application code on screen

Spotlight Podcast: Fixing Supply Chain Hacks with Strong Device Identities

Supply chain hacks like ME Docs and ASUS aren’t inevitable. In this Spotlight Podcast, sponsored by Trusted Computing Group, I speak with Dennis Mattoon, a Principal Researcher at Microsoft Research and the Chairman of the Trusted Computing Group’s DICE Architectures Working Group* about how strong device identities for IoT endpoints can stop supply chain compromises.


Software supply chain hacks are a growing problem. In just the latest example, it was reported earlier this month by Motherboard and Kaspersky Lab that hackers compromised a server of computer manufacturer ASUS’s live software update tool and used it to install a malicious backdoor on thousands of computers.

Security Ledger Sponsored Content

The attackers distributed a malicious file that masqueraded as an authentic software update, signed with legitimate ASUS digital certificates. According to the reports, ASUS unwittingly pushed out the backdoor to customers for at least five months before its discovery last year.

A worrying trend

Supply chain attacks aren’t new. But they’re a worrying trend that appears to be gathering steam. Other examples include the outbreak of the NotPetya wiper malware in 2017, which initially spread as a signed update from the Ukrainian finance software ME Docs. As the Internet of Things takes shape and more Internet-connected devices require remote software updates, it is a safe bet that cyber criminals and nation-state actors will increasingly look to leverage software updates as a means to gain control over connected endpoints and targeted networks. 

Dennis Mattoon Microsoft
Dennis is a Principal Software Development Engineer at Microsoft Research

But our guest this week, Dennis Mattoon of Microsoft Research, says that supply chain attacks only work because current approaches to verifying firmware updates rely entirely on cryptographic signatures on the file, without verifying the content of the update itself.

Essentially, if the signature checks out, the update is “good to go,” Mattoon notes. That signature _is_ the identity of the file, regardless of what the file contains. So, hackers who can compromise the update server and its signing keys can push out whatever they like.

Mattoon says there is a better way to do this. He is one of the engineers working on  the Device Identifier Composition Engine – or DICE- a new architecture for the Internet of Things promoted by The Trusted Computing Group. Using commodity hardware suitable for low-cost, low power endpoints, DICE creates cryptographically strong device identities. Those can be the foundation for attestation for software updates, patches and so on.

With devices that use a DICE architecture, a signed-but-malicious software updates would not be installed. That’s because a wide range of measurements from the system generating the update would be used to create the cryptographic signature that attests to its authenticity.

That sounds good – but how do we get IoT device makers to start implementing the DICE architecture? In this interview with Security Ledger, Dennis and I talk in detail about DICE and how it is different from the TCG’s other major technology The Trusted Platform Module. We also talk about how a DICE architecture would prevent supply chain compromises like NotPetya and how IoT developers can leverage DICE in their own creations. 

As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more.


(*)

Trusted Computing Group is a sponsor of The Security Ledger. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

Comments are closed.