TSMC's iPhone chip attack is a wake up call for enterprise security

Credit to Author: Jonny Evans | Date: Mon, 06 Aug 2018 05:21:00 -0700

Apple chipmaker TSMC suffered a serious WannaCry-related ransomware infection that closed down production at some of its factories. The incident should be a wake-up call for manufacturers across every industry.

TSMC has said the incident was not the result of a direct attack. Instead, it says its systems were exposed to the malware “when a supplier installed tainted software without a virus scan.”

The malware spread fast and impacted some of the company’s most advanced facilities used to build Apple’s A-series chips.

The TSMC attack (which seems likely to have impacted iPhone production) took place at a critical time for its biggest customer, with new chips designed to power the next-generation iPhones likely at peak production as Apple preps for the fall iPhone refresh.

TSMC has taken steps to minimize the damage. “We are surprised and shocked,” CEO C.C. Wei said. “We have installed tens of thousands of tools before, and this is the first time this happened.”

It was only a matter of time. Manufacturers across every supply chain must take strong steps today to protect themselves. They must accept that they are already being attacked – and be prepared to mitigate any that make it through.

Stephen Phipson, Chief Executive of the Manufacturers’ Organization warns that, “Manufacturers urgently need to take steps to protect themselves against the burgeoning threat.”

To understand the scale of risk, the latest report from IBM X-Force warns that 18 percent of all cyberattacks are aimed at manufacturing. IBM’s researchers point out that the true scale of such attacks may exceed published data, saying:

“The manufacturing sector is not subject to the same obligations to report breaches as industries such as financial services, healthcare and retail. Nevertheless, there were some incidents in which customers were affected that did see public reporting.”

A wave of ransomware attacks – including the original WannaCry ransomware (a variant of which impacted TSMC), NotPetya, and Bad Rabbit – hit the sector in 2017. It’s not clear how much damage was done. We’ve seen whole cities (including Atlanta) impacted by similar attacks against infrastructure.

Production isn’t just hardware – we’ve also seen at least one example in which attempts to subvert device security have been made by attempting to undermine the software development environment.

XcodeGhost was a version of Apple’s Xcode development environment distributed through non-traditional channels that inserted malware into apps built using the kit. Apple stopped this fast, but apps made using XcodeGhost were briefly distributed through the App Store.

We’ve also seen plenty of incidents in which production facilities have been targeted. Stuxnet may have been the first but is unlikely to be the last. Only last year Check Point revealed that dozens of shipping Android smartphones contained malware that had been installed during manufacturing.

The evolution of connected manufacturing creates a huge number of potential attack vectors – and these vulnerabilities have huge value.

A hacker getting into your computer to steal personal data is bad enough, but criminals successfully attacking manufacturing, healthcare, transportation or energy logistics can hold entire nations, or at least, corporations, to ransom.

As we enter a state of hybrid warfare, there should be little doubt among C-suite executives, consumers or security professionals that attacks against key manufacturing infrastructure will intensify. The apps used to control connected industrial equipment must also be thoroughly secured.

The TSMC case is a clear illustration of the need for enterprise security chiefs to ensure strict adherence to the security protocols in place across their company.

It also shows that even where such adherence is kept, manufacturers must attend to the security practice of all their partners – including equipment suppliers.

The famed Target attack, in which credit card details belonging to millions of customers were seized, was enabled by a security weakness in the company’s connected HVAC systems. This is why a recent Trend Micro report is so concerning. It found that many industrial robots in use across Industry 4.0 run outdated software, use vulnerable operating systems and/or possess poor password protection.

In the case of TSMC, it seems clear the company acted swiftly to protect its systems and reject the attack. The company has also done precisely the right thing in disclosing the attack — situational awareness demands everyone shares what they know as attacks occur.

While the company denies the incident was the result of a hack, its timing – as A-series processor production peaks – causes one to wonder just how the partner company was itself attacked. Was this the result of a deliberately engineered series of sophisticated (phishing?) attacks in which multiple attack vectors were used in an attempt to insert malware into the Apple supply chain?

I think it highly probable that Apple, TSMC and the hapless supplier will be strenuously exploring that possibility. We can expect much more of this as connected industry opens the doors for large-scale, complex and highly profitable attacks.

It is also why every enterprise must double down to ensure internal and external employees are clued-up on the scale, potential consequences and best practices for the prevention of such attacks, as noted last week.
