Malicious Hardware Hacking May Be the Next Frontier

← Back to Stories (view on slashdot.org)

Malicious Hardware Hacking May Be the Next Frontier

Posted by CmdrTaco on Wednesday August 4, 2010 @02:14AM from the i-hide-it-in-my-pocket dept.

An anonymous reader writes "It's a given that hackers will target software, and that's enough for many people to worry about. But now there's the possibility that hackers would hide malicious code in the hardware itself. A hardware hack could be an annoyance, by stopping a mobile phone from functioning. Or it could be more dangerous, if it damages the way a critical system operates. Villasenor says there are several types of attacks. Broadly they would fall into two categories: one is when a block stops a chip from functioning, while the other involves shipping data out."

26 of 146 comments (clear)

Min score:

Reason:

Sort:

lolwut? by Pojut · 2010-08-04 02:14 · Score: 2, Insightful

From the title of the summary:

Hardware Hackers May the Next Frontier

May what....MAY WHAT?!?!?!??!?!?!?!??!?! Seriously...what's with the editors around here?

--
Living With a Nerd
1. Re:lolwut? by 0racle · 2010-08-04 02:21 · Score: 5, Funny
  
  Someone accidentally the whole thing.
  
  --
  "I use a Mac because I'm just better than you are."
2. Re:lolwut? by Hijacked+Public · 2010-08-04 02:35 · Score: 5, Funny
  
  It may finally answer who was phone though. Hackers was phone.
  
  --
  "Sacrifice for the good of The State" - The State
Re:We Certainly May! by natehoy · 2010-08-04 02:17 · Score: 3, Funny

Then again, July not.

--
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
Re:Uhm? by Anonymous Coward · 2010-08-04 02:18 · Score: 5, Funny

I think somebody accidentally the headline.
[Insert scary possibility] by betterunixthanunix · 2010-08-04 02:19 · Score: 4, Insightful

"A hardware hack could do [bad thing] or even [really bad thing]!" What about, "A hardware hack could free users from restriction systems?" or perhaps "A hardware hack could allow a mechanic to work on a transmission that was locked down by the manufacturer?"

--
Palm trees and 8
1. Re:[Insert scary possibility] by cygnwolf · 2010-08-04 02:27 · Score: 2, Interesting
  
  I have to agree. While I concede the point that someone can make malicious hardware, it seems like it would be -a lot- harder to infect someone's system with it than it would be to infect them with malicious code. Based on the headline, I would have thought this was an article about the people who call themselves hardware hackers who are trying to make hardware BETTER. Garage engineers, that sort. Unfortunately, these days, the word 'Hacker' carries a very negative connotation and it seems like, from this article, that some people are trying to perpetuate it.
  
  --
  Free Pie! The Pie is Also Evil!
CPLD? by MrFurious5150 · 2010-08-04 02:19 · Score: 2, Interesting

IANAEE, but isn't this already a potential problem with CPLDs? Or would you consider that a software/firmware hack?
1. Re:CPLD? by betterunixthanunix · 2010-08-04 02:25 · Score: 5, Interesting
  
  People have been hacking hardware for a really long time, longer than they have been hacking software. My security engineering textbook lists a number of hardware hacks that were used for espionage, particularly side channel attacks and other signals intelligence. Creating hardware trojan horses is an old trick; you might even say it dates back as far as the Trojan war.
  
  --
  Palm trees and 8
For some reason... by The+MAZZTer · 2010-08-04 02:20 · Score: 2, Funny

...this reminds me of the whole "Hackers can make your computer explode!" scare that went around in the early PC era...
Article Headline Hackers May the Final Frontier by noidentity · 2010-08-04 02:21 · Score: 2, Funny

Someone hacked the article title, it seems. That's a bigger threat right there.
Ahem... by Anonymous Coward · 2010-08-04 02:23 · Score: 4, Funny

May. The Next Frontier. These are the failures of the Slashdot Editors. Their ongoing mission: To explore strange new URLs, to seek out new memes and new trending topics. To boldly fail where no man has failed before!
Uhhh... by The+MAZZTer · 2010-08-04 02:26 · Score: 4, Insightful

Most of the defenses involve adding a kind of "policing" function to the chip's architecture. For example, one could design a block that would monitor the behavior of other blocks and make sure they fit certain patterns. If another block misbehaves, it would be "quarantined" and the monitoring hardware would take over the now-missing functions.
Yeah, THAT sounds practical. The article author watches/reads too much science fiction.
1. Re:Uhhh... by The+MAZZTer · 2010-08-04 02:50 · Score: 2, Insightful
  
  My problem with the paragraph is, if they can make a block of hardware that can take over the functionality of another block, why outsource the block in the first place since they already have a block that can do those functions? Answer: they can't make a block of hardware like that, that's why they had to outsource it. Also, they have to make it in house. If they outsource it they can no longer trust it either!
2. Re:Uhhh... by Pharmboy · 2010-08-04 02:59 · Score: 2, Insightful
  
  Or more importantly, whoever is adding the exploit to begin with obviously knows about the redundancy in hardware, which would be bypassed, in the same hardware if you are exploiting. It would add a false sense of security. This is like having TWO latches on your screen door.
  I like open source software just fine, but not preachy about it. However, when we are talking about critical infrastructure, this is a good argument for having the systems much, much more open and in plain view of many, many more eyes.
  
