Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hiding Backdoors In Hardware

Soulskill posted more than 3 years ago | from the hamster-escape-route dept.

Security 206

quartertime writes "Remember Reflections on Trusting Trust, the classic paper describing how to hide a nearly undetectable backdoor inside the C compiler? Here's an interesting piece about how to hide a nearly undetectable backdoor inside hardware. The post describes how to install a backdoor in the expansion ROM of a PCI card, which during the boot process patches the BIOS to patch grub to patch the kernel to give the controller remote root access. Because the backdoor is actually housed in the hardware, even if the victim reinstalls the operating system from a CD, they won't clear out the backdoor. I wonder whether China, with its dominant position in the computer hardware assembly business, has already used this technique for espionage. This perhaps explains why the NSA has its own chip fabrication plant."

cancel ×

206 comments

Sorry! There are no comments related to the filter you selected.

Lojack for Laptops... (2, Informative)

mlts (1038732) | more than 3 years ago | (#34063732)

A good example of this is Lojack for Laptops to see about having stuff in hardware be able to keep a program installed and hidden.

Re:Lojack for Laptops... (5, Funny)

Anonymous Coward | more than 3 years ago | (#34063840)

I'm not sure that's a good example of a sentence...

Re:Lojack for Laptops... (1, Interesting)

Anonymous Coward | more than 3 years ago | (#34063932)

A good example of this is Lojack for Laptops to see about having stuff in hardware be able to keep a program installed and hidden.

I have built and imaged hundreds of Sourcefire servers and THOUSANDS of desktop PC's for the NSA and their hardware is (mostly) the same thing everyone else buys. Alot of Dell. Most of the people I worked with only held a Postition of Public Trust security clearance if any. I had none at the time and was only bonded with a background check. They didnt even care about the Felony that was 10 years old.

Re:Lojack for Laptops... (1)

datapharmer (1099455) | more than 3 years ago | (#34064212)

And here's the scary part [newscientist.com] about that.

Re:Lojack for Laptops... (1)

k6mfw (1182893) | more than 3 years ago | (#34065142)

Cylon kill switch anyone?

Re:Lojack for Laptops... (1)

Ihmhi (1206036) | more than 3 years ago | (#34064844)

Pfft, backdoors?

Here's [img194.exs.cx] a case that has a back door, a front door, and windows, too!

Not bad but.. (1)

Stregano (1285764) | more than 3 years ago | (#34063846)

It sounds like a technique that a random hacker won't do. That is a bunch of work to get that going on a user's system. By that, I mean you are modding a rom on something on the pci slot. So unless you are fixing their pc, it will hard to make an excuse as to why you are opening up their machine when they wanted some anti-virus installed.

Re:Not bad but.. (2, Insightful)

ByOhTek (1181381) | more than 3 years ago | (#34063918)

So unless you are fixing their pc, it will hard to make an excuse as to why you are opening up their machine when they wanted some anti-virus installed

You haven't dealt with the average end user much have you? Probably less than 1% would be worried/suspicious. Of those that said anything, the answer "Oh, the antivirus has a special piece of hardware that it uses to prevent it from being disabled by viruses..." would suffice.

Re:Not bad but.. (4, Interesting)

mlts (1038732) | more than 3 years ago | (#34063942)

This could be what malware could do. Take some of the newer botnet clients that have modules for everything, be it trying to climb out of a VMWare machine, try to get around sandboxie, or other items. Malware could try to find items that are flashable, and reflash them with code for hooks to malware, or even worse an active keyboard logger. It was mentioned a while back in a previous /. article about a major computer maker with keyboard HIDs that were flashable with new code. So, if one got root on the box, it wouldn't be hard to reflash the keyboard with a keylogger that could store keystrokes, or just send them as packets to the blackhat's site.

Other than cellphone makers, a lot of devices really don't put much in the way of protecting their BIOS against rogue code, so it isn't farfetched to reflash a sound card, a NIC, a Northbridge/Southbridge controller, a video card, motherboard BIOS, or any other subsystem with malicious programming.

Re:Not bad but.. (1, Insightful)

spottedkangaroo (451692) | more than 3 years ago | (#34064162)

"sandboxie"

Please don't do this. You'll regret it if you make it popular.

Re:Not bad but.. (1)

tibman (623933) | more than 3 years ago | (#34064306)

what's wrong with sandboxie?

Re:Not bad but.. (0)

Anonymous Coward | more than 3 years ago | (#34064368)

makes you sound like a vally girl tard...

