Malicious Hardware Hacking May Be the Next Frontier

Posted by CmdrTaco
from the i-hide-it-in-my-pocket dept.
An anonymous reader writes "It's a given that hackers will target software, and that's enough for many people to worry about. But now there's the possibility that hackers would hide malicious code in the hardware itself. A hardware hack could be an annoyance, by stopping a mobile phone from functioning. Or it could be more dangerous, if it damages the way a critical system operates. Villasenor says there are several types of attacks. Broadly they would fall into two categories: one is when a block stops a chip from functioning, while the other involves shipping data out."
This discussion has been archived. No new comments can be posted.

  • lolwut? (Score:2, Insightful)

    by Pojut (1027544)

    From the title of the summary:

    Hardware Hackers May the Next Frontier

    May what....MAY WHAT?!?!?!??!?!?!?!??!?! Seriously...what's with the editors around here?

  • Uhm? (Score:1, Insightful)

    Nice headline.
  • by betterunixthanunix (980855) on Wednesday August 04, 2010 @10:19AM (#33137474)
    "A hardware hack could do [bad thing] or even [really bad thing]!" What about, "A hardware hack could free users from restriction systems?" or perhaps "A hardware hack could allow a mechanic to work on a transmission that was locked down by the manufacturer?"
    • Re: (Score:2, Interesting)

      by cygnwolf (601176)
      I have to agree. While I concede the point that someone can make malicious hardware, it seems like it would be -a lot- harder to infect someone's system with it than it would be to infect them with malicious code. Based on the headline, I would have thought this was an article about the people who call themselves hardware hackers who are trying to make hardware BETTER. Garage engineers, that sort. Unfortunately, these days, the word 'Hacker' carries a very negative connotation and it seems like, from this
      • 'Hacker' carries a very negative connotation and it seems like, from this article, that some people are trying to perpetuate it.

        "Some people?" More all, "almost everyone except hackers themselves." In a way, you can divide the population in four groups: hackers, non-hackers who respect hackers (a tiny minority), people who are annoyed by hackers and want to discredit them, and people who never knew what hacking was about and believed the mainstream media's attacks and propaganda about hackers. Even movies that have hackers as the protagonists seem to portray hackers as people who do nothing but break through security systems.

        • by cygnwolf (601176)
          You're right and I guess the point my scattered brain was trying to make (and did a poor job of it) was that the people who insist on calling themselves "hardware hackers" who are really "hardware tinkers" are causing a lot of confusion here. See the Apple charger hack article from yesterday.
          • > the people who insist on calling themselves "hardware hackers" who are
            > really "hardware tinkers" are causing a lot of confusion here

            Words can have more than one meaning, different meanings in different contexts, and language constantly evolves. Live with it. It's stupid for old-timers to gripe that "hacker" has taken on a new negative meaning, but it is equally stupid to complain that the old meaning is confusing.

            BTW, words also have connotations, and the connotation of "tinkerer" is very different

      • If you take a virgin mobo with virgin BIOS, and install Windows to the harddrive, and boot Windows, do you know if your BIOS has not been hacked? If the BIOS has been hacked, I would call that 'hacked hardware' at that point.
    • Re: (Score:1, Offtopic)

      by Yvanhoe (564877)
      Now THAT's scary !
    • Re: (Score:1, Offtopic)

      by elrous0 (869638) *
      Dogs and cats living together, MASS HYSTERIA!
    • by Alsee (515537)

      Don't forget.... CARS are made out of parts too!

      Someone could manufacture nuts or bolts that melt in the rain!
      OHMYGOD! Cars are as dangerous as electronics!

      -

  • CPLD? (Score:2, Interesting)

    IANAEE, but isn't this already a potential problem with CPLDs? Or would you consider that a software/firmware hack?
    • Re:CPLD? (Score:5, Interesting)

      by betterunixthanunix (980855) on Wednesday August 04, 2010 @10:25AM (#33137586)
      People have been hacking hardware for a really long time, longer than they have been hacking software. My security engineering textbook lists a number of hardware hacks that were used for espionage, particularly side channel attacks and other signals intelligence. Creating hardware trojan horses is an old trick; you might even say it dates back as far as the Trojan war.
      • Love your comment man :) Actually I think the article is one of those "let's come up with another fear and tell everybody this is really scary, maybe some idiot will believe" :)
    • TFA isn't really about hacking at least in the sense of it being remotely done or altering the device to do something different. All it is about is the danger of outsourcing to companies far and wide and the potential of not truly knowing what is received and sold to the public at large (which means it was designed exactly for what it does which may or may not be in the interests of the future owner).

  • by The MAZZTer (911996) on Wednesday August 04, 2010 @10:20AM (#33137500)
    ...this reminds me of the whole "Hackers can make your computer explode!" scare that went around in the early PC era...
    • by Abstrackt (609015)
      Yeah... the movie wasn't that bad.
  • by noidentity (188756) on Wednesday August 04, 2010 @10:21AM (#33137520)
    Someone hacked the article title, it seems. That's a bigger threat right there.
  • Ahem... (Score:4, Funny)

    by Anonymous Coward on Wednesday August 04, 2010 @10:23AM (#33137546)

    May. The Next Frontier. These are the failures of the Slashdot Editors. Their ongoing mission: To explore strange new URLs, to seek out new memes and new trending topics. To boldly fail where no man has failed before!

    • by Alsee (515537)

      Back when I was a kid, Kirk was dating green women and Goatse was the frontier of strange URLs.

      -

  • James May? (Score:1, Funny)

    by Anonymous Coward
    May [topgear.com] has modified cars as part of the show, but does that qualify as "hardware hacking"? Even then, so have Clarkson and Hammond.
  • Uhhh... (Score:5, Insightful)

    by The MAZZTer (911996) on Wednesday August 04, 2010 @10:26AM (#33137594)

    Most of the defenses involve adding a kind of "policing" function to the chip's architecture. For example, one could design a block that would monitor the behavior of other blocks and make sure they fit certain patterns. If another block misbehaves, it would be "quarantined" and the monitoring hardware would take over the now-missing functions.

    Yeah, THAT sounds practical. The article author watches/reads too much science fiction.

    • It could be as simple as checking power consumption against the design of the hardware, and falling back on slower but logically equivalent hardware if something is wrong. When you can fit a billion transistors on a single microchip, that is not really asking too much.
      • Re: (Score:3, Insightful)

        by The MAZZTer (911996)
        My problem with the paragraph is, if they can make a block of hardware that can take over the functionality of another block, why outsource the block in the first place since they already have a block that can do those functions? Answer: they can't make a block of hardware like that, that's why they had to outsource it. Also, they have to make it in house. If they outsource it they can no longer trust it either!
        • Re: (Score:3, Insightful)

          by Pharmboy (216950)

          Or more importantly, whoever is adding the exploit to begin with obviously knows about the redundancy in hardware, which would be bypassed, in the same hardware if you are exploiting. It would add a false sense of security. This is like having TWO latches on your screen door.

          I like open source software just fine, but not preachy about it. However, when we are talking about critical infrastructure, this is a good argument for having the systems much, much more open and in plain view of many, many more eye

          • It is not too hard to create a block that is very difficult to route around, considering that the routing problem is NP-hard. It is one thing to tamper with a single block and hide something malicious in it, especially a large and complex block; it is something else entirely to try to rearrange in the interconnect between blocks without affecting the ability of the device to function. Your adversary in this case does not want to be obvious, and so they cannot ship devices that are less reliable as a resul
        • Re: (Score:3, Informative)

          There is a good bit of research on this topic, actually. I think the idea with the "block that takes over functionality" is that it is perhaps simple enough (and thus lower performance) that inserting malicious functions into it would be difficult to do without being detected. So, for example, you might have a very high performance DSP block that can do a 1024 point FFT in a few clock cycles, but that is going to be a lot of logic and leaves a lot of places for a malicious manufacturer to hide something;
          • Re: (Score:3, Insightful)

            by timholman (71886)

            It is not just about outsourcing; a chip fab in this country might have a worker who is on the payroll of the Chinese government, and who tampers with a chip layout just prior to manufacturing. It is pretty expensive to run a secure chip fab, and even if all chip fabs were domestic, you would still have a number of important computers (think of utilities, critical services, etc.) being manufactured at facilities where the employees might be engaging in sabotage of this sort.

            The problem with subverting a sin

        • Re: (Score:3, Interesting)

          Although it's not the solution mentioned in the article, one possibility is to have two competing outsourcers produce the same block, then add comparison logic that verifies that each block is doing the same thing.

          Of course, this more than doubles the chip area. Also, the checking logic could be very difficult or practically impossible depending on the complexity of the block.
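
The two-supplier comparison described in the comment above, sketched as an added example (it is not part of the original thread or of any real design). The 8-bit adder, the two "vendor" functions and the single deviating operand pair are all constructed for illustration; the point is that a fixed acceptance test can pass both blocks while a lockstep comparator still flags the one input on which they disagree.

```python
# Added illustration: lockstep comparison of two independently sourced blocks.
# Both "vendors" and the deviation in vendor B are constructed for this example.

MASK = 0xFF

def block_vendor_a(a, b):
    """8-bit adder modelled as a ripple-carry chain; returns (sum, carry_out)."""
    carry, total = 0, 0
    for i in range(8):
        x, y = (a >> i) & 1, (b >> i) & 1
        total |= (x ^ y ^ carry) << i
        carry = (x & y) | (carry & (x ^ y))
    return total, carry

# Constructed operand pair on which vendor B's block deviates from the spec.
_DEVIATION_INPUT = (0xA5, 0x3C)

def block_vendor_b(a, b):
    """Same specification, different implementation, one constructed deviation."""
    full = (a & MASK) + (b & MASK)
    total, carry = full & MASK, full >> 8
    if (a, b) == _DEVIATION_INPUT:
        total ^= 0x01  # a single wrong output bit
    return total, carry

class LockstepChecker:
    """Feeds every input to both blocks and records any disagreement."""

    def __init__(self, primary, shadow):
        self.primary, self.shadow = primary, shadow
        self.mismatches = []

    def run(self, a, b):
        out_p, out_s = self.primary(a, b), self.shadow(a, b)
        if out_p != out_s:
            # The checker knows the blocks disagree, not which one is wrong,
            # so it fails closed instead of picking a result.
            self.mismatches.append((a, b, out_p, out_s))
            return None
        return out_p

def acceptance_vectors():
    """A typical directed test set: corner values plus walking ones."""
    values = [0x00, 0x01, 0x7F, 0x80, 0xFF] + [1 << i for i in range(8)]
    return [(a, b) for a in values for b in values]

def acceptance_test_passes(block):
    """True if the block matches the arithmetic spec on every acceptance vector."""
    return all(block(a, b) == ((a + b) & MASK, (a + b) >> 8)
               for a, b in acceptance_vectors())

def exhaustive_mismatches():
    """Run the comparator over all 65,536 operand pairs."""
    checker = LockstepChecker(block_vendor_a, block_vendor_b)
    for a in range(256):
        for b in range(256):
            checker.run(a, b)
    return checker.mismatches

if __name__ == "__main__":
    print("vendor A passes acceptance:", acceptance_test_passes(block_vendor_a))
    print("vendor B passes acceptance:", acceptance_test_passes(block_vendor_b))
    for a, b, out_a, out_b in exhaustive_mismatches():
        print(f"lockstep mismatch on ({a:#04x}, {b:#04x}): A={out_a} B={out_b}")
```

Exhaustive comparison is only feasible here because the block has 16 input bits; for a block with wide inputs or internal state the comparator has to run continuously in the field, which is where the area cost mentioned in the comment comes from.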

    • by selven (1556643)

      The whole "quis custodiet ipsos custodes" [wikipedia.org] thing applies to that solution big time.

  • Article about it (Score:3, Informative)

    by Black Parrot (19622) on Wednesday August 04, 2010 @10:27AM (#33137600)

    in the latest Scientific American, by the same guy.

  • Hackors (Score:4, Funny)

    by kaoshin (110328) on Wednesday August 04, 2010 @10:28AM (#33137612)
    I think it is possible that could hide malicious code in the. It could even potentially words from sentences. In Soviet Russia you.
  • ...with Taco's keyboard.
  • I wouldn't be too surprised if various intelligence services already did this. A service that puts moles in deep cover for decades would certainly be patient enough to put code in silicon and wait years for the right moment to execute it.

    • Neither would I, considering that intelligence agencies have done this sort of thing in the past. There was a pipeline in Russia that (supposedly) exploded because a microchip design that Russian spies had copied from the USA had a malicious block. The Israeli air force seemed to mysteriously not be fired upon from enemy computerized antiaircraft installations, although there was never any official confirmation.

      Hardware hacking is not new, and neither is malicious hardware hacking.
  • I really wish Slashdot headlines would stop using "Hacker" in the sense of "computer-oriented criminal." I clicked on this thinking it would be an interesting story about new hardware developments. It's just another boring story about what might be a problem for law enforcement. Who cares?

    • by gstoddart (321705)

      I really wish Slashdot headlines would stop using "Hacker" in the sense of "computer-oriented criminal."

      You know, I'm pretty sure we've lost that battle -- both within and outside of the geek community.

      In my 25+ years of computers, it has primarily referred to people who muck about with systems, with a strong connotation of people who are getting into things they shouldn't just because they can (but not always).

      It's only a specific generation who tried to get everybody else to use a different word after we

    • by Culture20 (968837)
      Give it up. The word is a pejorative now. The public has spoken. The Flintstones can't "have a gay old time" anymore without kids snickering at the lyrics. Words change over time. Hacker now means what cracker used to mean. Hardware hobbyist now means what hacker used to mean.
      • I just expect more from Slashdot; I expect Slashdot editors not to give in to "the public" you speak of. I'm getting pretty tired of Slashdot, so I'll just take my reading elsewhere.

        • by Culture20 (968837)
          So you can learn a new programming language every year, and learn about new hardware every month, but you can't learn how to use a new definition to an old word two or three times in a lifetime? Quetzalcoatl. (that's my new pejorative. I doubt any Aztecs will object)
    • by pclminion (145572)

      Isn't it possible to be both a hacker and a "computer oriented criminal" at the same time? I know it's distasteful, but the traditional definition of "hacker" doesn't make any reference to moral values. It's about having an affinity for the technology, an inquisitive nature, a willingness to press the edges of, or even break through, perceived boundaries of what is possible. I'd posit that anybody who is capable of altering the behavior of hardware through physical means is probably a hacker, regardless of

  • ... and so can you !

    (Stephen Colbert's next book ?)

  • All it takes is the ability to do a flash of a motherboard with a ROM that does everything, except adds a keylogger, and a driver that checks for Windows, and reinstalls the botnet client.

    Exact same mechanism that LoJack for Laptops uses to reinstall itself. Except done by the blackhats instead of the whitehats. With more and more machines having motherboards with independent network stacks, it would be trivial to enable two-way NAT and have botnet clients that are easily communicated with this way.

    Only r

    • Unless, of course, you can compromise the TPM too. The issue is that hardware can be compromised; the solution is to either design hardware that is difficult to compromise without creating faulty operation, or to have a secure manufacturing chain where everyone needs a minimum level of clearance to even enter the facilities.
      • by mlts (1038732) *

        Maybe this is a job for NIST, where they either make a chip fab, or have a contractor under strict guidelines do this exact type of thing.

        What I'd like to see is a chip with TPM-like functionality on it, but on a SIM card. This way, people concerned about DRM stacks don't have to worry because there is just a tray for the chip, while people who want additional assurance of their data can just buy a card, slide the card in and go from there. Perhaps stick a little bit of flash on it for encrypted storage s

        • by CaptnMArk (9003)

          The problem with DRM/TPM/... today is that the 'vendors' like Apple and Microsoft are taking the control of the machine away from the owner. This means that a lot of advanced users will be on the 'must break DRM' side of the debate instead of 'DRM increases security'.

          • by lgw (121541)

            Actually, the big problem is that people confuse TPM with DPM. TPM lets someone control the hardware. If you have the keys, that someone is you, no hacking necessary. If you don't have the keys, then presumably you bought a console or a toaster or an iSomething, where you knew what the deal was. Vendors can only take control to the extent you buy their crap.

            The big problem with TPM is that it's not an open standard. Something very TPM-like (but an ISO standard) would allow some simple open source anti-m

  • Most of the defenses involve adding a kind of "policing" function to the chip's architecture. For example, one could design a block that would monitor the behavior of other blocks and make sure they fit certain patterns. If another block misbehaves, it would be "quarantined" and the monitoring hardware would take over the now-missing functions.

    it's about time this kind of thing makes it to peecees. mainframes have this built-in for eons now. of course, they use this for reliability, but having mainframe class reliability on desktop machines wouldn't be bad, for a few extra bucks

  • Seriously? /. editors can't tell the difference between Hardware and Firmware??
    • by gstoddart (321705)

      Seriously? /. editors can't tell the difference between Hardware and Firmware??

      Can you??

      TFA is talking about someone embedding extra functionality at the chip-level which can later be accessed to achieve some desired result. It is not talking about injecting an update into the firmware of a running system. He's literally talking about hiding something at the circuit board level so by the time the chips are manufactured, they already have the embedded functionality.

      So, before you start complaining about th

      • TFS literally refers to "hiding malicious code in the hardware", and it was the summary I referred to.
        • by gstoddart (321705)

          TFS literally refers to "hiding malicious code in the hardware", and it was the summary I referred to.

          I see what you're saying, but my understanding of something at the chip-level is that while it still may be 'code', it's immutable because it's printed on/embedded in the chip (whatever the correct term is) and implements the logic, but it can't be changed.

          Firmware is static, but can be modified. It's not clear to me that what is being described is firmware, but true, fixed, unchanging hardware. It just h

  • This story is so good...
    ...that 90% of the discussion is about the typo.
    Nice QA as usual.
  • Seems like we almost need to add an "again" to the end of the title. Full circle, it has come.
  • by timholman (71886) on Wednesday August 04, 2010 @11:07AM (#33138116)

    Disclaimer: I've been involved in some research in verification of ASICs to uncover trojan hardware. Frankly, I think the threat of hardware hacks tends to be overblown.

    The problem with planting Trojan circuits in hardware is that they're traceable. Given a compromised chip, you can locate the manufacturer and the fab it came from, and work backwards to the people who had access to the layout. It would be a financial and P.R. disaster for any third party vendor that allowed such a thing to happen. Who would ever trust them again with a design? These companies want to make money, and allowing government or criminal organizations to compromise the manufacturing process is too big a risk.

    On top of that, using a hardware hack is equivalent to firing a shotgun into a swarm of gnats. How can you know that a hacked chip is going to make it into a box that just might happen to be used by a competitor you care about? It's an insane risk with a ridiculously small hope of payoff.

    The way to compromise systems is the way that has worked extremely well so far - via software. You can target the attack, you can cover your tracks, and you have plausible deniability if you're caught. If you bribe someone inside the organization, you can place the software you want right on the machines you care about. And as long as organizations keep using Windows, you'll never run out of attack vectors.

    • Re: (Score:3, Insightful)

      by QX-Mat (460729)

      A good point, except when small businesses try to extract the best value for money in an expensive IT purchase, counterfeit products can be very tempting - whether you know you're buying fake goods or not is irrelevant when the price is cheap. Cheap counterfeits are [arguably] not traceable enough. Check out the Reg article on a recent Cisco raid [theregister.co.uk]

      I remember reading another article on the Chinese fakes, where it was said that the only outward difference was the type of screw used. Scary to think that a spec

    • by Alsee (515537)

      firing a shotgun into a swarm of gnats

      Well ya gotta have something to do for entertainment after sex with the family gets boring and everyone runs out of "you might be a redneck" jokes.

      -

    • OK, so how about the recent articles about Dell servers with infected hardware (I think it was in the monitoring firmware?). Is it Dell's fault, the company that did their refurbs/repairs, or what?

      How about all the times when a device with USB-storage came preloaded with malware. Or how about the Intel CPUs that were actually big chunks of useless metal.

      So a third-party steals a chip/board design, makes a clone, and then sneaks it in somewhere along the line. It doesn't have to be at the manufacturer, they

  • Villasenor says there are several types of attacks. Broadly they would fall into two categories: one is when a block stops a chip from functioning, while the other involves shipping data out.

    There are lots of other possibilities. Some examples:

    • Silently change data to something else
    • Enable unauthorized access
    • " * Enable unauthorized access"

      And how exactly are you going to do that in microcode or even hardwired circuits? It's the same BS as when he talks about "shipping data out". Yeah, sure you could do it, if you took up half the chip die with "secret" ROM code that ran its own networking stack, hardware drivers etc etc. If you're thinking about modifying the BIOS that's not hardware hacking, that's software.

      • by Smallpond (221300)

        Maybe you lack imagination.

        Let's suppose I'm Cisco making a new large enterprise switch. I outsource the design of, I don't know, let's say a large Content Addressable Memory used for IPv6 router tables, to Malco, a Chinese design firm that made a very low bid.

        I plop the design in there and run the test suite -- all is perfect so I put the switch into production. Unfortunately, a Russian gang paid Malco to include a circuit that reroutes access to your IP address to their site so they can do MITM attacks

        • by Viol8 (599362)

          "Maybe you lack imagination."

          I'm thinking you lack a clue.

          "reroutes access to your IP address to their site so they can do MITM attacks and access all of your data"

          And how does it decide when to re-route? Or does it for every single network connection you try to make? Yeah, that'll go unnoticed for, oh, 30 seconds, when nothing works properly. And how do they decode encryption? Include another 100 gates for that? Please.

  • A hardware hack could be an annoyance, by stopping a mobile phone from functioning. Or it could be more dangerous, if it damages the way a critical system operates.

    They wanted their BIOS-corrupting viruses back [wikipedia.org]

    BTW, I remember an urban legend circulating that there was a virus that changed some low-level instructions in 3.5 floppy drives making them keep reading discs... which made the drives get on fire. Anyone has got more info on that?

  • by erroneus (253617) on Wednesday August 04, 2010 @11:22AM (#33138290)

    Let's get this "Microsoft is the most used and therefore the most targeted" bit out of the way. Yes, being ubiquitous is a factor, but not in the internet server arena because Microsoft Windows is not the leader in that market -- Linux is. So at least two factors make a hacking target worthwhile on a large scale:

    1. Ubiquity
    2. Vulnerability (ease of hacking)

    One of the reasons Linux isn't an internet target is that there are so many of them and they are nearly all different. There are many distributions, many versions of many distributions, many custom applications on many versions of many distributions... all with different components installed and configured in different ways. (With Windows, things are all pretty much done the same way.)

    But why am I talking about this? Seems off-topic yes? Well I wanted to establish some background before going into the hardware situation.

    With regards to hardware, we have little in the way of ubiquity. Yes, an increasing number of devices are actually running Linux in the firmware. That makes Linux increasingly ubiquitous in hardware. We have seen exploits associated with HP printers in the past where SNMP was exploited even when it is "disabled." This is an issue because HP printers in the office are quite ubiquitous. We have also seen the news story about certain Dell server system boards that were compromised out of the box. Dell is quite common in the office and the data center as well.

    But on the whole, the hardware market is still widely varied. We should all be concerned as additional commoditization of hardware components makes hardware devices less differentiated. This makes predicting the hardware targets all the more possible. (Although "guessing" the hardware is less of a concern where external exploits will still largely be a software issue and once entry is gained, listing the hardware components would be trivial... processing that list to select from a list of exploit packages would then be trivial as well.)

    All of this says "yes, hardware is vulnerable, but never as vulnerable as the software running on it." Keep the software doors tight and you have less to worry about with hardware.

  • Since nobody seems to have mentioned it yet: Reflections on trusting trust. [uwaterloo.ca]
    Note that he already mentions planting exploits into microcode, which is already quite close to the hardware. Do you know for sure there's no exploit planted in the microcode of your CPU? Maybe someone manipulated the compiler for the microcode? The compiler on which the compiler for the microcode was compiled?

    But even with the actual hardware, that's possible: Just as you can place an exploit in the C compiler, you can also place an

  • "American planes will always be superior as long as there are wonderful young men like you in the cockpit.....and German^H^H^H^H^H^H Chinese parts."
    • by Shadyman (939863)
      Obligatory Armageddon quote:

      Lev Andropov: It's stuck, yes?
      Watts: Back off! You don't know the components!
      Lev Andropov: [annoyed] Components. American components, Russian Components, ALL MADE IN TAIWAN!
  • A couple of years ago there was a news story about how Chip and Pin devices had been hacked in the factory to send information overseas:

    http://www.telegraph.co.uk/news/uknews/law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html [telegraph.co.uk]

    This definitely falls into Villasenor's "shipping data out" category.

    There was also a story recently of someone convicted of modifying these devices.

  • If it's built in at the hardware level by some jerk, isn't that more of a backdoor?

  • The answer is simple: Don't buy mission critical components from China.
