Well, depends on how the Q&A process is in the pipeline after the design.
What I thought of is maybe it might be feasible to sneak in some circuits that reroute e.g. a network port's traffic to a specific public IP/CnC. Depending on how complex the PCB layout is, it could be feasible to encode or modify the modulation of easy network busses (aside from Ethernet).
But I guess that would involve deployment of malicious firmware or availability of a specific "malicious" chipset, too, because Ethernet is quite complex in the sense that there are too many physical parts necessary to implement it in hardware form.
I was just thinking about the Q&A pipelines in the industrial process. Usually they never validate anything because of proprietary/protected intellectual property contracts, so suppliers down the line always claim it's according to specifications and that is blindly trusted by the manufacturers.
Identifying something like this is much harder in the organizational sense, because it involves a lot of time for verification down the line, and involves a lot of organizational blamestorm before anything really happens to fix it.