Hackers spent 2+ years looting secrets of chipmaker NXP before being detected


torp

Ars Tribunus Militum
2,298
Subscriptor
Who exactly said:

“The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, source code, etc.,” Cycraft researchers wrote. “If such documents are successfully stolen, the impact can be devastating.”?
The SDKs that can be downloaded by anyone who works with NXP chips by any chance? :)

If they had enough access to insert hardware backdoors in the designs that's one thing. If they downloaded the docs...

Source code? I don't want to see the source code for the NXP pin config tool even if they gave it to me. This is not a software company. Or they mean the kernel source code that's visible to anyone on github?
 
Upvote
39 (43 / -4)

Blind Badger

Ars Praetorian
468
Subscriptor
The Dutch newspaper is called NRC, not NCR.
A long time ago the name was Nieuwe Rotterdamsche Courant. Later it was called NRC Handelsblad after a merger.
I was wondering why I had never heard of NCR.

And calling it a news-outlet isn't technically wrong, but 'national newspaper' would have given readers a better idea of who they are.
 
Upvote
28 (28 / 0)

Martin Blank

Ars Tribunus Militum
2,308
Subscriptor++
Who exactly said:

“The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, source code, etc.,” Cycraft researchers wrote. “If such documents are successfully stolen, the impact can be devastating.”?
The link to the report containing that line is immediately above the paragraph. The quote appears toward the end of the first page of the Introduction section. The report does not include the actual author name(s), attributing it only to "Cycraft Research Team." This is common in the industry.
Remove the entire board and c suite, and claw back everything they have made, then sue them into poverty.
Detecting nation-state adversaries is difficult, even among the best defenders. You're up against people who have effectively unlimited resources, know about vulnerabilities often years before they're discovered by more open researchers, have anywhere from dozens to hundreds of highly-skilled developers to work around defenses, and can set up extensive labs to test ideas and ensure they won't get caught by any of the available detection engines.
 
Upvote
35 (35 / 0)

DistinctivelyCanuck

Ars Scholae Palatinae
1,476
Subscriptor
There are times when I really really wish that Tom Clancy and other spy fiction had little bits of reality, in which the wretched scum who do stuff like this would end up with a 9MM migraine...

(Note: I'm an ex-Nortel employee, a company that was massively damaged by Chinese gov't funded and targeted espionage. One can trace vast amounts of Huawei's growth directly to theft from Nortel.)
 
Upvote
57 (65 / -8)

jhodge

Ars Tribunus Angusticlavius
7,398
Subscriptor++
Remove the entire board and c suite, and claw back everything they have made, then sue them into poverty.
I'm going to presume this was a joke, but just in case not, let me lay it out in very short sentences:

Punishing people for security breaches is counterproductive.
All it does is encourage hiding them.
You should reward reporting at every level.

If an investigation turns up evidence of actual malfeasance or negligence, then punishing the guilty is fine. Otherwise, recognize that defense is hard, shit happens, and no company can be expected to withstand a targeted attack from a state-sponsored actor. In the physical world, that's what we have militaries for.
 
Upvote
63 (67 / -4)

mghmgh

Wise, Aged Ars Veteran
141
Subscriptor
What would be interesting to know is whether or not they reported this breach to authorities. GDPR requires it, I'm fairly certain, and the upcoming NIS2 directive absolutely does.
This kind of breach is not necessarily reported to authorities under GDPR, because you only report security incidents where there is an impact on data subjects (personal data is affected).

One situation where they have to report this is if the hackers accessed their employees' personal data.

Another situation is if they act as a processor for some of their clients, and the personal data of their clients' clients was exposed. But in this case they would report to the controller.
 
Upvote
24 (24 / 0)

Synsynack

Seniorius Lurkius
23
This kind of breach is not necessarily reported to authorities under GDPR, because you only report security incidents where there is an impact on data subjects (personal data is affected).

One situation where they have to report this is if the hackers accessed their employees' personal data.

Another situation is if they act as a processor for some of their clients, and the personal data of their clients' clients was exposed. But in this case they would report to the controller.
The article says that they had access to email accounts. You can get a lot of PII from that (eg: phone numbers or IM accounts in signatures), and a lot more if you have access to the contact list. I wonder if that would qualify as "impact on data subjects" or not, genuinely curious.
 
Upvote
16 (17 / -1)

Average Liberal Slatie

Wise, Aged Ars Veteran
168
Subscriptor
no company can be expected to withstand a targeted attack from a state-sponsored actor.
I can absolutely expect and demand military contractors dealing with national security matters to be able to withstand such attacks. Then again, those types of companies should be getting assistance from their home government to resist those attacks.

IOW, I would be shocked if say, the security of Lockheed Martin's infra that is related to the F35 program isn't helped being overseen by the US DOD.
 
