Protecting Against Physical Chip Implant Attacks from the Supply Chain

Potentially the best way to gain completely undetectable persistence PC access for years is with a chip implant. Mitre Att&ck refers to this as Hardware Additions ( Mitre Att&ck T1200). The only way to guarantee there are no chip implants is via regular physical visual inspection and comparison of a PC motherboard, components, and wires to manufacturers’ verified design drawings. Multiple solutions have been released to demonstrate the implant possibility and risk including PicoDMA.

The most famous case is the much refuted and debated Super Micro supply chain chip implant case. Whether reality or not, the possibility is enough to make it a serious concern.

PC manufacturers have enabled chassis intrusion detection switches on the PC chassis, however it is rarely enabled and used. Furthermore it is not available on all PC models (for example, two of the largest PC OEMs have chassis intrusion detection on desktops but not laptops.)

For an adversary to implant a chip, all it would take would be bribing (and there are many documented bribery cases) an IT admin, consultant, contractor with after-hours access to your facility, employee, etc. to gain access to a PC and implant a chip on any one of the PCs or servers in your environment. And of course there is the risk of malicious insiders and disgruntled employees.

This area of concern also includes components being swapped out for ones with malicious code or direct physical reflashing of a component firmware with additional malicious firmware code, not just chip implants.