Slashdot Mirror
Malicious Hardware Hacking May Be the Next Frontier
An anonymous reader writes "It's a given that hackers will target software, and that's enough for many people to worry about. But now there's the possibility that hackers would hide malicious code in the hardware itself. A hardware hack could be an annoyance, by stopping a mobile phone from functioning. Or it could be more dangerous, if it damages the way a critical system operates. Villasenor says there are several types of attacks. Broadly they would fall into two categories: one is when a block stops a chip from functioning, while the other involves shipping data out."
From the title of the summary:
Hardware Hackers May the Next Frontier
May what....MAY WHAT?!?!?!??!?!?!?!??!?! Seriously...what's with the editors around here?
Living With a Nerd
Nice headline.
"Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
Hardware Hackers May the Next Frontier
It's true, we just might the next frontier.
Would be more to the point.
"A hardware hack could do [bad thing] or even [really bad thing]!" What about, "A hardware hack could free users from restriction systems?" or perhaps "A hardware hack could allow a mechanic to work on a transmission that was locked down by the manufacturer?"
Palm trees and 8
IANAEE, but isn't this already a potential problem with CPLDs? Or would you consider that a software/firmware hack?
...this reminds me of the whole "Hackers can make your computer explode!" scare that went around in the early PC era...
Someone hacked the article title, it seems. That's a bigger threat right there.
May. The Next Frontier. These are the failures of the Slashdot Editors. Their ongoing mission: To explore strange new URLs, to seek out new memes and new trending topics. To boldly fail where no man has failed before!
May has modified cars as part of the show, but does that qualify as "hardware hacking"? Even then, so has Clarkson and Hammond.
What is it with a tech site using "hacker" as something negative? Are you too young to know or is it just the call
Yeah, THAT sounds practical. The article author watches/reads too much science fiction.
in the latest Scientific American, by the same guy.
Sheesh, evil *and* a jerk. -- Jade
I think it is possible that could hide malicious code in the. It could even potentially words from sentences. In Soviet Russia you.
...with Taco's keyboard.
I wouldn't be too surprised if various intelligence services already did this. A service that puts moles in deep cover for decades would certainly be patient enough to put code in silicon and wait years for the right moment to execute it.
I really wish Slashdot headlines would stop using "Hacker" in the sense of "computer-oriented criminal." I clicked on this thinking it would be an interesting story about new hardware developments. It's just another boring story about what might be a problem for law enforcement. Who cares?
... and so can you !
(Stephen Colbert's next book ?)
So basically what Motorola did for the Droid X?
All it takes is the ability to do a flash of a motherboard with a ROM that does everything, except adds a keylogger, and a driver that checks for Windows, and reinstalls the botnet client.
Exact same mechanism that LoJack for Laptops uses to reinstall itself. Except done by the blackhats instead of the whitehats. With more and more machines having motherboards with independent network stacks, it would be trivial to enable two-way NAT and have botnet clients that are easily communicated with this way.
Only real way to prevent these attacks is to go with a TPM based system. However, other devices can be easily flashed. A keyboard that stores macros might be able to be flashed to double as a keylogger.
Most of the defenses involve adding a kind of "policing" function to the chip's architecture. For example, one could design a block that would monitor the behavior of other blocks and make sure they fit certain patterns. If another block misbehaves, it would be "quarantined" and the monitoring hardware would take over the now-missing functions.
it's about time this kind of thing makes it to peecees. mainframes have this buit-in for eons now. of course, they use this for realiability, but having mainframe class reliability on desktop machines would't be bad, for a few extra bucks
What ? Me, worry ?
Seriously? /. editors can't tell the difference between Hardware and Firmware??
This story is so good...
...that 90% of the discussion is about the typo.
Nice QA as usual.
"All your grammar are belong to us!" There - haven't seen that for a while.
Hardware hacking is old news, in all sorts of definitions of "hack".
