CAPEC-520: Counterfeit Hardware Component Inserted During Product Assembly
An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.
Last updated
Overview
CAPEC-520 (Counterfeit Hardware Component Inserted During Product Assembly) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The adversary will need either physical access or be able to supply malicious hardware components to the product development facility.
Skills required
- High skill: Resources to maliciously construct components used by the manufacturer.
- High skill: Resources to physically infiltrate manufacturer or manufacturer's supplier.
How to mitigate it
Defenses that reduce the risk of CAPEC-520.
- Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.
- Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.
Examples
A manufacturer of a firewall system requires a hardware card which functions as a multi-jack ethernet card with four ethernet ports. The adversary constructs a counterfeit card that functions normally except that packets from the adversary's network are allowed to bypass firewall processing completely. Once deployed at a victim location, this allows the adversary to bypass the firewall unrestricted.
In 2018 it was discovered that Chinese spies infiltrated several U.S. government agencies and corporations as far back as 2015 by including a malicious microchip within the motherboard of servers sold by Elemental Technologies to the victims. Although these servers were assembled via a U.S. based company, the motherboards used within the servers were manufactured and maliciously altered via a Chinese subcontractor. Elemental Technologies then sold these malicious servers to various U.S. government agencies, such as the DoD and CIA, and corporations like Amazon and Apple. The malicious microchip provided adversaries with a backdoor into the system, which further allowed them to access any network that contained the exploited systems, to exfiltrate data to be sent to the Chinese government.[REF-713]
Terminology & mappings
Mapped taxonomies
- ATTACK: Supply Chain Compromise: Compromise Hardware Supply Chain (1195.003)
Frequently asked questions
Common questions about CAPEC-520.
- What is CAPEC-520?
- An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.
- How do you prevent CAPEC-520?
- Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.
- How severe is CAPEC-520?
- MITRE rates CAPEC-520 as High severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-520
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.