Like you know... I gots this sandboxie thingy.. and it's all up in there and stuff....

Re:Not bad but.. (4, Informative)

tixxit (1107127) | more than 3 years ago | (#34064538)

Sandboxie is the name of a program for Windows that can create and run programs in sandboxes.

Re:Not bad but.. (3, Interesting)

HomelessInLaJolla (1026842) | more than 3 years ago | (#34064282)

Remember when the Pentium chip was first released and there was a flaw found in the processor? The flaw was most commonly demonstrated in something like the eleventh decimal place in a mathematical calculation which could be made inside an Excel spreadsheet. Intel released a firmware fix that compensated (obviously they were not about to recall, retool, and replace all of thsoe chips). That sort of hardware "flaw" exists in almost any hardware chip of sufficient complexity. I believe it is a mathematical nuance of binary logic gates; somewhat analogous to algorithms which purport to generate prime numbers or pythagorean triples--eventually the algorithm breaks down and it misses one, then it misses a few, then it begins missing a whole bunch, then eventually the algorithm is marginally useless and a new algorithm must be applied to reliably continue to find the (n+1)th prime number or pythagorean triple.

These hardware flaws exist in your routers, in your processors, in your sound cards, in your video cards, even in your monitors and the chips of your hard drives and, now that microchip technology is sufficiently advanced and complex, in darn near anything which does more than basic mathematical calculations presented on a mantissa.

No technology has ever been released to the mass public without first knowing its flaws--and there will be flaws. It is an unavoidable result of the mathematics behind binary logic. I believe that most programmers begin to come in contact with this premise when they are asked, in intermediate programming courses, to write code for multiplication and division, especially with floating point numbers, performed using binary registers.

If you think your internets are safe then think again. All your base belong to the people who wrote it.

Re:Not bad but.. (4, Informative)

MerlynEmrys67 (583469) | more than 3 years ago | (#34064406)

Ok - time for a few corrections
1) First Intel (after initially responding poorly to the bug) fully recalled the product without question. If you had a processor in question, you could ask for and recieve a replacement. Please see http://en.wikipedia.org/wiki/Pentium_FDIV_bug [wikipedia.org]
2) The flaw was caused by a bad division lookup table, not the mathematical nuance of binary logic gates. What I think you are trying to describe is the fact that floating point numbers are not percise, and you never compare them directly, only compare if they are within a small delta of each other.

Re:Not bad but.. (0)

Anonymous Coward | more than 3 years ago | (#34064988)

Infecting the router would be useful too.

you don't need to open the case to flash a rom (1)

Joe The Dragon (967727) | more than 3 years ago | (#34064086)

you don't need to open the case to flash a a rom.

Re:Not bad but.. (1)

Nikker (749551) | more than 3 years ago | (#34064278)

Just have to be on the same LAN after hardware exploits allow control via routable packets. http://it.slashdot.org/story/10/03/27/2145255/Remote-Malware-Injection-Via-Flaw-In-Network-Card?from=rss [slashdot.org]

So exploit NIC using routable packet, use DMA to grab CPU, use CPU to exploit ROM, use ROM to dupe packets with forged header to remote survey location, etc,etc.

Re:Not bad but.. (1)

Peeteriz (821290) | more than 3 years ago | (#34064534)

It sounds like something that's hard to do for an individual PC but trivial to do for millions of PC's - random guy in some factory in China, Indonesia, or Taiwan modifies the rom image that is put on some cheap device - say, some ethernet or sound chip that goes on generic motherboards, and voila - it's done.

    And nobody would know if that was done for some intelligence agency or simply to sell a botnet for cash..

*giggle* *giggle* (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34063848)

*giggle* I farted in CmdrTaco's corn flakes. *giggle*

Undetectable? (5, Insightful)

countertrolling (1585477) | more than 3 years ago | (#34063850)

What, you can't sniff the traffic going in and out of your machine?

Re:Undetectable? (0)

Anonymous Coward | more than 3 years ago | (#34063958)

You would need a second machine, otherwise you are just asking an infected operating system to tell you about the infected traffic it is sending.

Re:Undetectable? (1, Funny)

Anonymous Coward | more than 3 years ago | (#34064012)

OMG, but what if THAT machine is infected, too?!

Re:Undetectable? (3, Funny)

Anonymous Coward | more than 3 years ago | (#34064116)

Then you need a turtle.

Re:Undetectable? (0)

Anonymous Coward | more than 3 years ago | (#34064160)

I like toitles.