Just from the top of my head, I seem to recall an incident when the Pentagon hacked the firmware in a printer that was being shipped from France to Iraq, in the early 90's. (No, I'm not going to bother with finding the source. Go ahead and Google it yourself.) It was probably lame, and considering that it pre-dated wide-spread use of the internet or even LANs, it probably did very little. But all the same, "sophisticated hardware hacks" are not the future, they've been here for a long time. I'm sure someone can find a good example and say "Ha! 90's!? Get off my lawn! When I was working with tabulation card punchers, we used to..."
Seems like we almost need to add an "again" to the end of the title. Full circle, it has come.
There have been stories identical to this for YEARS. Yawn.
No one has done it because it is much easier to do something like what happened in the story last month:
"Dell Ships Infected Motherboards"
http://it.slashdot.org/it/10/07/21/1354206.shtml
Or they just preinstall malware on storage devices. We get stories like that ALL THE TIME. It's usually detected quickly, but enough people can get infected that don't bother (or don't know how) to protect themselves that it is usually worth it.
Disclaimer: I've been involved in some research in verification of ASICs to uncover trojan hardware. Frankly, I think the threat of hardware hacks tends to be overblown.
The problem with planting Trojan circuits in hardware is that they're traceable. Given a compromised chip, you can locate the manufacturer and the fab it came from, and work backwards to the people who had access to the layout. It would be a financial and P.R. disaster for any third party vendor that allowed such a thing to happen. Who would ever trust them again with a design? These companies want to make money, and allowing government or criminal organizations to compromise the manufacturing process is too big a risk.
On top of that, using a hardware hack is equivalent to firing a shotgun into a swarm of gnats. How can you know that a hacked chip is going to make it into a box that just might happen to be used by a competitor you care about? It's an insane risk with a ridiculously small hope of payoff.
The way to compromise systems is the way that has worked extremely well so far - via software. You can target the attack, you can cover your tracks, and you have plausible deniability if you're caught. If you bribe someone inside the organization, you can place the software you want right on the machines you care about. And as long as organizations keep using Windows, you'll never run out of attack vectors.
Villasenor says there are several types of attacks. Broadly they would fall into two categories: one is when a block stops a chip from functioning, while the other involves shipping data out.
There are lots of other possibilites. Some examples:
A hardware hack could be an annoyance, by stopping a mobile phone from functioning. Or it could be more dangerous, if it damages the way a critical system operates.
They wanted their BIOS-corrupting viruses back
BTW, I remember an urban legend circulating that there was a virus that changed some low-level instructions in 3.5 floppy drives making them keep reading discs... which made the drives get on fire. Anyone has got more info on that?
Ubuntu is an African word meaning 'I can't configure Debian'
Let's get this "Microsoft is the most used and therefore the most targeted" bit out of the way. Yes, being ubiquitous is a factor, but not in the internet server arena because Microsoft Windows is not the leader in that market -- Linux is. So at least two factors make a hacking target worthwhile on a large scale:
1. Ubiquity
2. Vulnerability (ease of hacking)
One of the reasons Linux isn't an internet target is that there are so many of them and they are nearly all different. There are many distributions, many versions of many distributions, many custom applications on many versions of many distributions... all with different components installed and configured in different ways. (With Windows, things are all pretty much done the same way.)
But why am I talking about this? Seems off-topic yes? Well I wanted to establish some background before going into the hardware situation.
With regards to hardware, we have little in the way of ubiquity. Yes, an increasing number of devices are actually running Linux in the firmware. That makes Linux increasingly ubiquitous in hardware. We have seen exploits associated with HP printers in the past where SNMP was exploited even when it is "disabled." This is an issue because HP printers in the office are quite ubiquitous. We have also seen the news story about certain Dell server system boards were compromised out of the box. Dell is quite common in the office and the data center as well.
But on the whole, the hardware market is still widely varied. We should all be concerned as additional commoditization of hardware components make hardware devices less differentiated. This makes predicting the hardware targets all the more possible. (Although "guessing" the hardware is less of a concern where external exploits will still largely be a software issue and once entry is gained, listing the hardware components would be trivial... processing that list to select from a list of exploit packages would then be trivial as well.)
All of this says "yes, hardware is vulnerable, but never as vulnerable as the software running on it." Keep the software doors tight and you have less to worry about with hardware.
