The vast majority of the world’s semiconductor companies have glaring security gaps which may have already been exploited by threat actors, according to a new study from BlueVoyant.
The security services firm appraised the security posture of the 17 most prominent players in one of the globe’s most strategically important supply chains. These included companies in Asia, Europe and the US such as “fabless” chip designers, semiconductor software designers, manufacturers of equipment that fabricates semiconductors, foundries, and integrated device manufacturers (IDMs).
BlueVoyant said its data came from “publicly available and proprietary datasets and tools over a 30-day period.”
The report revealed some surprising lapses in security, considering the quality of the IP at stake and the potential impact a successful ransomware attack could have on production.
Nearly all (94%) of the companies studied had open, at-risk ports, while a quarter (24%) had open RDP ports, one of the top vectors for ransomware. A similar number had open authentication ports (24%), and open datastore ports (18%) were also commonplace.
What’s more, 88% of the companies demonstrated evidence of high-severity vulnerabilities that could allow attackers to gain a foothold in systems.
This matters because 100% are already experiencing inbound targeting and 88% are being targeted by IPs associated with ransomware. A further 94% showed evidence of brute-force attacks.
In some cases, the report may be too late to stop breaches: over three-quarters (76%) of chip companies studied presented evidence of outbound traffic to known malicious infrastructure. This indicates that the organizations in question may already have been compromised.
BlueVoyant argued that such attacks are preventable if companies proactively scan for and patch vulnerabilities, close open high-risk ports and monitor internal traffic for signs of compromise.
“Our digital economy hinges on the availability of semiconductors and so does any digital transformation going forward,” the report warned. “While high volumes of targeting are not necessarily a surprising discovery, the widespread lack of adequate protections against such targeting certainly is.”