Re:Undetectable? (1)

Worthless_Comments (987427) | more than 3 years ago | (#34064886)

All the way down...

Re:Undetectable? (0)

Anonymous Coward | more than 3 years ago | (#34064118)

Wow really? Pretty sure everyone around here has a router capable of that. That is if they cared enough to properly set it up.

Re:Undetectable? (2, Insightful)

noidentity (188756) | more than 3 years ago | (#34064242)

Not if it's hidden among legitimate traffic.

Re:Undetectable? (0)

Anonymous Coward | more than 3 years ago | (#34064488)

Unless it's tampering packets there's really no way to hide short of information overload. Although I guess it could use a legitimate service (e.g. Google) to somehow tunnel itself -- like keylogging to a Google Talk account using XMPP.

NSA Fabrication Plant... (4, Interesting)

Samantha Wright (1324923) | more than 3 years ago | (#34063868)

Wikipedia, as linked in the summary: "Its secure government communications work has involved the NSA in numerous technology areas, including the design of specialized communications hardware and software, production of dedicated semiconductors (at the Ft. Meade chip fabrication plant), and advanced cryptography research. The agency contracts with the private sector in the fields of research and equipment."

Spectrum IEEE: "The DOD also maintained its own chip-making plant at Fort Meade, near Washington, D.C., until the early 1980s, when costs became prohibitive." [ieee.org]

I'm betting this statement is now bullshit.

Re:NSA Fabrication Plant... (1)

Samantha Wright (1324923) | more than 3 years ago | (#34063888)

By which I mean the summary is in error.

Re:NSA Fabrication Plant... (4, Insightful)

mrsteveman1 (1010381) | more than 3 years ago | (#34064610)

By which I mean the summary is in error.

That's what they want you to think.

Re:NSA Fabrication Plant... (5, Interesting)

smellsofbikes (890263) | more than 3 years ago | (#34064290)

Wikipedia, as linked in the summary: "Its secure government communications work has involved the NSA in numerous technology areas, including the design of specialized communications hardware and software, production of dedicated semiconductors (at the Ft. Meade chip fabrication plant), and advanced cryptography research. The agency contracts with the private sector in the fields of research and equipment."

Spectrum IEEE: "The DOD also maintained its own chip-making plant at Fort Meade, near Washington, D.C., until the early 1980s, when costs became prohibitive." [ieee.org]

I'm betting this statement is now bullshit.

I dunno about the NSA, but I do know that *my* semiconductor fabrication company has a dedicated military fab line in California, and if the DoD orders a simple voltage regulator and is willing to pay for the extra cost, the fab goes through the layout, makes sure it's good, and runs it and packages it in a secure facility. I've not *seen* this, but coworkers have been in the fab and said that where most engineers in our company have Dilbert cartoons up, everyone in that facility has posters of military aircraft -- that it's like a military facility inside our company. Apparently they have full production capability: silicon design, fabrication, packaging, applications engineering, test engineering, and production engineering.

I know my company's aversion to spending money. They wouldn't *do* this unless it was economically profitable, which means we're actively pitching our secure fabrication capability to buyers, so anyone who is buying compromised hardware is doing so knowing the risk.

Umm (1)

trifish (826353) | more than 3 years ago | (#34063870)

So what exactly is new here? I thought most ./ readers already knew that you have to trust the hardware you use...

Nothing new, but somethings are worth repeating (4, Interesting)

SmallFurryCreature (593017) | more than 3 years ago | (#34064114)

Your right, this is well known... but not by everybody. Every minute new babies are born... grow up and have the told everything that everyone already knows, because they don't.

So every second, new slashdotters come on and have to learn that yes, you have to be able to trust the hardware you use for security to mean anything. See, you ALREADY left a IMPORTANT part out. You say "you have to trust your hardware", this implies that you just have no choice but to trust it. In reality, you got to ask yourself, who designed the hardware I am relying on and can they and their suppliers/contractors be trusted. Answer: rarely. Reality is that most of us just ain't intresting enough to monitor at high levels.

This always amuses me with people at say Freenet. All of them seem so pampered in our western nations they can't conceive of how a true dictarorship can work. Encrypt? Who sold you that CPU that is doing the encryption? Darknet? When all the traffic flows through a government router. This is naive as saying that when you plug your lights straight into the grid, before the meter, the electricity company (the state) won't know about the 100 watt light streaming out of your windows...

Fact: there are those who would like to spy. Fact: A good method is to get the place you want to spy on to have a device inside, you control and can use to get data out. Fact: Those who wish to spy, make PC's that are brought into the places that they want to spy on and contain the data they wish to get.

