Slashdot Mirror
Malicious Hardware Hacking May Be the Next Frontier
An anonymous reader writes "It's a given that hackers will target software, and that's enough for many people to worry about. But now there's the possibility that hackers would hide malicious code in the hardware itself. A hardware hack could be an annoyance, by stopping a mobile phone from functioning. Or it could be more dangerous, if it damages the way a critical system operates. Villasenor says there are several types of attacks. Broadly they would fall into two categories: one is when a block stops a chip from functioning, while the other involves shipping data out."
From the title of the summary:
Hardware Hackers May the Next Frontier
May what....MAY WHAT?!?!?!??!?!?!?!??!?! Seriously...what's with the editors around here?
Living With a Nerd
Nice headline.
"Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
Then again, July not.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
"A hardware hack could do [bad thing] or even [really bad thing]!" What about, "A hardware hack could free users from restriction systems?" or perhaps "A hardware hack could allow a mechanic to work on a transmission that was locked down by the manufacturer?"
Palm trees and 8
IANAEE, but isn't this already a potential problem with CPLDs? Or would you consider that a software/firmware hack?
...this reminds me of the whole "Hackers can make your computer explode!" scare that went around in the early PC era...
Someone hacked the article title, it seems. That's a bigger threat right there.
May. The Next Frontier. These are the failures of the Slashdot Editors. Their ongoing mission: To explore strange new URLs, to seek out new memes and new trending topics. To boldly fail where no man has failed before!
May has modified cars as part of the show, but does that qualify as "hardware hacking"? Even then, so has Clarkson and Hammond.
Yeah, THAT sounds practical. The article author watches/reads too much science fiction.
in the latest Scientific American, by the same guy.
Sheesh, evil *and* a jerk. -- Jade
I think it is possible that could hide malicious code in the. It could even potentially words from sentences. In Soviet Russia you.
You have it all wrong. Hardware Hackers May, the Next Frontier. New trip-hop inspired gloom-core band. Don't any of you guys get the HHM street team newsletter?
...with Taco's keyboard.
Because that's the way it's used in the article? The summary is nothing but sentences yanked straight out of it.
I wouldn't be too surprised if various intelligence services already did this. A service that puts moles in deep cover for decades would certainly be patient enough to put code in silicon and wait years for the right moment to execute it.
I really wish Slashdot headlines would stop using "Hacker" in the sense of "computer-oriented criminal." I clicked on this thinking it would be an interesting story about new hardware developments. It's just another boring story about what might be a problem for law enforcement. Who cares?
... and so can you !
(Stephen Colbert's next book ?)
All it takes is the ability to do a flash of a motherboard with a ROM that does everything, except adds a keylogger, and a driver that checks for Windows, and reinstalls the botnet client.
Exact same mechanism that LoJack for Laptops uses to reinstall itself. Except done by the blackhats instead of the whitehats. With more and more machines having motherboards with independent network stacks, it would be trivial to enable two-way NAT and have botnet clients that are easily communicated with this way.
Only real way to prevent these attacks is to go with a TPM based system. However, other devices can be easily flashed. A keyboard that stores macros might be able to be flashed to double as a keylogger.
Most of the defenses involve adding a kind of "policing" function to the chip's architecture. For example, one could design a block that would monitor the behavior of other blocks and make sure they fit certain patterns. If another block misbehaves, it would be "quarantined" and the monitoring hardware would take over the now-missing functions.
it's about time this kind of thing makes it to peecees. mainframes have this buit-in for eons now. of course, they use this for realiability, but having mainframe class reliability on desktop machines would't be bad, for a few extra bucks
What ? Me, worry ?
Seriously? /. editors can't tell the difference between Hardware and Firmware??
This story is so good...
...that 90% of the discussion is about the typo.
Nice QA as usual.
You read that headline, and your biggest criticism is their use of the word 'hacker'?
Seems like we almost need to add an "again" to the end of the title. Full circle, it has come.
Oooh. I wanna do it too!
- Hardware need more cowbell.
- O'rly?
- Ya'rly.
- Chuck Norris doesn't need hardware. All he needs to do is stare at Microsoft Word and it will run by itself.
- SHOOOP DA WOOOP THE GAME WHILE SNAPE KILLS DUMBLEDORE
Old memes are old.
Disclaimer: I've been involved in some research in verification of ASICs to uncover trojan hardware. Frankly, I think the threat of hardware hacks tends to be overblown.
