1 week Ago
Forget sophisticated and elaborate chip implants. At Black Hat Asia 2025, hardware hacker Bunnie Huang presented a starkly different view of the hardware supply chain threat landscape: one dominated by opportunistic, economically driven actors exploiting manufacturing defects for profit. Huang argued that this seemingly low-tech, constant exploitation creates a vast pool of skilled individuals capable of far more damaging attacks.
His presentation centred around the idea of “following the money” and highlighted how the immediate profitability of hardware exploits, especially through , makes them far more attractive than complex, time-consuming . “The majority of threat actors..
.are too busy making money on much simpler attacks,” he explained. Huang detailed the surprisingly simple process: identify a common manufacturing defect, learn how to trigger the associated error code, assemble a device from readily available scrap parts to replicate the error, and then exchange it for a new device.
Consider the 2016 , which disabled Touch ID fingerprint authentication after a system restore. Huang said the issue can be easily replicated by opportunistic actors who could send the affected devices to Apple for repair. “Payday is only on the order of $1,000,” Huang said, adding that the person doing the tinkering is often not the person sending the device for repair, so there’s some fencing involved.
The scale of this problem is immense. Huang cited reports indicating Apple lost billions to warranty fraud that year. “Of course, Apple doesn’t publish clear financial numbers on this, but we can see the signals in terms of what they had budgeted and what the things came back as,” he said.
Even today, a single warranty fraud scheme can net $10m, Huang claimed, comparable to some . Huang offered a glimpse into the thriving ecosystem supporting this activity, pointing to the bustling repair markets in Shenzhen, China. “Everyone knows it – it’s no secret,” he said, describing a district filled with shops overflowing with spare parts harvested from discarded electronics.
He pointed to the Chinese mindset of not putting anything to waste – the original “hackerism” of extracting maximum value from everything. “They’ve taken e-waste and turned it into a gold mine for themselves,” he said. This constant tinkering, repairing and repurposing, Huang argued, builds a deep understanding of hardware vulnerabilities.
“Literally, this is their job,” he said, referring to how repair technicians are perfectly positioned to identify and exploit manufacturing defects. He cited examples like forged microSD cards and relabelled field-programmable gate arrays (FPGA) chips, illustrating how easily counterfeit or substandard components can infiltrate the supply chain. “Hardware threats are dynamic and local,” Huang warned, noting that the sporadic nature of these exploits and the nature of the actors involved makes detection extremely difficult.
“I have to check 100% of the chips in every single lot, all the time, to try to catch these exploits.” But Huang’s presentation wasn’t just focused on the problem. He also offered potential solutions, showcasing his research on infrared in situ inspection of silicon (Iris), a non-destructive method for inspecting chips after assembly using infrared light.
“A very big part of me doing this is to open source it and make sure everyone knows that when these threats come along, we have counter-measures,” he said. “With a $400 DIY home setup, you could catch lower-level threats if you have the original source design to compare against.” The more alarming aspect of Huang’s presentation, however, was the potential for this low-level activity to evolve into something far more nefarious.
He outlined a tiered framework for chip-level attacks, from simple relabelling to near-undetectable modifications to . “What happens when supply chain attackers start to go for the chips?” he asked. Huang posited that improved warranty fraud countermeasures, macroeconomic shifts, or even (APTs) could trigger this escalation and warned of state actors co-opting this existing talent pool.
“Never underestimate the power of a USB drive slipped into the hands of the right actor by someone.”.