If the Chinese AIN'T doing this, they are either afraid the west (and their own people) check all their hardware, ain't all that intrested because there are methods less likely to risk their trade or they are really stupid.

The Chinese ain't stupid and the west doesn't check all the time. Leaves that China doesn't want to risk trade by making their products suspect if just one nerd with a packet sniffer finds something.

It is worth keeping in mind however that the risk is there. Can the US afford to loose more and more of its chip production? We already saw what happens with rare earth materials. This stuff is all over the globe, the US got piles of it, Russia is drowning in it BUT it all seemed so easy to have ONLY the Chinese invest in mining it. Now the rest of the world needs years to get their own production up to scratch.

Say China starts a war (against Russia for resources) today... how long can the US afford to get its war production up to speed without Chinese/Taiwanese goods? Goods that might at the flick of a switch all contain spyware?

Gosh, maybe some generals should play Civ a bit more. See how things can change on a single turn.

proprietary firmware (5, Insightful)

ArcRiley (737114) | more than 3 years ago | (#34063874)

You don't even have to go to this great of a length; if you want to root Linux machines, release a proprietary driver in the form of a binary Linux kernel module and watch as your customers blindly install it.

This is one reason why we should insist on the source code to all firmware - or reverse engineer write new firmware ourselves.

Re:proprietary firmware (4, Insightful)

Salamander (33735) | more than 3 years ago | (#34064018)

This is one reason why we should insist on the source code to all firmware - or reverse engineer write new firmware ourselves.

"We" should reverse-engineer more firmware "ourselves" eh? When I see them at lunch, I'll let the subset of "we" who actually do such things know that somebody with an Ubuntu address said so. That'll be good for a few laughs.

Re:proprietary firmware (2, Funny)

abigor (540274) | more than 3 years ago | (#34064298)

Yours is probably the best post I've read in a month.

Re:proprietary firmware (3, Insightful)

Anonymous Coward | more than 3 years ago | (#34064344)

Why so snarky? I don't know who either of you are, but there are many ways to contribute to open-source computing. For instance, on the development, legal or political fronts. The GP's comment is wishful thinking, but that doesn't warrant getting your hate on.

Re:proprietary firmware (0, Troll)

swb (14022) | more than 3 years ago | (#34064028)

This is one reason why we should insist on the source code to all firmware - or reverse engineer write new firmware ourselves.

That makes management deadlines easier to meet and pleases vendors and other third party support. Sweet.

"I wonder whether China..." (0)

Anonymous Coward | more than 3 years ago | (#34063886)

"Bad, bad Chinks!" Yeah, because the CIA does not spy at all.

The NSA (1)

characterZer0 (138196) | more than 3 years ago | (#34063900)

undetectable backdoor inside hardware.

This perhaps explains why the NSA has its own chip fabrication plant.

If the NSA broke in and stuck a small device into an empty PCI slot in your computer, would you notice?

Re:The NSA (1)

coolsnowmen (695297) | more than 3 years ago | (#34064074)

In your scenario, the "broke in." Under everyday circumstances, I might not search my desktop for extra parts, but if I find a broken window/door. I might search my apt a little more rigorously.

Re:The NSA (3, Funny)

H0p313ss (811249) | more than 3 years ago | (#34064088)

undetectable backdoor inside hardware.

This perhaps explains why the NSA has its own chip fabrication plant.

If the NSA broke in and stuck a small device into an empty PCI slot in your computer, would you notice?

Now here's a good reason to use an iPad or macbook.

Re:The NSA (0)

Anonymous Coward | more than 3 years ago | (#34064520)

Surely, you are joking, Mister Bond?

Re:The NSA (1)

H0p313ss (811249) | more than 3 years ago | (#34065116)

Surely, you are joking, Mister Bond?

*slowly draws his Walther PPK from it's custom shoulder holster*

Some things I never joke about Mr. Gates...

*fade to black*

Re:The NSA (1)

Manfre (631065) | more than 3 years ago | (#34064096)

Yes. My case has a window and it has no empty pci slots.

Re:The NSA (1)

Lunix Nutcase (1092239) | more than 3 years ago | (#34064280)

If the NSA broke in and stuck a small device into an empty PCI slot in your computer, would you notice?

Protip: The NSA doesn't do any real field work such as what you describe. If such a scenario were to happen it would be done by the FBI or the CIA. You seem to have fallen for the wildly inaccurate portrayal of the NSA from Hollywood and TV.