The problem with planting Trojan circuits in hardware is that they're traceable. Given a compromised chip, you can locate the manufacturer and the fab it came from, and work backwards to the people who had access to the layout. It would be a financial and P.R. disaster for any third party vendor that allowed such a thing to happen. Who would ever trust them again with a design? These companies want to make money, and allowing government or criminal organizations to compromise the manufacturing process is too big a risk.
On top of that, using a hardware hack is equivalent to firing a shotgun into a swarm of gnats. How can you know that a hacked chip is going to make it into a box that just might happen to be used by a competitor you care about? It's an insane risk with a ridiculously small hope of payoff.
The way to compromise systems is the way that has worked extremely well so far - via software. You can target the attack, you can cover your tracks, and you have plausible deniability if you're caught. If you bribe someone inside the organization, you can place the software you want right on the machines you care about. And as long as organizations keep using Windows, you'll never run out of attack vectors.
Villasenor says there are several types of attacks. Broadly they would fall into two categories: one is when a block stops a chip from functioning, while the other involves shipping data out.
There are lots of other possibilites. Some examples:
A hardware hack could be an annoyance, by stopping a mobile phone from functioning. Or it could be more dangerous, if it damages the way a critical system operates.
They wanted their BIOS-corrupting viruses back
BTW, I remember an urban legend circulating that there was a virus that changed some low-level instructions in 3.5 floppy drives making them keep reading discs... which made the drives get on fire. Anyone has got more info on that?
Ubuntu is an African word meaning 'I can't configure Debian'
Let's get this "Microsoft is the most used and therefore the most targeted" bit out of the way. Yes, being ubiquitous is a factor, but not in the internet server arena because Microsoft Windows is not the leader in that market -- Linux is. So at least two factors make a hacking target worthwhile on a large scale:
1. Ubiquity
2. Vulnerability (ease of hacking)
One of the reasons Linux isn't an internet target is that there are so many of them and they are nearly all different. There are many distributions, many versions of many distributions, many custom applications on many versions of many distributions... all with different components installed and configured in different ways. (With Windows, things are all pretty much done the same way.)
But why am I talking about this? Seems off-topic yes? Well I wanted to establish some background before going into the hardware situation.
With regards to hardware, we have little in the way of ubiquity. Yes, an increasing number of devices are actually running Linux in the firmware. That makes Linux increasingly ubiquitous in hardware. We have seen exploits associated with HP printers in the past where SNMP was exploited even when it is "disabled." This is an issue because HP printers in the office are quite ubiquitous. We have also seen the news story about certain Dell server system boards were compromised out of the box. Dell is quite common in the office and the data center as well.
But on the whole, the hardware market is still widely varied. We should all be concerned as additional commoditization of hardware components make hardware devices less differentiated. This makes predicting the hardware targets all the more possible. (Although "guessing" the hardware is less of a concern where external exploits will still largely be a software issue and once entry is gained, listing the hardware components would be trivial... processing that list to select from a list of exploit packages would then be trivial as well.)
All of this says "yes, hardware is vulnerable, but never as vulnerable as the software running on it." Keep the software doors tight and you have less to worry about with hardware.
Chuck Norris doesn't need to use Microsoft Word, when he wants to write a letter he roundhouse kicks the keyboard.
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
" * Enable unauthorized access"
And how exactly are you going to do that in microcode or even hardwired circuits? Its the same BS as when he talks about "shipping data out". Yeah , sure you could do it , if you took up half the chip die with "secret" ROM code that ran its own networking stack, hardware drivers etc etc. If you're thinking about modifying the BIOS thats not hardware hacking, thats software.
Since nobody seems to have mentioned it yet: Reflections on trusting trust.
Note that he already mentions planting exploits into microcode, which is already quite close to the hardware. Do you know for sure there's no exploit planted in the microcode of your CPU? Maybe someone manipulated the compiler for the microcode? The compiler on which the compiler for the microcode was compiled?
But even with the actual hardware, that's possible: Just as you can place an exploit in the C compiler, you can also place an exploit in the VHDL compiler. Then the VHDL code will be unsuspicious, and run correctly in the simulator, but the actual chip will still be modified. Again, several levels are possible.
OK, is there anything which can protect us? Well, on one hand it's getting more complicated with each intermediate step. But then, there's also another protection: Exactly the fact that not everything isn't done by the same company! And this even applies for the simple case mentioned in TFA: A company which is asked for a component which, say, adds up a bunch of numbers, doesn't know how it's combined with the other blocks, or what the other blocks actually look like. Therefore he likely cannot tell how you could actually trigger the bad behaviour in the complete chip, or how to do something "useful" on that condition. The same is true on all the other levels: The chip developers will not write their own VHDL compiler, and the VHDL compiler writers have no clue what the chips which will defined with them will look like. The microcode developers likely don't write the microcode compiler, and the microcode compiler people probably don't have access to the microcode source code.
