Can You Trust Chinese Computer Equipment?

Ian Lamont writes "Suspicions about China slipping eavesdropping technology into computer exports have been around for years. But the recent spying attacks, attributed to China, on Google and other Internet companies have revived the hardware spying concerns. An IT World blogger suggests the gear can't be trusted, noting that it wouldn't be hard to add security holes to the firmware of Chinese-made USB memory sticks, computers, hard drives, and cameras. He also implies that running automatic checks for data of interest in the compromised gear would not be difficult." The blog post mentions Ken Thompson's admission in 1983 that he had put a backdoor into the Unix C compiler; he laid out the details in the 1983 Turing Award lecture, Reflections On Trusting Trust: "The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."

Re:Another reason

[Spazztastic]

This is just another reason for me to not want to buy Chinese made goods. Unfortunately, so much is made in China that it is nearly impossible to completely avoid the country.

Some component of your car, cell phone, computer, etc. is going to be made in China. I have a feeling eventually they will catch on that people aren't buying Chinese made stuff and will just put stamps on it from their more friendly neighboring countries.

Bad Headline

[lyinhart]

Considering where a lot of this stuff comes from, it should probably read, "Can You Trust Computer Equipment?"

Re:Another reason

[TubeSteak]

I have a feeling eventually they will catch on that people aren't buying Chinese made stuff and will just put stamps on it from their more friendly neighboring countries.

It's not as simple as "put stamps on it from their more friendly neighboring countries" when those neighboring countries do not have the high-tech industrial base to produce the hardware in question.

On a strategic level, the USA really screwed the pooch by chasing the lowest bidder and not building up our domestic capacity to produce these items. And for you small gov't types, this is an example of free market principles colliding with what is effectively a national security issue.

put a backdoor into the Unix C compiler ?

The referenced to article doesn't actually state he included a back door. It was a proof of concept demo apparently: Suppose we wish to alter the C compiler

"one the creators of Unix, admitted that he had included a backdoor in early Unix versions. Thompson's backdoor gave him access to every Unix system then in existence"

It really depends on who "you" are...

[fuzzyfuzzyfungus]

In a general sense, you really can't trust any computer equipment that you didn't build yourself, pretty much from the ground up(as the issues with compilers and microcode suggest). I'm pretty sure that using somebody else's sand to make your silicon is safe; but that's about it.

Computer gear hasn't quite reached biological levels of complexity, where trust is even harder(one malformed Prion in a batch of millions can end up eating holes in your brain); but, from the perspective of a user who isn't a tech god, it might as well have.

That being so, the question of whether you can trust Chinese computer equipment is basically a political one. China's general enthusiasm for industrial espionage is well known, so if you have data on interesting technology or military stuff, the answer is almost certainly "no". If you are basically just Joe Consumer, though, your data are just noise obscuring what Chinese intelligence really wants. You would do better to be worried about the botnet your PC is part of, Google, ChoicePoint, Equifax, the NSA, and whoever is taking advantage of CALEA at that particular moment. The world of technology is a ghastly morass of potential backdoors, quite a few of them not even hidden, that most of us are constantly vulnerable to, and, in a great many cases, actively being monitored through.

Bugged Chinese chips are definitely something to think about if you are doing military COTS procurement, or doing security for somebody who has data of real interest; but, for most of us, it's all just one more piece of assymetric transparency. I, for one, don't feel any warmer and fuzzier about the Americans spying on me than the Chinese spying on me(worse, in fact, because some sinister chinese intelligence agency is substantially less likely to sell my information to advertisers, make it harder to get medical insurance, or damage my credit rating than some warm, fuzzy, American multinational corporation).

I really hope that this threat leads to a general recognition of the need for sound and open practices for security(both in the sense of novel CS research on how to do maximally verifiable stuff, test blackboxes, build verified bootstrap compilers, etc, etc. and in the sense of market acceptance of the fact that mysterious binary firmwares, and "just trust us" responses from vendors, and blackbox systems in general just aren't good enough). That would make things better for everybody. I get the unpleasant sense, though, that a lot of this concern is less about "We really need to understand how to build highly complex systems that are dependable and verifiable for those who use them." and more about "Goddam chinks, only we are supposed to have backdoors and surveillance capabilities!"

Re:Another reason

[Rogerborg]

You know that 2/3 of the phrase "trust but verify" is meaningless oxymoronic bullshit designed to mask the harshness of the only significant word, right? Like "strong but sensitive" or "sexy but geeky".

Re:Another reason

[BZ]

> You'll note nothing seems to get cheaper to the end user.