Re:The NSA (1, Interesting)

Anonymous Coward | more than 3 years ago | (#34064700)

Well, actually you can't prove they aren't directly involved in field work because the agency is exempt from publishing exactly what they do under joint domestic investigations with the FBI (which is probably more common than anybody would like to believe).

Certainly the feds aren't going to "break in" and plant such a device, but who's to say the hardware we buy doesn't contain such hidden malware from the production line? All hardware sold in the US was "bugged" during the cold war because 1% of it ended up in use by foreign powers... fax machines and CRT monitors were designed to facilitate remote data collection...

Re:The NSA (1)

Lunix Nutcase (1092239) | more than 3 years ago | (#34064814)

Well, actually you can't prove they aren't directly involved in field work

This is completely different to what I was saying. Sure, they may be helping in field work done by other agencies, but there aren't "NSA agents" going around as a law enforcement agency breaking into people's houses, etc. Such things are done by the FBI or the CIA. Sorry, but despite what movies, TV and over-dramatized books have told you, that is pure fiction.

Re:The NSA (1)

icebraining (1313345) | more than 3 years ago | (#34064366)

I carry my laptop with me almost always. Not because I'm paranoid, it's just useful.

Re:The NSA (0)

Anonymous Coward | more than 3 years ago | (#34064410)

If the NSA broke into Asus' president's house and pointed a gun at his wife, saying "you're adding this circuit to your motherboards," and then that manufacturer sold their board to newegg who sold it to you, would you notice?

Re:The NSA (1)

mrsteveman1 (1010381) | more than 3 years ago | (#34064830)

Yes, because most of my systems don't have PCI slots. It would definitely be noticeable.

Re:The NSA (1)

JWSmythe (446288) | more than 3 years ago | (#34065050)

    In my home machine? As a matter of fact, I would. It has a clear side, and an illuminated fan. I didn't get it for that purpose, it was just the cheapest case that the store had, that would do the job. It sits where I can see the inside of it while I'm using the computer. It only sits where I can see it, because it was the only place to put the machine. It is helpful to glance in to see if there is dust in the heatsinks or fans.

    I know every wire and component that is suppose to be there, since I built it myself. They can install anything they'd like. Actually, I invite them to, but anything they leave on my property is considered a "gift" to me, to do with as I please. :)

   

Re:The NSA (1)

JonySuede (1908576) | more than 3 years ago | (#34065122)

I would but then I am a passively cooled open case kind of guy.

Yes They Are! (1)

hashish16 (1817982) | more than 3 years ago | (#34063912)

Chins is absolutely doing this and the DoD, NSA, and CIA are aware of the activity. Honestly, they don't care about regular consumers, but govt. officials and employees are banned from having Chinese manufacture equipment during official business/work.

Re:Yes They Are! (1)

mlts (1038732) | more than 3 years ago | (#34064050)

One probable answer to this is having the motherboards outsourced, but have a TPM-like daughterboard made in the US under tight working conditions and supervision. This won't protect against all hardware attacks, but at least there will be code in hardware to start with a chain of custody and tamper resistance.

Since TPM chips are not part of the active boot process, the BIOS doesn't know if its signature is valid or not. All it does is scan the next part, pass the hash of the result to the TPM, then call the next chunk of code in line. Finally, there is a point where the OS asks the TPM for the encryption keys, and if the BIOS, MBR, and other parts of the machine have not been touched, it will hand them over.

Re:Yes They Are! (0)

Anonymous Coward | more than 3 years ago | (#34064136)

but govt. officials and employees are banned from having Chinese manufacture equipment during official business/work.

This is total bull. I do "official" government work all the time on Dell computers with the same bog standard, Chinese-manufactured hardware as what every consumer buys. I doubt you can even cite a single official source for such a silly claim.

Re:Yes They Are! (0)

Anonymous Coward | more than 3 years ago | (#34064346)

I don't think you need to bother questioning the credibility of a poster named "hashhish16".

Re:Yes They Are! (1)

NatasRevol (731260) | more than 3 years ago | (#34064316)

The DoD, NSA and CIA are not only aware of the activity, they're doing the same thing.

Not again (0)

Anonymous Coward | more than 3 years ago | (#34063920)

These stories appear over and over, but this kind of trick is almost useless because the manufacturer does not know on which machine their device will be installed and so has no way of knowing how it's spying is going to work. If it appears on every device then you've got a logistical nightmare trying to figure it out. And, why would you put it in hardware when the trail of evidence will lead directly back to you if it is found out??? Entirely stupid.

well that's... brilliant... and fucking scary. (0)

Anonymous Coward | more than 3 years ago | (#34063956)

well that's... brilliant... and fucking scary.