  --
  Tequila: It's not just for breakfast anymore!
3. Re:Uhhh... by betterunixthanunix · 2010-08-04 03:03 · Score: 2, Informative
  
  There is a good bit of research on this topic, actually. I think the idea with the "block that takes over functionality" is that it is perhaps simple enough (and thus lower performance) that inserting malicious functions into it would be difficult to do without being detected. So, for example, you might have a very high performance DSP block that can do a 1024 point FFT in a few clock cycles, but that is going to be a lot of logic and leaves a lot of places for a malicious manufacturer to hide something; your fallback if extra circuitry was detected would be a less complex FFT circuit that takes thousands of clock cycles to do the FFT, and which would be harder to tamper with. Detecting hardware that has been tampered with is pretty hard, though, and that is where a lot of the research is.
  
  It is not just about outsourcing; a chip fab in this country might have a worker who is on the payroll of the Chinese government, and who tampers with a chip layout just prior to manufacturing. It is pretty expensive to run a secure chip fab, and even if all chip fabs were domestic, you would still have a number of important computers (think of utilities, critical services, etc.) being manufactured at facilities where the employees might be engaging in sabotage of this sort.
  
  --
  Palm trees and 8
4. Re:Uhhh... by PrecambrianRabbit · 2010-08-04 04:37 · Score: 2, Interesting
  
  Although it's not the solution mentioned in the article, one possibility is to have two competing outsourcers produce the same block, then add comparison logic that verifies that each block is doing the same thing.
  Of course, this more than doubles the chip area. Also, the checking logic could be very difficult or practically impossible depending on the complexity of the block.
5. Re:Uhhh... by timholman · 2010-08-04 07:33 · Score: 2, Insightful
  
  It is not just about outsourcing; a chip fab in this country might have a worker who is on the payroll of the Chinese government, and who tampers with a chip layout just prior to manufacturing. It is pretty expensive to run a secure chip fab, and even if all chip fabs were domestic, you would still have a number of important computers (think of utilities, critical services, etc.) being manufactured at facilities where the employees might be engaging in sabotage of this sort.
  The problem with subverting a single employee in the manufacturing process is that it would be extremely difficult for him to hide his tracks. Let's assume Mr. Smith is paid by the Chinese government to insert a logic block of, say, 2000 gates into a router chip to provide them with a remote shutdown capability. First Smith has to find a place to put it, so he reruns the place-and-route software, or else does some custom polygon-pushing and hopes he doesn't screw up something else in the design. Then he has to run LVS (layout versus schematic) and DRC (design rule check) scans to make sure the chip is manufacturable, and he made no layout or wiring errors. In most modern design teams, where layouts are managed and checked by multiple people before tape-out, this would be nearly impossible for a single employee to get away with.
  So, Smith decides to subvert the firmware instead. Again, unless he's the only person who touches the firmware, and the only person who maintains the updates and revisions, he won't be able to get away with it for long. What happens when Smith is transferred to another project, and Jones takes over the firmware maintenance and realizes something is screwy about the checksum in the current version? Not to mention having to outthink the test and verification group - what if they come up with test vectors that reveal his tampering?
  If you're going to subvert one guy, you need to subvert lots of them, and I think that's what worries the U.S. government. If the Chinese were willing to spend the money, they could set up a fake company that could operate for years, or recruit an entire Chinese design house from the get-go, building up long-term customer relationships and looking for opportunities to infiltrate enterprise products. This would not be cheap, but it is not without precedent (e.g. the Glomar Explorer). The problem is that it would take only one leak and the entire operation would be blown, and every fab and design house in China would suffer as a result.
  It's so much easier to work on the back end using software. Bribe or blackmail someone inside the targeted organization, hand him a USB thumb drive with a rootkit installer, and the job is done in a matter of hours. Even if the rootkit is discovered, who can prove where it came from? The IT department re-images the drives and the agent is free to try again later.
Article about it by Black+Parrot · 2010-08-04 02:27 · Score: 2, Informative

in the latest Scientific American, by the same guy.

--
Sheesh, evil *and* a jerk. -- Jade
Hackors by kaoshin · 2010-08-04 02:28 · Score: 3, Funny

I think it is possible that could hide malicious code in the. It could even potentially words from sentences. In Soviet Russia you.
Re:Uhm? by Sloppy · 2010-08-04 02:47 · Score: 4, Funny

In Soviet Russia, you!

