The Big Hack - What did we learn?

Happy “The Big Hack”-iversary! What have we learned in a year?

There are still divergent opinions about what actually happend here’s a bit of a refresher, plus some of my conclusions. Initially I was fascinated by the technical possibilies and quickly shared my thoughts:

I was asked repeatedly by people if they had hardware implants, so I summarized my answer:

Way too many people spent those few weeks ripping apart servers looking for grain-of-rice sized malicious chips. When I saw this happening and took the time to stop think about it rationally, I realize that this was most certainly not a good use of resources. At the time, I also shared the best TL;DR that I heard:

Many of you owe thanks to @kimzetter and @riskybusiness who both convinced me to got on the record and share my dissatisfaction with the reporting. I have heard in the past year thanks from many people who felt the riskybusiness podcast saved them days or weeks of work searching for something that still hasn’t surfaced a year later.

I also spent some time theorizing about how and why the whole story came together, analyzing all of the details to see if they could fit together in a more realistic way. I never found the solution, but do check out my amateur, and likely incomplete anaysis.

So What?

Over the past year, I’ve presented a few times and touched on several points that I feel are critical:

  • Perhaps it’s time to consider hardware differently in your threat model.
  • Focus on your threat model. Don’t waste your budget protecting someone else’s threat model.
  • $1M hardware and supply chain attacks sound cool, but don’t waste resources on them if you’re not protecting against $5 attacks.

October 4, 2018 was a firedrill.

Who passed or failed the firedrill? Who took steps to adequately prepare for the actual fire when it happens?

Are you better prepared today for a supply chain attack than you were a year ago?

Have you had conversations with your suppliers about what they do to ensure authenticity?

If a report came out today that a specific silicon manufacturer had a supply chain issue - how long would it take you to confidently confirm whether or not you have any of that manufacturer’s silicon?

How have you revised your threat model in the past year to consider hardware and supply chain attacks?

Joe FitzPatrick

Written by

Joe (@securelyfitz) is an Instructor and Researcher at Joe has spent his carrer working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontroller. He has spent the past decade developing and leading hardware security-related training, instructing hundreds of security researchers, pen-testers, hardware validators worldwide. When not teaching classes on applied physical attacks, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.