Subject goes here (0)

Anonymous Coward | more than 3 years ago | (#34064728)

Content goes here

If you're close enough to install new hardware ... (0)

petes_PoV (912422) | more than 3 years ago | (#34063968)

... you're probably close enough to image the disk(s) and futz around with the data your hack is trying to access remotely. This is only a hack that would work to target a specific machine, runnning a specific O/S. Presumably before the expansion ROM tries to alter kernels it does a quick check to make sure the box is actually running the O/S and architecture it's intended for. Otherwise you'll have an awful lot of Windows users buying this card and returning it when it scrashes their PCs.

(Slashdot reply) Kind of old news (0)

Anonymous Coward | more than 3 years ago | (#34063990)

If no-one really saw this coming, blame you. In the 90's one could already mail order devices which would plug into the ISA/VESA bus, which could restore the system to the "original" state.

how do you hide it from QA? (4, Insightful)

alen (225700) | more than 3 years ago | (#34064024)

everyone knows it's easy to slip backdoors into hardware, but hiding it is the hard part. every fabless chip maker does spot checks of their products and will find these backdoors. at the very least they will find that the shipping products aren't like the ones they designed with extra circuits.

anyone with data that's worth keeping secret will have it behind firewalls and all kinds of security appliances that will start flashing alerts if there is traffic to a high risk geographic area

Re:how do you hide it from QA? (1)

Manfre (631065) | more than 3 years ago | (#34064144)

The same way viruses on usb keys slip past QA.

Re:how do you hide it from QA? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34064190)

Not to mention that it only has to be found in use once, and traffic is traffic. Something funny leaving the network gets a lot of attention in certain places - particularly the ones worth installing a hardware backdoor for.

Re:how do you hide it from QA? (0)

Anonymous Coward | more than 3 years ago | (#34065090)

"Something funny leaving the network gets a lot of attention in certain places"

It's the same thing in prisons, but if it's gone it's gone, no matter the attention it gets after the fact.

OTOH nobody beaks into prisons to install hardware.

Re:how do you hide it from QA? (2, Insightful)

Samantha Wright (1324923) | more than 3 years ago | (#34064202)

You don't: you own the whole chain. There are plenty of companies that are now wholly Chinese—consider, for example, that the NASA crew on the ISS uses Lenovo T61p Thinkpad laptops for all of their personal computing needs. There's no QA going on there that Lenovo can't control or manipulate if the Chinese government covertly asks them to. The chips involved in making the system never get shipped across the ocean prior to final assembly.

Furthermore, who says you can't slip the modified chip in at the last stage? A backdoor that's only shipped to your target is less likely to be found than one you ship to every customer in the US.

Re:how do you hide it from QA? (2, Informative)

alen (225700) | more than 3 years ago | (#34064508)

i've worked for Uncle Sam for 9 years. the government buys their IT crap from CDW and the same companies corporate america buys from. one time i tried to order laptops direct from Dell and it took months of getting special permission to get it done.

and the government buys their IT crap little by little like everyone else. a PC here, a server the next month. a few servers and storage a few months later when there is money. one time they bought layer 2 switches in the 1990's which sat around for over a year because there was no money for the contract to install them. at the end of the year a lot of the "unspent" money gets spent on wishlists and you may have hardware bought one year and the labor paid for the next year

Re:how do you hide it from QA? (0)

Anonymous Coward | more than 3 years ago | (#34064224)

therefore you bribe Microsoft and warn them to do their patriotic duty and make/leave some backdoors for you!

Re:how do you hide it from QA? (1)

TheLink (130905) | more than 3 years ago | (#34064258)

For many companies, QA is unleashing the product to unsuspecting customers.

Re:how do you hide it from QA? (1)

orasio (188021) | more than 3 years ago | (#34064626)

everyone knows it's easy to slip backdoors into hardware, but hiding it is the hard part. every fabless chip maker does spot checks of their products and will find these backdoors. at the very least they will find that the shipping products aren't like the ones they designed with extra circuits.

anyone with data that's worth keeping secret will have it behind firewalls and all kinds of security appliances that will start flashing alerts if there is traffic to a high risk geographic area

That's funny.
You mean that I shouldn't mind if my servers phones home to a low risk geographic area, but they should raise an alter if they ever get hits from Nigeria or some other foreign country? (Disclaimer: I live in foreignland, too)

Re:how do you hide it from QA? (1)

nospam007 (722110) | more than 3 years ago | (#34065148)

"they should raise an alter if they ever get hits from Nigeria or some other foreign country?"