--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Hardware is traceable, software is not by timholman · 2010-08-04 03:07 · Score: 4, Interesting

Disclaimer: I've been involved in some research in verification of ASICs to uncover trojan hardware. Frankly, I think the threat of hardware hacks tends to be overblown.
The problem with planting Trojan circuits in hardware is that they're traceable. Given a compromised chip, you can locate the manufacturer and the fab it came from, and work backwards to the people who had access to the layout. It would be a financial and P.R. disaster for any third party vendor that allowed such a thing to happen. Who would ever trust them again with a design? These companies want to make money, and allowing government or criminal organizations to compromise the manufacturing process is too big a risk.
On top of that, using a hardware hack is equivalent to firing a shotgun into a swarm of gnats. How can you know that a hacked chip is going to make it into a box that just might happen to be used by a competitor you care about? It's an insane risk with a ridiculously small hope of payoff.
The way to compromise systems is the way that has worked extremely well so far - via software. You can target the attack, you can cover your tracks, and you have plausible deniability if you're caught. If you bribe someone inside the organization, you can place the software you want right on the machines you care about. And as long as organizations keep using Windows, you'll never run out of attack vectors.
1. Re:Hardware is traceable, software is not by QX-Mat · 2010-08-04 03:35 · Score: 2, Insightful
  
  A good point, except when small businesses try to extract the best value for money in an expensive IT purchase, counterfeit products can be very tempting - whether you know you're buying fake goods or not is irrelevent when the price is cheap. Cheap counterfeits are [arguabley] not traceable enough. Check out the Reg article on a recent Cisco raid
  I remember reading another article on the Chinese fakes, where it was said that the only outward difference was the type of screw used. Scary to think that a specially crafted packet (or more likely, sequence of) could destroy the internet :)
Ubiquity is a potential factor by erroneus · 2010-08-04 03:22 · Score: 2

Let's get this "Microsoft is the most used and therefore the most targeted" bit out of the way. Yes, being ubiquitous is a factor, but not in the internet server arena because Microsoft Windows is not the leader in that market -- Linux is. So at least two factors make a hacking target worthwhile on a large scale:
1. Ubiquity
2. Vulnerability (ease of hacking)
One of the reasons Linux isn't an internet target is that there are so many of them and they are nearly all different. There are many distributions, many versions of many distributions, many custom applications on many versions of many distributions... all with different components installed and configured in different ways. (With Windows, things are all pretty much done the same way.)
But why am I talking about this? Seems off-topic yes? Well I wanted to establish some background before going into the hardware situation.
With regards to hardware, we have little in the way of ubiquity. Yes, an increasing number of devices are actually running Linux in the firmware. That makes Linux increasingly ubiquitous in hardware. We have seen exploits associated with HP printers in the past where SNMP was exploited even when it is "disabled." This is an issue because HP printers in the office are quite ubiquitous. We have also seen the news story about certain Dell server system boards were compromised out of the box. Dell is quite common in the office and the data center as well.
But on the whole, the hardware market is still widely varied. We should all be concerned as additional commoditization of hardware components make hardware devices less differentiated. This makes predicting the hardware targets all the more possible. (Although "guessing" the hardware is less of a concern where external exploits will still largely be a software issue and once entry is gained, listing the hardware components would be trivial... processing that list to select from a list of exploit packages would then be trivial as well.)
All of this says "yes, hardware is vulnerable, but never as vulnerable as the software running on it." Keep the software doors tight and you have less to worry about with hardware.
Re:Why the poor choice of word? by Mister+Whirly · 2010-08-04 06:14 · Score: 2, Funny

Still fighting that uphill battle? See, nobody knows or cares about the proper use of the word "hacker" except a small percentage of the geek population. And that samll percentage is NEVER going to be able to convince the other 99.5% of the population what the true meaning is. The meaning has been changed, and it happened in the 1980s. Just accept it.

Oh, and also -
A desktop tower is also now called the "CPU" or "hard drive"
RAM capacity and hard drive storage capacity can now be used interchangeably
Internet Explorer and Firefox applications are now called "the internets"
Transferring any data over any medium is called "downloading"
Any mp3 player, regardless of the brand, is called an "iPod"

Please make a note of this for future reference.

--
"But this one goes to 11!"
Hardware is not all that traceable by phorm · 2010-08-04 07:19 · Score: 2, Insightful

OK, so how about the recent articles about Dell servers with infected hardware (I think it was in the monitoring firmware?). Is it Dell's fault, the company that did their refurbs/repairs, or what?
How about all the times when a device with USB-storage came preloaded with malware. Or how about the Intel CPU's that were actually big chunks of useless metal.
So a third-party steals a chip/board design, makes a clone, and then sneaks it in somewhere along the line. It doesn't have to be at the manufacturer, they just have to replace good hardware with the compromised units.
Hell, how about online sellers in general, many of which are in China, etc. How do you known that the firmware or even hardware of that fancy smartphone you just bought wasn't tampered with?
I see no reason that hardware is much safer than software... especially when loadable is a vulnerable midpoint between the two.