Upvote
2 (6 / -4)

bdrram03

Wise, Aged Ars Veteran
111
Subscriptor++
The article says that they had access to email accounts. You can get a lot of PII from that (eg: phone numbers or IM accounts in signatures), and a lot more if you have access to the contact list. I wonder if that would qualify as "impact on data subjects" or not, genuinely curious.
In my experience working these kinds of incidents, internal/external counsel will usually conclude that, unless it can be identified through logs or analysis of exfiltrated data specifically who and what data was accessed, it's impossible to quantify, and they will say that there was no identified access to PII.

The same thing with:
“is very dated as it was addressed back in 2019. As stated in our 2019 Annual Report, we became aware of a compromise of certain IT systems, and after a thorough investigation we determined that this incident did not result in a material adverse effect on our business...."

I've been seeing more companies use a standardized consideration template to determine materiality, specifically to address the new SEC rules. Unless it's an extreme event (like ransomware shutting down production/sales), it's probably not going to fall under what they consider material, and they can point to that document as justification for making that determination when choosing not to report.

This is just what I have observed in the last couple of years; I'm not a lawyer or an expert on these topics by any means.
 
Upvote
15 (15 / 0)

mghmgh

Wise, Aged Ars Veteran
141
Subscriptor
The article says that they had access to email accounts. You can get a lot of PII from that (eg: phone numbers or IM accounts in signatures), and a lot more if you have access to the contact list. I wonder if that would qualify as "impact on data subjects" or not, genuinely curious.
Article 29 WP says that "This risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached". So there has to be some direct impact.

Yes, going through emails could result in having access to PII, but if the PII is already public - e.g. phone numbers in signatures - then this is not considered a risk.

If, however, they did access personnel files, then this is likely a case when the supervising authority should be notified.

For more detailed information, here is the link to the Article 29 guidelines:
 
Upvote
11 (11 / 0)
The SDKs that can be downloaded by anyone who works with NXP chips by any chance? :)

If they had enough access to insert hardware backdoors in the designs that's one thing. If they downloaded the docs...

Source code? I don't want to see the source code for the NXP pin config tool even if they gave it to me. This is not a software company. Or they mean the kernel source code that's visible to anyone on github?
Sorry, no.

I do some work with NXP, and in my admittedly narrow experience, good portions of their SDKs (and APIs) are protected by NDAs and are well protected, at least from normal users.

NXP does make software to use their products that could be reverse engineered with some effort, and I would bet big dollars none of it is available on github, certainly nothing sensitive.
 
Upvote
25 (25 / 0)

Rombobjörn

Ars Scholae Palatinae
766
Whether the defenders at NXP are incompetent or the attackers at Chimera are very competent, it's clear that the attackers were much better at gaining access and hiding than the defenders were at detecting attacks, if NXP didn't notice anything for over two years and had to be told by a third party that they were compromised.

And yet NXP confidently claim to know exactly what the attackers accessed during more than two years, and that they never gained access to anything important. How reassuring.

Or do they mean that the compromise "did not result in a material adverse effect on [NXP's] business" because their customers are forced to continue buying from NXP no matter how compromised they are?
 
Upvote
18 (19 / -1)

adespoton

Ars Tribunus Angusticlavius
8,083
There are times when I really really wish that Tom Clancy and other spy fiction had little bits of reality, in which the wretched scum who do stuff like this would end up with a 9MM migraine...

(Note: I'm an ex-Nortel employee, a company that was massively damaged by Chinese gov't funded and targeted espionage. One can trace vast amounts of Huawei's growth directly to theft from Nortel.)
My first thought with this was: how does this timeline track with Huawei's latest bump in capacity?

https://www.androidauthority.com/huawei-vs-united-states-990007/ -- seems to track almost perfectly.
 
Upvote
11 (14 / -3)

Baenwort

Ars Tribunus Militum
2,331
Subscriptor++
I was wondering why I had never heard of NCR.

And calling it a news-outlet isn't technically wrong, but 'national newspaper' would have given readers a better idea of who they are.
It would have helped me if they had kept the full name, NRC Handelsblad, when they talked about it, as only the initials confused me: there are many other three-letter initial users of NRC.
 
Upvote
4 (5 / -1)

Cat_Herder

Smack-Fu Master, in training
11
As stated in our 2019 Annual Report, we became aware of a compromise of certain IT systems, and after a thorough investigation we determined that this incident did not result in a material adverse effect on our business.

Couldn't help but notice how NXP keeps deflecting the issue. We aren't talking about the effect on your business; we're talking about security compromises in the products that used your chips.
 
Upvote
11 (11 / 0)

Blind Badger

Ars Praetorian
468
Subscriptor
It would have helped me if they had kept the full name, NRC Handelsblad, when they talked about it, as only the initials confused me: there are many other three-letter initial users of NRC.
Blame the newspaper for that, they officially rebranded by dropping the 'Handelsblad', I think around the same time that they stopped being an evening newspaper. Sic transit gloria mundi.

