CAPEC-520

Counterfeit Hardware Component Inserted During Product Assembly
Low
High
Draft
2014-06-23
00h00 +00:00
2022-09-29
00h00 +00:00
CAPEC Mitre.org
Alerte pour un CAPEC
Stay informed of any changes for a specific CAPEC.
Notifications manage

Descriptions CAPEC

An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.

Informations CAPEC

Prerequisites

The adversary will need either physical access or be able to supply malicious hardware components to the product development facility.

Skills Required

Resources to maliciously construct components used by the manufacturer.
Resources to physically infiltrate manufacturer or manufacturer's supplier.

Mitigations

Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.
Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.

References

REF-439

Supply Chain Attack Framework and Attack Patterns
John F. Miller.
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf

REF-712

Guarding against supply chain attacks—Part 2: Hardware risks
Cristin Goodwin, Joram Borenstein.
https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/

REF-713

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
Jordan Robertson, Michael Riley.
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Submission

Name Organization Date Date release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2015-11-09 +00:00 Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Example_Instances, Mitigations, Prerequisites, References
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Related_Attack_Patterns, Taxonomy_Mappings
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.