The patching is incomplete!
Archie Jackson
Globally Recognized | 24Yrs in Technology & Cybersecurity | APAC's Consecutive Top Ranked CIO & CISO | Researcher | Trusted Mentor & Advisor | Right Brain Critical Thinker | Opportunist
A few hours ago, it was reported that 20GB of data from an Intel Corp breach is circulating on the internet, including source code, classified docs, internal docs, backdoors, etc.
Link to the news:
Thinking about the gravity of the "what if" reminded me of late 2018 and the highly controversial Bloomberg article by Jordan Robertson and Michael Riley, "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies".
Link to the article:
This article claimed that Chinese state-sponsored hackers secretly added small chips to Supermicro's server motherboards. Supermicro motherboards in servers used by 30+ major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Lenovo was also affected by this news, as its share price tumbled.
Later, security researcher Monta Elkins claimed to have developed a version of that technique with off-the-shelf hardware. All Elkins needed was a $150 air-soldering tool, a $40 microscope, and some tiny programmable chips used in personal electronics projects. Elkins's approach uses an ATtiny85 chip salvaged from Digispark Arduino boards, each of which costs around $2. The chips have a total surface area of about 5mm, more than small enough to go unnoticed on a circuit board.
Elkins created code for the chip that allowed him to interface with the administrator settings on a Cisco ASA 5505 firewall. When the firewall boots up, the chip impersonates a security administrator accessing the firewall's configuration by connecting their computer directly to that port. Then the chip triggers the firewall's password recovery feature, creating a new admin account and gaining access to the firewall's settings.
At the CS3sthlm security conference in 2019, Monta showed how he created a proof-of-concept version of that hardware hack in his basement. He demonstrated how easily cyber criminals can plant a chip in enterprise IT equipment to gain backdoor access.
Link to Monta’s Cs3sthlm video:
Let me make my point:
China makes 75 percent of the world's mobile phones and 90 percent of the world's PCs (or their components).
You may be the chief of security, a security professional, or perhaps a naive consumer of technology. For each of these individuals, basic access to technology is via the internet, and getting onto the internet requires a compute device, which may be a cell phone or a laptop/computer.
Whether these individuals are home users or corporate enterprise users operating in a secured IDS/IPS environment with all sorts of threat-intelligent SDPs, efficient XDR, etc., what if the basic medium (the hardware) through which the packets are processed and sent is itself breached?
One method to safeguard is to build your own hardware.
The thought I would like to leave you with is ...
Does blocking mobile apps make our data secure and private?
What about the laptops, cell phones, servers and other hardware that might be spying via their circuit boards, and that would take ages to detect?
Are you sure there is NO hardware component that is manufactured or assembled in China in the laptop, smart television, smartphones, etc. that you use? It is the illusion of privacy & security until we are fully aware.
The patch management activity is incomplete!
Director & CIO BlueRock Strategic Investments | Independent Director Technocraft Industries | MSME Expert Mentor Investor Sr Partner & CIO Singhania & Co | Ex MD - BSE Investments & Head - Strategy - BSE
4 years ago: Agree, Archie. Whether Chinese or manufactured elsewhere, the users just have to trust the hardware most of the time, as most hardware being used today is not manufactured with cyber security in mind. Any solution for the same?
Cloud Practice Sales Lead - AWS Economy Business
4 years ago: Thanks for sharing; I just re-shared to spread awareness with the wider community in the hope of creating a ‘community of immunity’