Since we're talking about computer equipment, this is demonstrably false.

Cisco

[Lifyre]

This isn't just for good known to be made in china. This past year we performed an audit of our network infrastructure with Cisco's help. We found almost 10% of our switches were counterfeit. They were all models of layer 2 and layer 3 switches and were virtually indistinguishable from genuine Cisco products down to the enhanced security IOS.

Re:Another reason

[networkBoy]

It's not that it is an additional chip, it is a different chip all together.

For example:
the ICH (southbridge) on your system likely handles the following things for you:
keyboard/mouse
USB
IDE
SATA
FireWire
Lan on Motherboard
Boot from BIOS
WebCam

Using an ARM/ARC/MIPS core + SRAM added to the circuit of the ICH and fabbed as a "special item" one could conceivably manufacture motherboards with a larger than spec flashrom (to hold NVRam data for the extra proc) and so long as your system was on (possibly even "off" but plugged in if you can make it low enough power to run on standby voltage) you can datalog nearly anything.
Parse the data for the interesting bits and store that to a hidden file on the HDD (since you're the controller for the HDD this should be trivial, no one will miss 1 meg of sectors you've marked bad).
When you have an internet connection SSH over to your drop server (you run the ethernet MAC remember) and unload your stash.

Really not all that far fetched and as long as the government pays for it (the fab of chips) you can sub these into assembly and not even no there was something wrong on the system even with a physical inspection.

Re:Back doors in hardware

[smellsofbikes]

DoD is really worried about this. They're trying to develop ways to efficiently examine ICs to check for unexpected "features". Right now, it's necessary to open up the IC and put it under a scanning electron microscope, then use software that can extract the logic diagram from the scan.

One of the obvious places to put in a "back door" is in Ethernet controllers. Many used in servers already have logic for hardware "remote administration" (turn machine off, reboot, load code, etc.). It is supposed to be disabled by default, and work only when initialized with keys during hardware installation. Just build a set of default remote administration keys into the chip, and everyone using that chip is 0wned. Send the right UDP packets, and you can take over the machine. This would be completely invisible until activated.

Whenever this subject comes up, I post about it and either get a +5 insightful or get flamed to hell and told I don't know what I'm talking about, so let's see what happens this time. I work in semiconductor design. In a CPU or memory chip there are some sections of the chip that have duplicate/spare circuitry that can be brought into play if some of the main circuitry is defective. This is what people refer to when they talk about trimming memory chips. I don't do this sort of stuff so I don't actually know for sure, but people who post on slashdot claiming to know, say that it would be "easy" to jigger some of the spare circuitry to provide added/surreptitious functionality to the chip.

Thing is: I don't see that this is very useful since it's in ram or the cpu, and it seems to me to be possible, maybe even likely, to see surreptitious traffic from them heading outwards to the ethernet controller chip.

I think -- as apparently do you -- that the most likely places to try to put in backdoors are the I/O chips because it's hard for you to determine what they're doing. But then they have to include some serious functionality, to implement at least a little intelligence to decide what to send, unless they want to send everything, which again would be pretty obvious to someone looking at the hardware.

And since I work at a place that *does* design ethernet controller chips, although that's not what *I* do, I can say with at least some assurance that it's really, really, really unlikely that they could be backdoored.

Let me explain why: on analog and small digital chips, die size is *unbelievably* important because it is directly related to your profit margin. I've done chip layout. We will go to any lengths whatsoever to make the die smaller, even if it means completely relaying out the chip. There isn't any space for extra circuitry at all. Every square mil is loaded.

On top of that, we then run our prototype chips on planet runs, where a bunch of proto chips from various designers are all masked onto a chunk of silicon, in either our own local fab or our tiny owned fab in Europe, and then characterize the returned chip, and do metal changes and maybe a complete new mask set, and only *then* does it go out to the big fabs. And when we get *those* back, we spend months characterizing *them*, making sure that every individual pin has the same leakage current and ESD protection characteristics, as the ones we got back from our local fab, to ensure the chips will actually work in the field.

In order for a Chinese fab to put a backdoor into one of our designs they'd have to increase the die area, which would be really amazingly obvious, or remove existing circuitry, which would be really amazingly obvious. Even if they're so incredibly clever as to redesign the chip better than we can design it in the first place, giving them space to add their circuitry, it's very unlikely that the current draw on every pin during operation and when forced into test mode and pushed to failure, would be within 1% of the chips we got from fabs that we control.