The Tao of math: The numbers you can count are not the real numbers.
Can you??
TFA is talking about someone embedding extra functionality at the chip-level which can later be accessed to achieve some desired result. It is not talking about injecting an update into the firmware of a running system. He's literally talking about hiding something at the circuit board level so by the time the chips are manufactured, they already have the embedded functionality.
So, before you start complaining about the editors being unable to tell the difference between the two things ... RTFA so you know what is being talked about. There is no mention of firmware, and he's not talking about firmware.
The article is literally talking about hardware.
Lost at C:>. Found at C.
What the are you on about?
10 FILL MUG WITH COFFEE
20 DRINK COFFEE
30 GOTO 10
TFS literally refers to "hiding malicious code in the hardware", and it was the summary I referred to.
I see what you're saying, but my understanding of something at the chip-level is that while it still may be 'code', it's immutable because it's printed on/embedded in the chip (whatever the correct term is) and implements the logic, but it can't be changed.
Firmware is static, but can be modified. It's not clear to me that what is being described is firmware, but true, fixed, unchanging hardware. It just has an embedded bit of behavior that under some circumstances will trigger something potentially malicious.
I mean, the instruction set in a CPU is 'code', but it can't be changed since it's part of the circuitry.
This isn't about adding new code to an existing bit of hardware, I think it's about building in the functionality at the lowest level in the actual chip itself. An embedded logic bomb or something, but not something which can be updated once the chip is manufactured.
Lost at C:>. Found at C.
"American planes will always be superior as long as there are wonderful young men like you in the cockpit.....and German^H^H^H^H^H^H Chinese parts."
A couple of years ago there was a news story about how Chip and Pin devices had been hacked in the factory to send information overseas:
http://www.telegraph.co.uk/news/uknews/law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html
This definitely falls into Villasenor's "shipping data out" category.
There was also a story recently of someone convicted of modifying these devices.
Still fighting that uphill battle? See, nobody knows or cares about the proper use of the word "hacker" except a small percentage of the geek population. And that samll percentage is NEVER going to be able to convince the other 99.5% of the population what the true meaning is. The meaning has been changed, and it happened in the 1980s. Just accept it.
Oh, and also -
A desktop tower is also now called the "CPU" or "hard drive"
RAM capacity and hard drive storage capacity can now be used interchangeably
Internet Explorer and Firefox applications are now called "the internets"
Transferring any data over any medium is called "downloading"
Any mp3 player, regardless of the brand, is called an "iPod"
Please make a note of this for future reference.
"But this one goes to 11!"
If it's built in at the hardware level by some jerk, isn't that more of a backdoor?
Vote monkeys into Congress. They are cheaper and more trustworthy.
The puns just keep marching along.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
OK, so how about the recent articles about Dell servers with infected hardware (I think it was in the monitoring firmware?). Is it Dell's fault, the company that did their refurbs/repairs, or what?
How about all the times when a device with USB-storage came preloaded with malware. Or how about the Intel CPU's that were actually big chunks of useless metal.
So a third-party steals a chip/board design, makes a clone, and then sneaks it in somewhere along the line. It doesn't have to be at the manufacturer, they just have to replace good hardware with the compromised units.
Hell, how about online sellers in general, many of which are in China, etc. How do you known that the firmware or even hardware of that fancy smartphone you just bought wasn't tampered with?
I see no reason that hardware is much safer than software... especially when loadable is a vulnerable midpoint between the two.
> the people who insist on calling themselves "hardware hackers" who are
> really "hardware tinkers" are causing a lot of confusion here
Words can have more than one meaning, different meanings in different contexts, and language constantly evolves. Live with it. It's stupid for old-timers to gripe that "hacker" has taken on a new negative meaning, but it is equally stupid to complain that the old meaning is confusing.
BTW, words also have connotations, and the connotation of "tinkerer" is very different than that of "hacker". If the continued use of "hacker" in this context bothers you too much, propose a new usage --- if it's catchy enough, maybe it'll catch on. But "tinkerer" won't (for the above reason).
The answer is simple: Don't buy mission critical components from China.
So basically what Motorola did for the Droid X?
Or what Intel has been selling as a feature for years.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way