During February 2021, Dell engaged NCC Group to conduct a security assessment of their supply chain security functionality and related and supportive foundational security functionality on 14th and 15th generation Dell servers. Documentation and source code was provided as well as access to a running lab server via network access, with access to both the BMC and server host network interfaces. The assessment was carried out by hand selected consultants from NCC Group’s Hardware and Embedded Systems practice who have expertise in areas of secure product manufacturing systems.
SCV is Dell’s solution to provide last-leg assurance of product integrity from order fulfillment at the factory through to end-user delivery. The primary class of threat that SCV is intended to address is known as Supply Chain Interdiction, where a threat actor would intercept a shipment of products and install a malicious implant (such as malware or a backdoor) before forwarding the system to the intended recipient. This is a particularly difficult threat to mitigate since attackers would have prolonged physical access to systems prior to customer deployment. In recent years NCC Group has seen a significant interest in this area from our clients, especially since the now infamous Bloomberg allegations1.
While a full assessment report was provided to Dell along with recommendations, below is a summary version published with Dell’s permission.