With all that said, my company recently closed our Chinese fabs, an

Re:Another reason

[BrokenHalo]

I'd trust the Chinese further than most of my neighbours.

That's a bit sad. I get on quite well with the majority of my neighbours, but most people I know who have wide experience of commercial dealing with Chinese (not to be confused with personal interactions with individuals and their families) have told me of a catalogue of dishonest, conspiratorial and treacherous activities. Basically, it seems their attitude is that "westerners" are fair game, since their rules are just not recognised by the Chinese.

Adopting this attitude in comparatively small business dealings is one thing, but enshrining it in (unofficial) government policy is another. If the Chinese insist on treating other nations as enemies, they should expect the same in return. The fact that our governments and corporations are so ready to kowtow to them for their business is nothing short of sickening.

Re:Another reason

[oatworm]

Actually, it's probably going to be a little bit of both.

Look, we need to remember something here - it's not like we were manufacturing high-quality goods in the US when we were still manufacturing goods. There's a reason people stopped buying American cars, for example. Sure, you can point at something made in the US from 50 years ago and say, "Ah ha! See? Our stuff was better!", but that's just selection bias. Of course the stuff that made it to today from 50 years ago is more durable than the stuff we have lying around our house now. That's why it's over 50 years old.. All the crappy stuff that fell apart instantly fell apart fifty years ago.

Back in the day, we made TVs. In those days, TVs were so expensive, TV repair was a legitimate career path. Nowadays, TVs are so cheap that it just doesn't make sense, which is why you don't see too many black & white TVs running around these days. Heck, the transition from analog TV to high definition TV will probably take less time for most families than the transition from black & white to color, if only because the cost of high definition TVs is falling so fast and so far that, when people's analog TVs die every 3-5 years (or so), they'll be able to easily afford a high definition one. How long did it take for VCRs to disappear once DVDs came out? The reason we can make these transitions so quickly these days is because of inexpensive manufactured goods.

That said, back in the day, we were pretty much the only industrialized country on the planet. After World War 2, the US was the only country around that had a significant industrial base that hadn't been bombed into the Stone Age (at least the only one of a decent size - obviously Australia, Canada, and New Zealand were still in decent shape, too). Guess who was the world's China? That's right - the US, which is why, even if we switch to a protectionist stance, we're never getting back to a world in which the United States is 10x more prosperous than every other country on the planet. There's simply too much competition these days. Of course, back in the day, China was starving - that's less of an issue now. Back in the day, Mexico was a backwards, lawless hellhole. Nowadays, they possess the 13th highest GDP in the world, just ahead of Australia, with a slightly lower per capita GDP than Russia and Turkey. That's still not great, mind you, but it's still more than double China's and a heck of a lot better than it was at the turn of the last century. Japan is now a world-leading economic power; going into World War 2, they were just a regional power, roughly along the lines of South Africa today and with roughly the same amount of regional and international pull. South Korea? They weren't even a regional power when they gained independence from Japan after World War 2.

Besides, life in the '50s and '60s wasn't that great in the US anyway, especially if you actually possessed melanin or were unfortunate enough to live in the South. Even if you were white, middle class meant something very different in '50s-era Birmingham than it meant in, say, '50s-era Detroit or Cleveland. Even if you were fortunate enough to live in an industrial city with lots of well-paying union jobs, what'd you get for it back then? A cookie-cutter suburban home sans-grounded wiring, a car that would rust or fail every three years or 50,000 miles, a TV if you really saved up for it, and lots and lots of canned food. Back then, frozen food was considered so novel and interesting that four-star restaurants in New York used to advertise that they used frozen product. Seriously, if you compared '50s America with today's... oh... Jamaica, you'd find yourself picking Jamaica in a heartbeat, and not just because of the weather.

No, he didn't, as best we can tell.

[jeffb+(2.718)]

I was a gung-ho CS student when this article came out, and we spent a LOT of time hashing it over. He specifically did not say that he had done this, and while I don't remember him making an outright denial, we concluded that he hadn't. After all, the C compilers of that day were still small enough to be understood by a single human, and comparing C code to the assembly code generated from it (or comparing that assembly code to generated machine instructions) was not very challenging.

Maybe the Jargon File entry is right, and he did implement it as a proof-of-concept, but it wasn't widely distributed. It was easy enough for an interested (and bored) undergrad to check out over a weekend, but hard enough that compiler distributions weren't routinely examined.

With today's optimizing compilers and layers upon layers of abstraction, though, it seems like there's more than enough room for plenty such exploits. Pham Nuwen can still have his backdoor into the localizers.