Supply-Chain Subversion

DALL-E visualises supply-chains

How well do you know your supply-chains?

It was only a couple of days ago that I was commenting online about supply chain assurance. And now, today, we have a real and dramatic demonstration of what a supply-chain attack can achieve.

Maybe it will encourage some better consideration of supply-chain risks throughout industry. All sorts of risks tend to be assumed too esoteric to worry about – until they become real.

Whilst most of our own supply-chains are unlikely targets for such violent and destructive attacks, it does show how important this area can be.

There have been some other successful supply-chain attacks but they’ve not tended to make the headlines quite so dramatically. In 2008, a significant number of compromised chip & pin payment devices were discovered in Britain, Ireland, the Netherlands, Denmark, and Belgium. These devices stole credit card details including PIN (providing enough information to create a magnetic-strip copy usable in ATM machines around the world, which they were) and incorporated cellular technology to “phone home” the harvested details and pick up updates & fresh instructions. They were initially detected after a member of staff at an all-night petrol station noticed repeated interference to their (analogue!) portable radio, a sound familiar to many of us back then.

This attack was notable because the devices’ security seals and anti-tamper devices were all intact, meaning that the additional ~19g of circuitry had been added inside the factory before the devices were sealed.

This led to the strange sight of teams of technicians descending upon supermarkets late at night once they were shut and accurately measuring the devices. I say measuring… initially weighing them, but before long this was not enough as the tampering became more sophisticated and equivalent weight was removed to compensate. At this point, spinning the devices in different axes became necessary; the weight was the same, but the angular momentum measurements would reveal a different weight distribution in 3D within the devices.

That 19g is interesting because the initial estimate of the explosive load within the exploding pagers is between 10g & 20g HEX. The thing about pagers is that you don’t want to make them ever smaller or they get lost. So I suspect modern ones have plenty of space inside.

What does all this mean for our own supply-chains? Well, as ever, it comes down to assessing the risk and then managing the risk. Be realistic about who might threaten your supply-chain and how. We’re not all likely to be targeted by Mossad, but consider who might target you and why. Remember that you may just be collateral damage in someone else’s supply-chain, of course.
