New to CAPEC? Start Here
Home > CAPEC List > CAPEC-522: Malicious Hardware Component Replacement (Version 3.7)  

CAPEC-522: Malicious Hardware Component Replacement

Attack Pattern ID: 522
Abstraction: Standard
Status: Draft
Presentation Filter:
+ Description
An adversary replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.439Manipulation During Distribution
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Determine Target Hardware: The adversary must first identify a system that they wish to target, and a specific hardware component that they can swap out with a malicious replacement.

    Techniques
    Look for datasheets containing the system schematics that can help identify possible target hardware.
    Procure a system and inspect it manually, looking for possible hardware component targets. Search for manufacturer IDs on hardware chips or FCC IDs on wireless chips to determine their functionality.
  2. Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.

    Techniques
    Procure a system and observe the steps it takes in the shipment process.
    Identify possible warehouses that systems are stored after manufacturing.
Experiment
  1. Test a Malicious Component Replacement: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.

    Techniques
    Design a malicious hardware component that will perform the same functionality as the target component, but also contains additional functionality.
    Obtain already designed malicious components that just need to be placed into the system.
Exploit
  1. Substitute Components in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary substitutes the malicious component for the targeted component. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.

+ Prerequisites
Physical access to the system after it has left the manufacturer but before it is deployed at the victim location.
+ Skills Required
[Level: High]
Advanced knowledge of the design of the system.
[Level: High]
Hardware creation and manufacture of replacement components.
+ Mitigations
Ensure that all contractors and sub-suppliers use trusted means of shipping (e.g., bonded/cleared/vetted and insured couriers) to ensure that components, once purchased, are not subject to compromise during their delivery.
Prevent or detect tampering with critical hardware or firmware components while in transit through use of state-of-the-art anti-tamper devices.
Use tamper-resistant and tamper-evident packaging when shipping critical components (e.g., plastic coating for circuit boards, tamper tape, paint, sensors, and/or seals for cases and containers) and inspect received system components for evidence of tampering.
+ Example Instances
During shipment the adversary is able to intercept a system that has been purchased by the victim, and replaces a math processor card that functions just like the original, but contains advanced malicious capability. Once deployed, the system functions as normal, but allows for the adversary to remotely communicate with the system and use it as a conduit for additional compromise within the victim's environment.
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-712] Cristin Goodwin and Joram Borenstein. "Guarding against supply chain attacks—Part 2: Hardware risks". Microsoft. 2020-02-03. <https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/>. URL validated: 2022-02-17.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09CAPEC Content TeamThe MITRE Corporation
Updated Typical_Likelihood_of_Exploit
2021-10-21CAPEC Content TeamThe MITRE Corporation
Updated Mitigations
2022-02-22CAPEC Content TeamThe MITRE Corporation
Updated Description, Example_Instances, Execution_Flow, References
More information is available — Please select a different filter.
Page Last Updated or Reviewed: October 21, 2021