
Hardware backdoor: Difference between revisions

From Wikipedia, the free encyclopedia
Snarkyalyx (talk | contribs)
m typo
 
(43 intermediate revisions by 29 users not shown)
{{Short description|Hardware or firmware of computer chips}}
'''Hardware backdoors''' are [[Backdoor (computing)|backdoors]] in [[Computer hardware|hardware]], such as code inside hardware or [[firmware]] of computer chips.<ref name=ExtremeTech1>{{cite web|title=Rakshasa: The hardware backdoor that China could embed in every computer - ExtremeTech|url=https://www.extremetech.com/computing/133773-rakshasa-the-hardware-backdoor-that-china-could-embed-in-every-computer|publisher=ExtremeTech|accessdate=22 January 2017|date=1 August 2012}}</ref> The backdoors may be directly implemented as [[hardware Trojan]]s in the [[integrated circuit]].


Hardware backdoors are intended to undermine security in [[smartcard]]s and other [[cryptoprocessor]]s unless investment is made in anti-backdoor design methods.<ref>{{Citation| last1 = Waksman | first1 = Adam | title = Tamper Evident Microprocessors | volume = | pages = | periodical = Proceedings of the IEEE Symposium on Security and Privacy | location = Oakland, California | url = http://www.cs.columbia.edu/~waksman/PDFs/Oakland_2010.pdf | year = 2010 | issn = | doi = | isbn = }}</ref> They have also been considered for [[car hacking]].<ref>{{cite book|last1=Smith|first1=Craig|title=The Car Hacker's Handbook: A Guide for the Penetration Tester|publisher=No Starch Press|isbn=9781593277031|url=https://books.google.com/books?id=Ao_QCwAAQBAJ&pg=PA95|accessdate=22 January 2017|language=en}}</ref>
A '''hardware backdoor''' is a [[Backdoor (computing)|backdoor]] implemented within the physical components of a [[Computer|computer system]], also known as its [[Computer hardware|hardware]]. It can be created by introducing malicious code into a component's [[firmware]], or even during the manufacturing process of an [[integrated circuit]], in which case it is known as a [[Hardware Trojan|hardware trojan]].<ref name=ExtremeTech1>{{cite web|title=Rakshasa: The hardware backdoor that China could embed in every computer - ExtremeTech|url=https://www.extremetech.com/computing/133773-rakshasa-the-hardware-backdoor-that-china-could-embed-in-every-computer|publisher=ExtremeTech|access-date=22 January 2017|date=1 August 2012}}</ref><ref>{{Cite web |date=2018-03-26 |title=Adding Backdoors at the Chip Level |url=https://www.schneier.com/blog/archives/2018/03/adding_backdoor.html |access-date=2024-12-23 |website=Schneier on Security |language=en-US}}</ref> Often, they are used to undermine security in [[smartcard]]s and [[cryptoprocessor]]s, unless investment is made in anti-backdoor design methods.<ref>{{Citation | last1 = Waksman | first1 = Adam | title = Tamper Evident Microprocessors | periodical = Proceedings of the IEEE Symposium on Security and Privacy | location = Oakland, California | url = https://www.cs.columbia.edu/~waksman/PDFs/Oakland_2010.pdf | year = 2010 | access-date = 2019-08-27 | archive-url = https://web.archive.org/web/20130921055451/https://www.cs.columbia.edu/~waksman/PDFs/Oakland_2010.pdf | archive-date = 2013-09-21 | url-status = dead }}</ref> They have also been considered for [[car hacking]].<ref>{{cite book|last1=Smith|first1=Craig|title=The Car Hacker's Handbook: A Guide for the Penetration Tester|publisher=No Starch Press|isbn=9781593277031|url=https://books.google.com/books?id=Ao_QCwAAQBAJ&pg=PA95|access-date=22 January 2017|language=en|date=2016-03-24}}</ref>