Only if the royalty bit (at offset 419) is set in the case of Nigerian data.

Re:how do you hide it from QA? (0)

Anonymous Coward | more than 3 years ago | (#34064996)

No, it's called "Trusted Computing", and this level of capability was built right into it. It had many purposes: one of them, the one that paid the bills for the developers, was the implicit DRM. Another use, though, is control of the boot process: signed tools control the boot process and access to all hardware. But just because a tool is "signed", does not mean it's safe, especially from a malicious owner of the relevant software keys. This technology was becoming ubiquitous and was planned for integration into CPU's, It's also now required for all military PC's.

http://en.wikipedia.org/wiki/Trusted_Computing

No, this is *exactly* why... (1)

andymac (82298) | more than 3 years ago | (#34064032)

The NSA has their own chip fab plant - I bet they've been doing this for years (embedding their own backdoors in the h/w). How better to manage hardware assets that are compromised in the field?

The problem with that... (1)

thewebsiteisdown (1397957) | more than 3 years ago | (#34064036)

The flaw in this otherwise sinister scheme would be: What kind of effort would it take, on the part of the would-be bad guys, to ensure that the components in question found their way into machines that were of any consequence? And once discovered, the retribution to the manufacturer would be harsh and most likely final, as in going out of business final. I am not saying that it would be impossible, only difficult in the extreme. I imagine that this kind of scenario would be so improbable (and since we are here talking about it, not likely to slip under the radar of people who need hardened machines, ergo the NSA chip factory) as to be a huge investment of time for the would be attacker without any real chance of success.

Re:The problem with that... (1)

Rockoon (1252108) | more than 3 years ago | (#34064372)

What kind of effort would it take, on the part of the would-be bad guys, to ensure that the components in question found their way into machines that were of any consequence?

I'm not sure you understand the goals of blackhats. Even as far back as the early 80's its always been a Law of Large Numbers game.

If you can land a million infections, then there is bound to be some value found somewhere within the set of infected machines. You don't look to achieve a specific goal (such as "infect a DOD network") .. instead, you try to infect as much as possible (and if there arent any DOD machines, there still might be FBI machines, SEC machine, etc..)

...and in THIS day and age, usually you would IGNORE those machines and go for the much more massive value of stealing banking info from a million soccer moms instead of the fuck-with-a-government stuff, where the leveraging of which requires all sorts of specialties (and risk.)

Seeing Peecees at the bank (1)

lotho brandybuck (720697) | more than 3 years ago | (#34064154)

Always terrifies me at the bank.. bunch of Lenovo Peecees, running windows. But when I think about it, what could China steal from us that we haven't been just throwing at them anyways?

Why not go USB? (1)

xiox (66483) | more than 3 years ago | (#34064156)

If you're going to the trouble of messing with PCI hardware, I'm sure one of these tiny circuits [macetech.com] , which can be hidden in a USB socket, could be used to take over a machine remotely much more easily. Adding radio remote access would be pretty easy.

Tivo signed kernel bypass? (0)

Anonymous Coward | more than 3 years ago | (#34064288)

Can this method be used to bypass Tivo's hardware security?

mod Bup (-1)

Anonymous Coward | more than 3 years ago | (#34064324)

Only in America NSA has its own chip plant (1)

moxsam (917470) | more than 3 years ago | (#34064326)

to use this technique against Soviet Russia!

Think again.. (1)

sosaited (1925622) | more than 3 years ago | (#34064370)

This perhaps explains why the NSA has its own chip fabrication plant."

If you are implying that all of the hardware used at NSA, even all of their computers contain semiconductors fabricated by themselves, I would say Yeah Right

I'm protected! (0)

Anonymous Coward | more than 3 years ago | (#34064440)

My computer says "Designed in California!"

Not the whole issue here... (1)

hesaigo999ca (786966) | more than 3 years ago | (#34064468)

The issue here is not just the fact that they make their own chips, but that there hardware can not come into contact with any other hardware that might be compromised, as it could propagate and therefor compromise their network....it takes only one computer with this hardware backdoor (even a router) that ends up on the network talking with other pcs, and then wow, like a virus ends up spreading this one has access root on a machine from behind a firewall...anything is now possible.

