huawei stands to rival Samsung and Apple in the U.S. unless policy and diplomatic pressure continues to halt its march.

Washington and its allies repeatedly accuse Huawei of supply chain exploits. Claims of espionage reach back to at least 2012, when former Nortel security adviser Brian Shields accused the company of hacking the Canadian telecommunications provider for over a decade and hastening Nortel's demise. These claims are mirrored in a 2020 indictment by the U.S. Justice Department against Huawei, which goes much further in 16 counts against the Chinese company.

The filing states that Huawei stole trade secrets from at least six companies in the U.S., going as far back as 2000. It includes charges from a previous indictment that claimed Huawei stole trade secrets from T-Mobile and also mirrors lawsuits that have been brought against the Chinese firm by Motorola and Cisco. The allegations don't stop there, containing racketeering (RICO) charges, claims that Huawei sold equipment to North Korea, and older claims related to U.S. sanctions against Iran. The latter has resulted in a diplomatic emergency in Canada, with Huawei CFO Meng Wanzhou arrested in 2018 and still detained in Canada where she faces extradition to the U.S. Wanzhou is not just CFO of Huawei but is also the daughter of the company's founder.

All of this comes at a time when the U.S. is attempting to stop allies from installing Huawei's 5G technology, pressuring the UK in no uncertain terms. Though Britain has decided to allow Huawei to install the equipment in a limited rollout, Robert Strayer, a U.S. cyber politician, questioned the finality of the decision:

Our understanding is that there might have been some initial decisions made [by the UK] but conversations are continuing... If countries adopt untrustworthy vendors in 5G technology, it will jeopardise our ability to share information at the highest levels.

It's rare to hear such a clear statement of purpose from U.S. intelligence — rather than just talking about "national security", Strayer chose to identify dragnet surveillance and the Five Eyes information-sharing alliance as the primary impetus to ban Huawei in the UK. Strayer's worry is not primarily about cybersecurity, and is instead a concern about portions of the UK "going dark" to Five Eyes intelligence.

The Five Eyes includes the U.S., UK, Canada, Australia, and New Zealand. Though Canada has captured Wanzhou, they may not bow to U.S. pressure on Huawei's 5G. The situation in New Zealand is not yet decided, with Kiwi politicians likely waiting to see how diplomacy plays out in Britain. Australia has already blacklisted Huawei and its 5G network, falling in line with U.S. warnings. Of all the Five Eyes countries, Australia seems to be the most eager to implement cyber policy recommended by U.S. intelligence, requiring encryption backdoors on its own soil even when such legislation fails to be introduced in America.

The U.S. conflict with China over Huawei is hotter than ever, and Huawei appears to keep losing. There is no end to bans, restrictions, and lawsuits on the horizon, and U.S. firms are not allowed to sell key technology to the Chinese company. U.S. government employees and its contractors can't buy equipment from either Huawei or ZTE, and the Huawei brand has been inextricably tied to malware and hacking in the minds of U.S. businesses and consumers.

China no doubt ships cyber weapons and spy electronics around the world. Whether Huawei is the front line, however, remains to be seen. It's worth remembering the extensive 2018 "Big Hack" story in Bloomberg Businessweek, which alleged that many U.S. and international companies such as Amazon, Cisco, and Apple were compromised by China via hardware from Supermicro. Supposedly, surveillance chips were hidden in their hardware, infecting the supply chain with Chinese implants.

These claims, and others in a Bloomberg followup, have either never been confirmed or have since been discredited. What was then called "the most significant supply chain attack known to have been carried out against American companies” never materialized. Though such infiltration can happen, claims have to be substantiated by evidence rather than superpower rivalry.

Spy vs. Spy

As The Privacy Issue has explored in other contexts, U.S. intelligence agencies stockpile cyberweapons and spy on computer systems that are both foreign and domestic. As the home of Silicon Valley as well as the world's largest military, the U.S. plays a powerful role not only in the development of cyber weapons, but the proliferation of them.  Some of these are supply chain attacks, resulting in targeted surveillance by TAO or by the CIA's Center for Cyber Intelligence (CCI).

There are too many examples of supply chain infiltration by the U.S. to name. The fears of U.S. intelligence about supply chain attacks by their rivals are perhaps more illuminating. These spies fear spying by adversaries because they know how easily it can be done: 

An increasing number of actors are seeking the capability to target … supply chains and other components of the U.S. information infrastructure... Intelligence reporting provides only limited information on efforts to compromise supply chains, in large part because we do not have the access or technology in place necessary for reliable detection of such operations.

U.S. intelligence focuses mainly on China and Southeast Asia when talking about supply chain, as the region where most electronic components (and nearly all semiconductors) imported to North America are manufactured. However, the revival of the Cold War with Russia also hinges on supply chain concerns.

One notable supply chain vector infiltrated by the Russia-linked "Fancy Bear" group is the low-level Computrace/Lojack software. Lojack is a known security issue and, though it may be installed for legitimate reasons on a computer, it can also be rigged to execute remote instructions. Since it comes pre-installed on a wide range of laptops, irregular activity can be difficult to investigate.

Despite its work disclosing and blocking attacks by Russian actors such as Fancy Bear, Kaspersky Lab has been singled out by U.S. intelligence as an arm of the Russian state in all but name. These charges have grown from a general fear of attacks by Russia on U.S. infrastructure that surfaced in the 2016 election cycle and may again be revived in 2020.

The U.S. and UK blame Russia for widespread cyber attacks in Georgia and Ukraine and a California-based firm claims Russia may be responsible for attacks on Ukraine oil giant Burisma. As with China, the veracity of claims against Russia can be difficult to discern when rivals are the accusers and little evidence is presented. Spies blaming spies has a long history, though it is certain that Russia is beefing up its cyber espionage programs.

Summary

Supply chain attacks are a difficult problem to address for any person or organization. Often, threat modeling relies upon industry and national borders, as well as available resources, catastrophic weather events, or even the outbreak of a disease. Your political allegiance and who you consider an adversary or ally can sway your strategy in a direction that is diametrically-opposed to someone else. This is the lamentable case during global cyber warfare, revealing how deeply the geopolitical landscape shapes our daily lives when technology mediates nearly every action and communication.

Though you may feel powerless, there are some strategies you can employ to better protect yourself from malware and targeted surveillance that exploits vulnerable supply chains.