==Severity==
== Background ==
The existence of hardware backdoors poses significant security risks for several reasons. They are difficult to detect and are impossible to remove using conventional methods like [[antivirus software]]. They can also bypass other security measures, such as [[disk encryption]]. Hardware trojans can be introduced during manufacturing where the end-user lacks control over the production chain.<ref name="ExtremeTech1" />
Hardware backdoors are considered highly problematic because:<ref name=ExtremeTech1/>
# They can’t be removed by conventional means such as [[antivirus software]]
# They can circumvent other types of security such as [[disk encryption]]
# They can be injected at manufacturing time where the user has no degree of control


==Examples==
== History ==
In 2008, the [[FBI]] reported the discovery of approximately 3,500 counterfeit [[Cisco]] network components in the United States, some of which were introduced in military and government infrastructure.<ref>{{cite book|last1= Wagner|first1=David|title=Advances in Cryptology - CRYPTO 2008: 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2008, Proceedings|publisher=Springer Science & Business Media|isbn=9783540851738|url= https://books.google.com/books?id=RiJ2qE8svEoC&pg=PA222|access-date= 22 January 2017|language=en|date=2008-07-30}}</ref>
<!--Pls order by time revealed/showcased-->
* Around 2008, the [[FBI]] reported that 3,500 counterfeit Cisco network components were discovered in the US with some of them having found their way into military and government facilities.<ref>{{cite book|last1=Wagner|first1=David|title=Advances in Cryptology - CRYPTO 2008: 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2008, Proceedings|publisher=Springer Science & Business Media|isbn=9783540851738|url=https://books.google.com/books?id=RiJ2qE8svEoC&pg=PA222|accessdate=22 January 2017|language=en}}</ref>
* In 2011 Jonathan Brossard demonstrated a proof-of-concept hardware backdoor called "Rakshasa" which can be installed by anyone with physical access to hardware. It uses [[coreboot]] to re-flash the [[BIOS]] with a [[SeaBIOS]] and [[iPXE]] benign bootkit built of legitimate, open-source tools and can fetch malware over the web at boot time.<ref name=ExtremeTech1/>
* In 2012 Sergei Skorobogatov, from the University of Cambridge computer laboratory and Woods controversially stated that they found a backdoor in a military grade FPGA device which could be exploited to access/modify sensitive information.<ref>{{cite book|last1=Mishra|first1=Prabhat|last2=Bhunia|first2=Swarup|last3=Tehranipoor|first3=Mark|title=Hardware IP Security and Trust|publisher=Springer|isbn=9783319490250|url=https://books.google.com/books?id=vd3TDQAAQBAJ&pg=PA227|accessdate=22 January 2017|language=en}}</ref><ref>{{cite web|title=Hardware-Hack: Backdoor in China-Chips entdeckt?|url=http://www.chip.de/news/Hardware-Hack-Backdoor-in-China-Chips-entdeckt_56047005.html|publisher=CHIP Online|accessdate=22 January 2017|language=de}}</ref><ref>{{cite web|title=Hackers Could Access US Weapons Systems Through Chip|url=https://www.cnbc.com/id/47700647|publisher=CNBC|accessdate=22 January 2017|date=8 June 2012}}</ref> It has been said that this was proven to be a software problem and not a deliberate attempt at sabotage that still brought to light the need for equipment manufacturers to ensure microchips operate as intended.<ref name="techrepublic1">{{cite web|title=Self-checking chips could eliminate hardware security issues - TechRepublic|url=http://www.techrepublic.com/article/self-checking-chips-could-eliminate-hardware-security-issues/|publisher=Tech Republic|accessdate=22 January 2017|language=en}}</ref><ref name="businessinsider1"/>
* In 2012 two mobile phones developed by Chinese device manufacturer ZTE have been found to carry a backdoor to instantly gain root access via a password that has been hard-coded into the software. This was confirmed by security researcher [[Dmitri Alperovitch]].<ref>{{cite web|last1=Lee|first1=Michael|title=Researchers find backdoor on ZTE Android phones {{!}} ZDNet|url=http://www.zdnet.com/article/researchers-find-backdoor-on-zte-android-phones/|publisher=ZDNet|accessdate=22 January 2017|language=en}}</ref>
