Cybersecurity truisms have long been described in simple terms of trust: Beware email attachments from unfamiliar sources, and don’t hand over credentials to a fraudulent website. But increasingly, sophisticated hackers are undermining that basic sense of trust and raising a paranoia-inducing question: What if the legitimate hardware and software that makes up your network has been compromised at the source?
That insidious and increasingly common form of hacking is known as a “supply chain attack,” a technique in which an adversary slips malicious code or even a malicious component into a trusted piece of software or hardware. By compromising a single supplier, spies or saboteurs can hijack its distribution systems to turn any application they sell, any software update they push out, even the physical equipment they ship to customers, into Trojan horses. With one well-placed intrusion, they can create a springboard to the networks of a supplier’s customers—sometimes numbering hundreds or even thousands of victims.
“Supply chain attacks are scary because they’re really hard to deal with, and because they make it clear you’re trusting a whole ecology,” says Nick Weaver, a security researcher at UC Berkeley’s International Computer Science Institute. “You’re trusting every vendor whose code is on your machine, and you’re trusting every vendor’s vendor.”