Prerequisites
The adversary will need either physical access or the ability to supply malicious hardware components to the product development facility.
Skills Required
Resources to maliciously construct components used by the manufacturer.
Resources to physically infiltrate manufacturer or manufacturer's supplier.
Mitigations
Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or may remain dormant for an extended period of time.
Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.
References
REF-439
Supply Chain Attack Framework and Attack Patterns
John F. Miller.
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
REF-712
Guarding against supply chain attacks—Part 2: Hardware risks
Cristin Goodwin, Joram Borenstein.
https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/
REF-713
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
Jordan Robertson, Michael Riley.
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
Submission
Name | Organization | Date | Publication Date |
CAPEC Content Team | The MITRE Corporation | 2014-06-23 +00:00 | |
Modifications
Name | Organization | Date | Comment |
CAPEC Content Team | The MITRE Corporation | 2015-11-09 +00:00 | Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit |
CAPEC Content Team | The MITRE Corporation | 2019-09-30 +00:00 | Updated Related_Attack_Patterns |
CAPEC Content Team | The MITRE Corporation | 2021-06-24 +00:00 | Updated Related_Attack_Patterns |
CAPEC Content Team | The MITRE Corporation | 2022-02-22 +00:00 | Updated Description, Example_Instances, Mitigations, Prerequisites, References |
CAPEC Content Team | The MITRE Corporation | 2022-09-29 +00:00 | Updated Related_Attack_Patterns, Taxonomy_Mappings |