* In 2013 Researchers with the University of Massachusetts have devised a method of breaking a CPU's internal cryptographic mechanisms by introducing specific impurities into the crystalline structure of transistors to change Intel's [[random number generator]].<ref>{{cite web|title=Researchers find new, ultra-low-level method of hacking CPUs - and there's no way to detect it - ExtremeTech|url=https://www.extremetech.com/extreme/166580-researchers-find-new-ultra-low-level-method-of-hacking-cpus-and-theres-no-way-to-detect-it|publisher=ExtremeTech|accessdate=22 January 2017|date=16 September 2013}}</ref>
* Documents revealed during [[Global surveillance disclosures (2013–present)|the surveillance disclosures]] initiated by [[Edward Snowden]] showed that the [[Tailored Access Operations]] (TAO) unit and other NSA employees intercepted servers, routers, and other network gear being shipped to organizations targeted for surveillance to install covert implant firmware onto them before delivery.<ref>{{cite web|title=Photos of an NSA "upgrade" factory show Cisco router getting implant|url=https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/|publisher=Ars Technica|accessdate=22 January 2017|language=en-us}}</ref><ref>{{cite web|title=NSA's Secret Toolbox: Unit Offers Spy Gadgets for Every Need|url=http://www.spiegel.de/international/world/nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every-need-a-941006.html|publisher=SPIEGEL ONLINE|accessdate=22 January 2017}}</ref> These tools include custom BIOS exploits that survive the reinstallation of operating systems and USB cables with spy hardware and radio transceiver packed inside.<ref>{{cite web|title=Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic|url=https://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/|publisher=Ars Technica|accessdate=22 January 2017|language=en-us}}</ref>
* In June 2016 it was reported that [[University of Michigan]] Department of Electrical Engineering and Computer Science built a hardware backdoor that leverages "analog circuits to create a hardware attack" so that after the capacitors store up enough electricity to be fully charged, it would be switched on, to give an attacker complete access to whatever system or device − such as a PC − that contains the backdoored chip. In the study that won the "best paper" award at the IEEE Symposium on Privacy and Security they also note that microscopic hardware backdoor wouldn't be caught by practically any modern method of hardware security analysis, and could be planted by a single employee of a chip factory<ref>{{cite web|last1=Greenberg|first1=Andy|title=This ‘Demonically Clever’ Backdoor Hides In a Tiny Slice of a Computer Chip|url=https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/|publisher=WIRED|accessdate=22 January 2017}}</ref><ref>{{cite web|last1=Storm|first1=Darlene|title=Researchers built devious, undetectable hardware-level backdoor in computer chips|url=http://www.computerworld.com/article/3079417/security/researchers-built-devious-undetectable-hardware-level-backdoor-in-computer-chips.html|publisher=Computerworld|accessdate=22 January 2017|language=en}}</ref>
* In September 2016 Skorobogatov showed how he had removed a NAND chip from an [[iPhone 5C]] - the main memory storage system used on many Apple devices - and cloned it so that he can try out more incorrect combinations than allowed by the attempt-counter.<ref>{{cite web|title=Hardware hack defeats iPhone passcode security|url=https://www.bbc.com/news/technology-37407047|publisher=BBC News|accessdate=22 January 2017|date=19 September 2016}}</ref>
* In October 2018 [https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies Bloomberg reported] that an attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain.


