A Measured Response to a Grain of Rice

Conference: BlackHat EU 2018

2018-12-05

Summary

The presentation discusses the complexity and risks associated with hardware attacks and the need for a measured response to them. The speaker provides real examples of hardware implants and how to classify them in terms of complexity and risk to make rational decisions on responding to hardware threats.
  • Hardware has become smaller, faster, cheaper, and more complicated, leading to increased attack surfaces and a more difficult detection problem
  • Hardware attacks are often sensationalized in the media, making it difficult for laypeople and software security experts to understand the details
  • Real examples of hardware implants are provided to understand the scenarios where hardware implants make sense
  • Recent cases of claimed hardware implants are examined to classify them in terms of complexity and risk
  • Rational decisions can be made on where hardware threats fit in a threat model based on these examples
  • A story about a grain-of-rice-sized device allegedly interfering with how software runs is used to illustrate the potential risks of hardware implants

The speaker discusses a news article about a tiny chip, the size of a grain of rice, that allegedly interfered with how software runs. The chip was said to have been implanted across the entire supply chain, and some 30 vendor companies allegedly had found it or were on the list to receive the malicious implant. The article provides limited technical details, but what it describes, injecting malicious code or manipulating existing code, would be a big deal if true.

Abstract

Over time, our hardware has become smaller, faster, cheaper - and also incredibly more complicated. Just like with software, this complexity brings with it both increased attack surfaces and a more difficult detection problem. Unfortunately, right now, when it comes to hardware attacks, the discourse is focused on sensationalism. We've got reports of devices few people have heard of, doing things few people realize are possible, perhaps happening on a scale fewer people understand. When it comes to hardware details, they're incomprehensible to laypeople, as well as to most software security experts. I'll start with a background on real examples of what we'd call 'hardware implants' to set the context and understand the scenarios where hardware implants make sense. We'll examine a few recent cases of claimed hardware implants to understand how we can classify them in terms of complexity and risk. With that information, we can then make rational decisions on where these and other hardware threats fit in your threat model. With these examples in hand, you will better understand when it makes sense to respond to hardware threats, as well as how to prioritize your response to best reduce your overall risk.