" * Enable unauthorized access"
And how exactly are you going to do that in microcode or even hardwired circuits? Its the same BS as when he talks about "shipping data out". Yeah , sure you could do it , if you took up half the chip die with "secret" ROM code that ran its own networking stack, hardware drivers etc etc. If you're thinking about modifying the BIOS thats not hardware hacking, thats software.
Since nobody seems to have mentioned it yet: Reflections on trusting trust.
Note that he already mentions planting exploits into microcode, which is already quite close to the hardware. Do you know for sure there's no exploit planted in the microcode of your CPU? Maybe someone manipulated the compiler for the microcode? The compiler on which the compiler for the microcode was compiled?
But even with the actual hardware, that's possible: Just as you can place an exploit in the C compiler, you can also place an exploit in the VHDL compiler. Then the VHDL code will be unsuspicious, and run correctly in the simulator, but the actual chip will still be modified. Again, several levels are possible.
OK, is there anything which can protect us? Well, on one hand it's getting more complicated with each intermediate step. But then, there's also another protection: Exactly the fact that not everything isn't done by the same company! And this even applies for the simple case mentioned in TFA: A company which is asked for a component which, say, adds up a bunch of numbers, doesn't know how it's combined with the other blocks, or what the other blocks actually look like. Therefore he likely cannot tell how you could actually trigger the bad behaviour in the complete chip, or how to do something "useful" on that condition. The same is true on all the other levels: The chip developers will not write their own VHDL compiler, and the VHDL compiler writers have no clue what the chips which will defined with them will look like. The microcode developers likely don't write the microcode compiler, and the microcode compiler people probably don't have access to the microcode source code.
The Tao of math: The numbers you can count are not the real numbers.
Can you??
TFA is talking about someone embedding extra functionality at the chip-level which can later be accessed to achieve some desired result. It is not talking about injecting an update into the firmware of a running system. He's literally talking about hiding something at the circuit board level so by the time the chips are manufactured, they already have the embedded functionality.
So, before you start complaining about the editors being unable to tell the difference between the two things ... RTFA so you know what is being talked about. There is no mention of firmware, and he's not talking about firmware.
The article is literally talking about hardware.
Lost at C:>. Found at C.
dont get all huffy there, its a huge difference tween circuit board level and chip level, and people already do this ALL THE TIME its called REDUNDANCY
know what your talking about before going on a crusade against someone, fiberglass with a copper pattern etched on it is not going to do jack shit and is about 10 miles away from chip level
http://cm.bell-labs.com/who/ken/trust.html
TFS literally refers to "hiding malicious code in the hardware", and it was the summary I referred to.
Go read the article. It's talking about chip fabrication and embedding the malicious stuff down at the chip level -- or, more accurately, functional blocks within chips. There isn't anything about firmware in the entire article.
Do you have anything to support the 'Firmware' claim?
I see what you're saying, but my understanding of something at the chip-level is that while it still may be 'code', it's immutable because it's printed on/embedded in the chip (whatever the correct term is) and implements the logic, but it can't be changed.
Firmware is static, but can be modified. It's not clear to me that what is being described is firmware, but true, fixed, unchanging hardware. It just has an embedded bit of behavior that under some circumstances will trigger something potentially malicious.
I mean, the instruction set in a CPU is 'code', but it can't be changed since it's part of the circuitry.
This isn't about adding new code to an existing bit of hardware, I think it's about building in the functionality at the lowest level in the actual chip itself. An embedded logic bomb or something, but not something which can be updated once the chip is manufactured.
Lost at C:>. Found at C.
just as much as the huffy one has on circuit board level hacking
and TFA says code in it as noted below you dont code transistors and capacitors, they are passive devices
Software hacks, generally, are third parties attacking a piece of software after it's been made and deployed.
The hacks suggested here are vulnerabilities deliberately put into the hardware while it's being made. I think the risk of these is reasonable, for the following reasons:
1. They are hard to detect - typical designs are very complex, and just like in software it's possible to deliberately slip in a bug which causes unintended behaviour. Normally the bug would be discovered during testing, but if the bug is obscure enough that it is never encountered during normal use, then it could pass all checks and get into production.
