Supply chain attacks are attacks on the software (and hardware) that goes into the software (and hardware) that you buy. We keep seeing attacks that compromise that underlying software. Earlier this year, it was Ripple20 that affected millions of IoT devices. Many of those devices will likely never be patched and will be vulnerable forever. In part, that is because the software that the Ripple20 affected software is integrated into is no longer supported.
This week it is a series of Thales products that were discovered to be buggy. The bugs were found by IBM’s X-Force security team and disclosed to Thales. While Thales has released patches to these bugs, now begins the long hard slog to get vendors who used the Thales software and hardware to release patches. The bugs were actually discovered a year ago. Of course no one knows if or when these bugs were discovered by hackers.
The hardware involved is a series of small computer circuit boards that are integrated into many IoT devices to support communications functions.
In this case, the boards store sensitive information like passwords and encryption keys.
Concerns include the possibility that these devices are used inside of medical equipment and if hacked, could possibly kill patients.
Another potential attack is against connected devices that manage the electric grid. Attackers could accidentally or intentionally take the electric grid down.
Its even possible that hackers could compromise VPN concentrators, stealing encryption keys, certificates and other confidential information.
These are just two examples of supply chain problems.
What needs to happen now is for buyers to understand these issues and demand that vendors have a strong supply chain security program. Part of this is to create and provide buyers with software Bills of Materials.
In this case, the healthcare industry is concerned that connected medical devices, many of which are old and no longer supported, may be affected. In the case of healthcare devices, they also have the challenge of getting FDA approval to patch the devices.
While this article focuses on medical devices, the problem runs across all industries and all electronic devices.
Until buyers start demanding that sellers fix these problems it is unlikely to get any better. Credit: Health IT Security