Hardware backdoor

A hardware backdoor is a backdoor implemented within the physical components of a computer system, also known as its hardware. They can be created by introducing malicious code to a component's firmware, or even during the manufacturing process of an integrated circuit, known as a hardware trojan.[1][2] Often, they are used to undermine security in smartcards and cryptoprocessors, unless investment is made in anti-backdoor design methods.[3] They have also been considered for car hacking.[4]

Background

The existence of hardware backdoors poses significant security risks for several reasons. They are difficult to detect and are impossible to remove using conventional methods like antivirus software. They can also bypass other security measures, such as disk encryption. Hardware trojans can be introduced during manufacturing where the end-user lacks control over the production chain.[1]

History

In 2008, the FBI reported the discovery of approximately 3,500 counterfeit Cisco network components in the United States, some of which were introduced in military and government infrastructure.[5]

A few years later, in 2011, Jonathan Brossard presented "Rakshasa", a proof-of-concept hardware backdoor. This backdoor could be installed by an individual with physical access to the hardware. It utilized coreboot to re-flash the BIOS with a SeaBIOS and iPXE-based bootkit composed of legitimate, open-source tools, allowing malware to be fetched from the internet during the boot process.[1]

The following year, in 2012, Sergei Skorobogatov and Christopher Woods from the University of Cambridge Computer Laboratory reported the discovery of a backdoor in a military-grade FPGA device, which could be exploited to access and modify sensitive information.[6][7][8] It has been said that this was proven to be a software problem and not a deliberate attempt at sabotage.
This still drew attention to the need for equipment manufacturers to ensure that microchips operate as intended.[9][10]

Later that year, two mobile phones developed by the Chinese company ZTE were found to carry a root access backdoor. According to security researcher Dmitri Alperovitch, the exploit used a hard-coded password in its software.[11]

Starting in 2012, the United States stated that Huawei might have backdoors present in their products.[12]

In 2013, researchers at the University of Massachusetts devised a method of breaking a CPU's internal cryptographic mechanisms by introducing specific impurities into the crystalline structure of transistors to change Intel's random-number generator.[13]

Documents revealed from 2013 onwards during the surveillance disclosures initiated by Edward Snowden showed that the Tailored Access Operations (TAO) unit and other NSA employees intercepted servers, routers, and other network gear being shipped to organizations targeted for surveillance to install covert implant firmware onto them before delivery.[14][15] These tools include custom BIOS exploits that survive the reinstallation of operating systems and USB cables with spy hardware and a radio transceiver packed inside.[16]

In June 2016 it was reported that the University of Michigan Department of Electrical Engineering and Computer Science had built a hardware backdoor that leveraged "analog circuits to create a hardware attack" so that once the capacitors had stored enough electricity to be fully charged, the backdoor would switch on, giving an attacker complete access to whatever system or device, such as a PC, contains the backdoored chip.
In the study, which won the "best paper" award at the IEEE Symposium on Privacy and Security, they also note that a microscopic hardware backdoor would not be caught by practically any modern method of hardware security analysis, and could be planted by a single employee of a chip factory.[17][18]

In September 2016 Skorobogatov showed how he had removed a NAND chip from an iPhone 5C (the main memory storage system used on many Apple devices) and cloned it so that he could try out more incorrect combinations than allowed by the attempt-counter.[19]

In October 2018 Bloomberg reported that an attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America's technology supply chain.[20]

Countermeasures

Skorobogatov has developed a technique capable of detecting malicious insertions into chips.[10]

New York University Tandon School of Engineering researchers have developed a way to corroborate a chip's operation using verifiable computing, whereby "manufactured for sale" chips contain an embedded verification module that proves the chip's calculations are correct, and an associated external module validates the embedded verification module.[9]

Another technique, developed by researchers at University College London (UCL), relies on distributing trust between multiple identical chips from disjoint supply chains. Assuming that at least one of those chips remains honest, the security of the device is preserved.[21]

Researchers at the University of Southern California Ming Hsieh Department of Electrical and Computer Engineering and the Photonic Science Division at the Paul Scherrer Institute have developed a new technique called Ptychographic X-ray laminography.[22] This technique is the only current method that allows for verification of a chip's blueprint and design without destroying or cutting the chip. It also does so in significantly less time than other current methods. Anthony F. J. Levi, professor of electrical and computer engineering at the University of Southern California, explains: “It’s the only approach to non-destructive reverse engineering of electronic chips—[and] not just reverse engineering but assurance that chips are manufactured according to design. You can identify the foundry, aspects of the design, who did the design. It’s like a fingerprint.”[22]

This method is currently able to scan chips in 3D and zoom in on sections, and can accommodate chips up to 12 millimeters by 12 millimeters, easily accommodating an Apple A12 chip, but is not yet able to scan a full Nvidia Volta GPU.[22] "Future versions of the laminography technique could reach a resolution of just 2 nanometers or reduce the time for a low-resolution inspection of that 300-by-300-micrometer segment to less than an hour, the researchers say."[22]
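
The distributed-trust countermeasure described above (several chips from disjoint supply chains, secure as long as one stays honest) can be illustrated with an n-of-n split of a decryption key. This is an added example, not the UCL researchers' protocol or code: it assumes textbook ElGamal over a constructed demonstration group, simulated `Chip` objects, and a backdoor that does nothing except leak the chip's key share.

```python
import secrets

# Constructed demonstration group: integers modulo the prime 2**255 - 19.
# Chosen for brevity here; not a vetted production parameter set.
P = 2**255 - 19
G = 2

class Chip:
    """Simulated crypto chip that generates and holds one private-key share."""
    def __init__(self, backdoored=False):
        self.backdoored = backdoored
        self._x = secrets.randbelow(P - 2) + 1   # share never leaves an honest chip
        self.public = pow(G, self._x, P)

    def leak(self):
        # Modelled backdoor: the chip hands its share to the attacker.
        return self._x if self.backdoored else None

    def partial_decrypt(self, c1):
        return pow(c1, self._x, P)

def joint_public_key(chips):
    # Product of the per-chip public keys = G ** (sum of all shares).
    y = 1
    for chip in chips:
        y = y * chip.public % P
    return y

def encrypt(y, m):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), m * pow(y, r, P) % P

def decrypt(chips, ct):
    # Every chip contributes; the full private key is never assembled.
    c1, c2 = ct
    mask = 1
    for chip in chips:
        mask = mask * chip.partial_decrypt(c1) % P
    return c2 * pow(mask, -1, P) % P

def attacker_decrypt(chips, ct):
    # The attacker only has the shares leaked by backdoored chips.
    c1, c2 = ct
    x = sum(s for s in (c.leak() for c in chips) if s is not None)
    return c2 * pow(pow(c1, x, P), -1, P) % P
```

With two of three chips leaking their shares, `attacker_decrypt` still returns garbage; only when every chip is backdoored does the attacker recover the message.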