Slashdot Mirror


Hiding Backdoors In Hardware

quartertime writes "Remember Reflections on Trusting Trust, the classic paper describing how to hide a nearly undetectable backdoor inside the C compiler? Here's an interesting piece about how to hide a nearly undetectable backdoor inside hardware. The post describes how to install a backdoor in the expansion ROM of a PCI card, which during the boot process patches the BIOS to patch grub to patch the kernel to give the controller remote root access. Because the backdoor is actually housed in the hardware, even if the victim reinstalls the operating system from a CD, they won't clear out the backdoor. I wonder whether China, with its dominant position in the computer hardware assembly business, has already used this technique for espionage. This perhaps explains why the NSA has its own chip fabrication plant."

5 of 206 comments

  1. Re:Lojack for Laptops... by Anonymous Coward · Score: 5, Funny

    I'm not sure that's a good example of a sentence...

  2. Undetectable? by countertrolling · Score: 5, Insightful

    What, you can't sniff the traffic going in and out of your machine?

    --
    For justice, we must go to Don Corleone

  3. proprietary firmware by ArcRiley · Score: 5, Insightful

    You don't even have to go to such great lengths; if you want to root Linux machines, release a proprietary driver in the form of a binary Linux kernel module and watch as your customers blindly install it.

    This is one reason why we should insist on the source code to all firmware - or reverse engineer it and write new firmware ourselves.

  4. Re:NSA Fabrication Plant... by smellsofbikes · Score: 5, Interesting

    Wikipedia, as linked in the summary: "Its secure government communications work has involved the NSA in numerous technology areas, including the design of specialized communications hardware and software, production of dedicated semiconductors (at the Ft. Meade chip fabrication plant), and advanced cryptography research. The agency contracts with the private sector in the fields of research and equipment."

    Spectrum IEEE: "The DOD also maintained its own chip-making plant at Fort Meade, near Washington, D.C., until the early 1980s, when costs became prohibitive."

    I'm betting this statement is now bullshit.

    I dunno about the NSA, but I do know that *my* semiconductor fabrication company has a dedicated military fab line in California, and if the DoD orders a simple voltage regulator and is willing to pay for the extra cost, the fab goes through the layout, makes sure it's good, and runs it and packages it in a secure facility. I've not *seen* this, but coworkers have been in the fab and said that where most engineers in our company have Dilbert cartoons up, everyone in that facility has posters of military aircraft -- that it's like a military facility inside our company. Apparently they have full production capability: silicon design, fabrication, packaging, applications engineering, test engineering, and production engineering.

    I know my company's aversion to spending money. They wouldn't *do* this unless it was economically profitable, which means we're actively pitching our secure fabrication capability to buyers, so anyone who is buying compromised hardware is doing so knowing the risk.

    --
    Nostalgia's not what it used to be.

  5. Diverse Double-Compiling counters "Trusting Trust" by dwheeler · Score: 5, Informative

    The "trusting trust" attack is a nasty attack, but there is a counter-measure. Diverse double-compiling can detect compiler executables subverted by the "trusting trust" attack. See my paper for more, if you're curious.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
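A toy model of the diverse double-compiling (DDC) check that dwheeler's comment refers to, added here as an illustration; it is not David A. Wheeler's code and does not reproduce his paper, only the shape of the check. Compilers are stand-in Python objects, the "source" programs are constructed strings, and a SHA-256 of the stand-in binary plays the role of the byte-for-byte comparison; every name below (`Binary`, `compile_with`, `ddc`, the sample sources) is invented for this example.

```python
"""Model of Diverse Double-Compiling against a 'trusting trust' compiler.

Added illustration, not Wheeler's code.  A compiler binary is a Binary object;
a subverted one carries a self-propagating payload that (a) backdoors the login
program and (b) re-inserts itself whenever it builds the compiler, even from
clean source.  DDC detects this by rebuilding the compiler through an
independent trusted compiler and comparing the result with the suspect."""
from dataclasses import dataclass
from hashlib import sha256

# Constructed sample sources; they stand in for real program text.
LOGIN_SRC = "login: check password against shadow file"
COMPILER_SRC = "cc: translate source to binary"
BACKDOOR = "accept fixed magic password"   # constructed marker, not a real trigger


@dataclass(frozen=True)
class Binary:
    text: str          # what the binary does (stands in for machine code)
    payload: str = ""  # self-propagating compiler subversion, empty if clean

    def digest(self) -> str:
        """Stand-in for comparing the compiled bytes."""
        return sha256(f"{self.text}|{self.payload}".encode()).hexdigest()


def compile_with(cc: Binary, source: str) -> Binary:
    """Run compiler binary `cc` on `source` and return the produced binary.

    A subverted cc (payload set) recognises two sources: it adds a backdoor to
    the login program and copies its own payload into any compiler it builds.
    Everything else, and every clean cc, compiles faithfully."""
    if cc.payload:
        if source == LOGIN_SRC:
            return Binary(text=f"{source} + {BACKDOOR}")
        if source == COMPILER_SRC:
            return Binary(text=source, payload=cc.payload)
    return Binary(text=source)


def rebuilds_to_itself(cc: Binary, compiler_source: str) -> bool:
    """The ordinary 'rebuild from source' check: compile the compiler source
    with the suspect itself.  A trusting-trust payload survives this, which is
    why self-recompilation alone proves nothing."""
    return compile_with(cc, compiler_source).digest() == cc.digest()


def ddc(trusted_cc: Binary, suspect_cc: Binary, compiler_source: str) -> bool:
    """Diverse double-compiling.

    Stage 1: build compiler_source with an independent trusted compiler.
    Stage 2: use the stage-1 compiler to build compiler_source again.
    If suspect_cc faithfully implements compiler_source, stage 2 is the same
    binary as the suspect.  Returns True on match, False on mismatch.

    Model caveat: a real check needs a deterministic build (identical input
    produces identical bytes) and a trusted compiler that is genuinely diverse,
    i.e. not carrying the same payload as the suspect."""
    stage1 = compile_with(trusted_cc, compiler_source)
    stage2 = compile_with(stage1, compiler_source)
    return stage2.digest() == suspect_cc.digest()


# Constructed scenario: a clean independent compiler, a clean suspect, and a
# suspect that was subverted somewhere in its build history.
TRUSTED = Binary(text="trusted-cc: independent implementation")
CLEAN_SUSPECT = Binary(text=COMPILER_SRC)
SUBVERTED_SUSPECT = Binary(text=COMPILER_SRC, payload="trusting-trust payload")


if __name__ == "__main__":
    for name, suspect in (("clean", CLEAN_SUSPECT), ("subverted", SUBVERTED_SUSPECT)):
        login = compile_with(suspect, LOGIN_SRC)
        print(f"{name}: login binary -> {login.text!r}")
        print(f"{name}: self-rebuild matches suspect? {rebuilds_to_itself(suspect, COMPILER_SRC)}")
        print(f"{name}: DDC matches suspect?          {ddc(TRUSTED, suspect, COMPILER_SRC)}")
```

The point the model makes is the one in the comment: recompiling the compiler from its own (clean) source with the suspect binary reports "identical" for both the clean and the subverted case, so it cannot tell them apart, while routing the same source through an independent compiler produces a binary that only matches an honest suspect. In practice the comparison is only meaningful when the build is reproducible and the second compiler really is independent of the first.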