2. They could be very powerful. Lets consider a potential attack:
Lets say the design of a new CPU "accidentally" wrote data to memory address 0 rather than the correct address whenever a particular register had a particular value. This could be reasonably easy to hide in hardware, and reasonably deniable. It would also be very powerful, because it could be triggered by something as simple as copying data containing this "magic number". Next time the machine is rebooted, the CPU starts executing code at memory address zero, which just happens to be that memory address that was written earlier - the attacker now has control of the machine. The powerful thing here is something like that could be triggered by simply visiting a web page or opening an email, or even just sending a data packet to the machine. Unlike software flaws, something like this couldn't really be fixed without scrapping all the affected chips and re-making them.
3. they could be kept secret. If one of these flaws gets into a piece of hardware, I can imagine the entity that put it there wouldn't use it to send spam - instead they'd target individual machines in such a way their attack is never noticed. An attack like this could be run entirely in memory, so as soon as someone comes a fault, the mere act of logging into the machine could remove all traces of the attackers actions.
4. There are lots of places to hide something like this. In a modern computer system lots of pieces of hardware have direct access to memory, and therefore any piece of dodgy hardware could mount an attack like this - yes it might only be the battery controller chip, but it is probably still connected to a data bus where it can do serious damage.
1024Hello
"American planes will always be superior as long as there are wonderful young men like you in the cockpit.....and German^H^H^H^H^H^H Chinese parts."
eEye Network Security have been researching flaws in embedded software devices for many a moon and I am sure they are not the only outfit that has been doing so. - no news.
A couple of years ago there was a news story about how Chip and Pin devices had been hacked in the factory to send information overseas:
http://www.telegraph.co.uk/news/uknews/law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html
This definitely falls into Villasenor's "shipping data out" category.
There was also a story recently of someone convicted of modifying these devices.
If it's built in at the hardware level by some jerk, isn't that more of a backdoor?
Vote monkeys into Congress. They are cheaper and more trustworthy.
TFS literally refers to "hiding malicious code in the hardware", and it was the summary I referred to.
And for it to be useful it would have to be made accessible by the memory and address buss. That's no different then any other exploit. Normal QC should find that.
Mainframes have had "machine checks" and "wrap tests" for over 50 years that would find things like that on startup and vary off the offending subsystem.
OK, so how about the recent articles about Dell servers with infected hardware (I think it was in the monitoring firmware?). Is it Dell's fault, the company that did their refurbs/repairs, or what?
How about all the times when a device with USB-storage came preloaded with malware. Or how about the Intel CPU's that were actually big chunks of useless metal.
So a third-party steals a chip/board design, makes a clone, and then sneaks it in somewhere along the line. It doesn't have to be at the manufacturer, they just have to replace good hardware with the compromised units.
Hell, how about online sellers in general, many of which are in China, etc. How do you known that the firmware or even hardware of that fancy smartphone you just bought wasn't tampered with?
I see no reason that hardware is much safer than software... especially when loadable is a vulnerable midpoint between the two.
us!
> the people who insist on calling themselves "hardware hackers" who are
> really "hardware tinkers" are causing a lot of confusion here
Words can have more than one meaning, different meanings in different contexts, and language constantly evolves. Live with it. It's stupid for old-timers to gripe that "hacker" has taken on a new negative meaning, but it is equally stupid to complain that the old meaning is confusing.
BTW, words also have connotations, and the connotation of "tinkerer" is very different than that of "hacker". If the continued use of "hacker" in this context bothers you too much, propose a new usage --- if it's catchy enough, maybe it'll catch on. But "tinkerer" won't (for the above reason).
The answer is simple: Don't buy mission critical components from China.
So basically what Motorola did for the Droid X?
Or what Intel has been selling as a feature for years.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
...and most still don't. It's so fun that every 1 in 3 pieces of hardware you buy comes with a flavor of Linux, and so scary that you never likely be given control to check its sanity. SO scary.