Supply-chain hacks are an information-security problem we probably had coming. In retrospect, these hacks—which target the mechanisms companies employ to manage and update their software and systems—seem as inevitable as a virus evolving to infect more people.
And as the scope of the SolarWinds supply-chain hack shows, this problem is nearing pandemic proportions.
“These things are happening at a much bigger scale,” said Matt Tait, chief operating officer at the security firm Corellium, in a keynote last Wednesday that opened the Black Hat information-security conference with a concise description of this issue and some suggested bug fixes for it.
Tait, who tweets about information security issues as Pwn All the Things and whose career includes work at Google’s Project Zero vulnerability-research operation and the United Kingdom’s Government Communications Headquarters (GCHQ) intelligence agency, began by noting the business-model problems with traditional attacks that target a particular institution or individual.
Researching and selecting a target, finding a way into the target’s system, and exploiting that initial access to get data or extort money all impose real costs that limit an attacker’s ability to operate at scale.
A successful supply-chain attack flips the script on all of those factors, Tait said.
First, target selection inverts. Once an attacker compromises a software provider, the problem is no longer getting into enough victims but having too many: the attacker must screen out companies or organizations to keep the operation manageable.
“They needed to down sample the intrusion to 100 or so,” Tait said of the SolarWinds attackers, who exploited an IT-management platform used by some 30,000 customers to hit only 100 and change.
The usual next steps after an attacker’s initial entry into a targeted system, “privilege escalation” to increase the reach of malware and “lateral movement” to get it implanted in other systems, also become irrelevant, because software update mechanisms already run at high privilege and reach every machine they serve.
As Tait put it: “The update system will just automatically route my implant, my malware, past all of the cybersecurity defenses the organization might have.”
A variety of fixes
So what to do about supply-chain attacks? “The government is not going to fix this,” Tait warned. “The only way to tackle supply chain intrusions at the scale that is needed is to fix the underlying technology. And this requires platform vendors to step in.”
(In a Black Hat keynote Thursday, Cybersecurity and Infrastructure Security Agency director Jen Easterly emphasized how the government needed industry’s help: “We can’t do this alone, because over 80% of critical infrastructure is in private hands.”)
Tait offered a set of recommendations for different actors in the security ecosystem—all of which ought to make non-supply-chain attacks a little harder as well, and one of which might also complicate everyday computing.
Second, he urged companies running bug-bounty programs to stop requiring researchers to document complete exploits before getting paid for finding vulnerabilities.
By insisting on complete documentation, “you create this perverse incentive for security researchers not to publicize, not to report their vulnerabilities earlier,” Tait said. Not requiring full documentation has a second benefit: “The security researcher doesn’t have fully working chains on their laptop that can get stolen.”
Tait’s more challenging prescriptions applied to desktop and mobile operating system developers.
On the desktop, he would retire the traditional model of a few broad tiers of application privilege, which sets a fairly high floor for what any program can touch, and replace it with far more limited “entitlements” that grant a program permission only to particular pieces of the system.
This would require Windows to become much more like Apple’s macOS, which has already moved far enough in a locked-down direction to draw unflattering comparisons to the security-warning-laden Windows Vista. But the Mac would itself have to operate more like iOS.
Such a transformation, Tait added, would still leave an “irreducible set of highly-permissioned apps” that need extensive access to do such sensitive chores as handling software updates. He urged extensive and regular auditing of those critical programs.
As for mobile platforms, Tait wants Apple and Google to provide ways for security researchers to audit apps on their iOS and Android stores at scale: “We should be able to scan all applications in a given app store.” He called that difficult in Android and essentially impossible in iOS.
Tait did not mention that his employer has tangled with Apple at length over Apple’s allegation that Corellium’s recreation of iOS in a desktop virtual-machine environment infringes on its copyright.
But he did acknowledge early on in the talk that this is a hard problem that requires hard work. As he put it: “All of the easy answers are bad, and the harder answers are really difficult.”