Mind you, I also lament the Manchester Guardian moving their headquarters to London.
 
Upvote
11 (11 / 0)

McTurkey

Ars Scholae Palatinae
1,178
[A]fter a thorough investigation we determined that this incident did not result in a material adverse effect on our business.

It can't affect your business if nobody knows about it. But that wasn't really the point of the hack, now was it? The purpose of hacking NXP was never about damaging NXP as a company, but about obtaining information that would be useful in engineering hacks on third parties. Thus, the damage to your business only occurs if and when such hacks are traced back to your failure to notify your partners in a timely fashion.

This is really quite an egregious example of corporate double-speak. And yet:

Some security researchers said it was surprising that NXP officials didn’t inform customers of the two-year intrusion by threat actors, often abbreviated as TAs.

Why? What is it that makes the lack of disclosure surprising? There were no laws requiring timely or complete disclosure at the time (still aren't, as far as I'm aware). So long as they were careful to run their statements through legal to confirm they didn't actually lie, there was no upside to telling the whole truth, especially when the breach was going on for long enough to make their raison d'être seem almost irredeemably suspect.
 
Upvote
5 (6 / -1)

Martin Blank

Ars Tribunus Militum
2,308
Subscriptor++
Why? What is it that makes the lack of disclosure surprising? There were no laws requiring timely or complete disclosure at the time (still aren't, as far as I'm aware). So long as they were careful to run their statements through legal to confirm they didn't actually lie, there was no upside to telling the whole truth, especially when the breach was going on for long enough to make their raison d'être seem almost irredeemably suspect.
Disclosure laws are changing. I can't speak for the Netherlands or EU, but the SEC finalized a rule in September that will require publicly traded companies to file disclosures with the SEC within four days of incidents that have a "material" impact, meaning that many will be reported while they're cleaning up. This applies as of 15 Dec 2023 for most large businesses and as of 15 Jan 2024 for the rest. They will also have to make annual filings describing their cybersecurity strategy, a summary of all incidents handled during the prior fiscal year, and the amount of cybersecurity expertise (if any) within the board of directors. The materiality definition is still vague, but the SEC has been taking a rather negative view of playing with those rules of late, and companies have taken note.

Similar rules will also apply to foreign private issuers, which is a complicated topic, but loosely defined is a mostly foreign-owned company that issues some shares in the US. I don't know if NXP is an FPI.
 
Upvote
5 (5 / 0)
Source code? I don't want to see the source code for the NXP pin config tool even if they gave it to me. This is not a software company. Or they mean the kernel source code that's visible to anyone on github?
It's the 21st century, and companies designing multi-billion-transistor chips use code, rather than the old kit of discrete logic gates, superglue, and tiny tweezers. TMYK.
 
Upvote
3 (3 / 0)

Chuckstar

Ars Legatus Legionis
27,456
Subscriptor++
I can absolutely expect and demand military contractors dealing with national security matters to be able to withstand such attacks. Then again, those types of companies should be getting assistance from their home government to resist those attacks.

IOW, I would be shocked if say, the security of Lockheed Martin's infra that is related to the F35 program isn't helped being overseen by the US DOD.
China has pretty much all the plans for both the F-22 and F-35. If Lockheed can’t keep their systems secure, why would we expect anyone else can. (Not that Lockheed is necessarily such a great company, but then again, what company is?)
 
Upvote
7 (7 / 0)

dave562

Ars Scholae Palatinae
1,354
There are times when I really really wish that Tom Clancy and other spy fiction had little bits of reality, in which the wretched scum who do stuff like this would end up with a 9MM migraine...

(Note: I'm an ex-Nortel employee, a company that was massively damaged by Chinese gov't funded and targeted espionage. One can trace vast amounts of Huawei's growth directly to theft from Nortel.)
Did you watch Shawn Ryan's interview with YTCracker?

Towards the end of the interview he mentioned that he is not aware of any organizations in the United States that fund offensive hacking operations against foreign entities.

I literally thought, "Unfortunately that kind of stuff only happens in Tom Clancy books."
 
Upvote
2 (2 / 0)

dave562

Ars Scholae Palatinae
1,354
I can absolutely expect and demand military contractors dealing with national security matters to be able to withstand such attacks. Then again, those types of companies should be getting assistance from their home government to resist those attacks.

IOW, I would be shocked if say, the security of Lockheed Martin's infra that is related to the F35 program isn't helped being overseen by the US DOD.
The last company I worked for was responsible for doing supply chain analysis on the F-35. It's not being overseen by the DOD. This is America. They subcontract that out.
 
Upvote
9 (9 / 0)