Seen this coming. (1)

Datamonstar (845886) | more than 3 years ago | (#34064470)

I've been talking about this possibility for a long time and it has fallen largely on deaf ears. Here, now, we have a proof of concept (or at least practically a POC) for a irremovable attack vector. I've stopped using 2nd hand hardware because I saw the possibility for these sort of shenanigans. I also remember reading a forum where people were attempting to "repair" bad DIMMS by overwriting the firmware with different revisions. If that is the case, then could this method be extended to utilize a SO-DIMM of DDR3 or similar? That's a scary thought, indeed.

Sounds like a game me and my girlfriend play (1)

tys90 (1123511) | more than 3 years ago | (#34064548)

Hide the hardware in the backdoor. Unfortunately, we stopped playing because she said it was too detectable.

The "remote maintenance" risk. (1)

Animats (122034) | more than 3 years ago | (#34064604)

What's worried me for some time are the various "remote maintenance" schemes built into network controllers. See, for example, Intel's "Active Management Technology" [intel.com] . This is Intel's successor to the Intelligent Platform Management Interface. [wikipedia.org] These have a protocol stack built into the network board, with connections to other parts of the system strong enough to power the machine on and off, patch the disk, and do other drastic system changes. AMT is easier to attack from a distance than IPMI; it uses SOAP, HTTP, and TCP (on ports 16992 through 16995, which had better be blocked at your firewall), while IPMI used its own specialized protocol over UDP.

All that prevents taking over a machine with this mechanism is that the network controller is supposed to ship with no keys loaded. A "backdoor" would simply consist of pre-loading some crypto keys at the factory, or somewhere else in the supply chain. Considering the amount of hostile junk that routinely shows up on new USB sticks, that probably wouldn't be hard to accomplish.

A true "hardware level" attack for IPMI or AMT would be to ship a network controller which had keys pre-installed and enabled, but reported that remote management was disabled. There would be no way to find such a "backdoor", short of grinding open the network controller chip and reverse engineering it with a scanning electron microscope. There are special purpose systems for doing exactly that, used for reverse engineering IC designs, but this is e difficult and expensive process. [edn.com]

Resistance is futile. (1)

herojig (1625143) | more than 3 years ago | (#34064652)

Resistance is futile. It was true back then, and still true today.

hmm how about getting rid of bios (1)

sxpert (139117) | more than 3 years ago | (#34064666)

and use coreboot instead
there's no need to execute rombios to load drivers for dead OSes when the linux kernel has all required drivers.

This is not hiding in hardware (1)

darksabre (250838) | more than 3 years ago | (#34064838)

The software on the expansion ROM is just a low level driver. So the attack described is about compromised firmware, not hardware. No need for special chip fabs at NSA secret facilities or physical access to the machine. Any one using flashrom or similar can install such code in a flash expansion ROM.

remote root access (0)

Anonymous Coward | more than 3 years ago | (#34064874)

> The post describes how to install a backdoor in the expansion ROM of a PCI card, which during the boot process patches the BIOS to patch grub to patch the kernel to give the controller remote root access ..

Without physical access or remote root access how is this rootkit implanted in the first place?

Example from fiction (1)

domatic (1128127) | more than 3 years ago | (#34064908)

The second book of Donaldson's Gap Series had a subplot around such a hardware attack. Ships in this series actually had Data Officers who were in charge of shipboard I.T. The Data First of an outlaw vessel tried to extort the Captain with a logic bomb in the ship's systems that he had to periodically stave off. This was deadly because without the computers you had no way of knowing where you were among other problems. It turned out he had hidden his virus in doctored interface cards so that it would keep coming back even if you reloaded the computers from a protected store.

Thank you, IBM (0)

Anonymous Coward | more than 3 years ago | (#34064956)

Thank IBM for tossing China one of the best avenues for espionage and subterfuge: Lenovo.

And of course, we have Microsoft giving China access to Windows source code.

Whose idea was it to put Flash ROM in everything? (0)

Anonymous Coward | more than 3 years ago | (#34064998)

What the hell is wrong with good old PROM? It's not like any more than a tiny fraction of users are ever going to legitimately upgrade the firmware anyway. Making it modifiable accomplishes nothing other than adding a new place for malware to hide.

I miss the days when ROM actually meant read-only memory.

Diverse Double-Compiling counters "Trusting Trust" (5, Informative)

dwheeler (321049) | more than 3 years ago | (#34065136)

The "trusting trust" attack is a nasty attack, but there is a counter-measure. Diverse double-compiling [dwheeler.com] can detect compiler executables subverted by the "trusting trust" attack. See my paper for more, if you're curious.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>