A few years later, in 2011, [[Jonathan Brossard]] presented "Rakshasa", a proof-of-concept hardware backdoor. This backdoor could be installed by an individual with physical access to the hardware. It utilized [[coreboot]] to re-flash the [[BIOS]] with a [[SeaBIOS]] and [[iPXE]]-based bootkit composed of legitimate, open-source tools, allowing malware to be fetched from the internet during the boot process.<ref name="ExtremeTech1" />
==Countermeasures==

The following year, in 2012, Sergei Skorobogatov and Christopher Woods from the University of [[University of Cambridge|Cambridge Computer Laboratory]] reported the discovery of a backdoor in a military-grade FPGA device, which could be exploited to access and modify sensitive information.<ref>{{cite book |last1=Mishra |first1=Prabhat |url=https://books.google.com/books?id=vd3TDQAAQBAJ&pg=PA227 |title=Hardware IP Security and Trust |last2=Bhunia |first2=Swarup |last3=Tehranipoor |first3=Mark |date=2017-01-02 |publisher=Springer |isbn=9783319490250 |language=en |access-date=22 January 2017}}</ref><ref>{{cite web |title=Hardware-Hack: Backdoor in China-Chips entdeckt? |url=http://www.chip.de/news/Hardware-Hack-Backdoor-in-China-Chips-entdeckt_56047005.html |url-status=dead |archive-url=https://web.archive.org/web/20170202014113/http://www.chip.de/news/Hardware-Hack-Backdoor-in-China-Chips-entdeckt_56047005.html |archive-date=2 February 2017 |access-date=22 January 2017 |publisher=CHIP Online |language=de}}</ref><ref>{{cite web |date=8 June 2012 |title=Hackers Could Access US Weapons Systems Through Chip |url=https://www.cnbc.com/id/47700647 |access-date=22 January 2017 |publisher=CNBC}}</ref> It has since been said that this was proven to be a software problem and not a deliberate attempt at sabotage. Nevertheless, it drew attention to the need for equipment manufacturers to ensure that microchips operate as intended.<ref name="techrepublic1">{{cite web |date=31 August 2016 |title=Self-checking chips could eliminate hardware security issues - TechRepublic |url=http://www.techrepublic.com/article/self-checking-chips-could-eliminate-hardware-security-issues/ |access-date=22 January 2017 |publisher=Tech Republic |language=en}}</ref><ref name="businessinsider1" /> Later that year, two mobile phones developed by the Chinese company [[ZTE]] were found to carry a [[root access]] backdoor.
According to security researcher [[Dmitri Alperovitch]], the exploit used a [[hard-coded]] password in its software.<ref>{{cite web|last1= Lee|first1=Michael|title=Researchers find backdoor on ZTE Android phones|url= https://www.zdnet.com/article/researchers-find-backdoor-on-zte-android-phones/|publisher=ZDNet|access-date=22 January 2017|language=en}}</ref>

Starting in 2012, the United States stated that [[Huawei]] might have backdoors present in their products.<ref>
{{cite book
| last1 = Schoen
| first1 = Douglas E.
| author-link1 = Douglas E. Schoen
| last2 = Kaylan
| first2 = Melik
| title = The Russia-China Axis: The New Cold War and America's Crisis of Leadership
| date = 9 September 2014
| url = https://books.google.com/books?id=q2ToBAAAQBAJ
| publisher = Encounter Books
| publication-date = 2014
| isbn = 9781594037573
| access-date = 2020-05-16
| quote = Hardware-encoded backdoors are more threatening than software-encoded ones [...] In October 2012, the U.S. House Permanent Select Committee on Intelligence recommended that U.S. companies avoid hardware made by Chinese telecom giants Huawei and ZTE, saying that its use constitutes a risk to national security. Huawei and ZTE manufacture network hardware for telecommunications systems.
}}
</ref>

In 2013, researchers at the [[University of Massachusetts]] devised a method of breaking a CPU's internal cryptographic mechanisms by introducing specific impurities into the crystalline structure of transistors to change Intel's [[random-number generator]].<ref>{{cite web|title=Researchers find new, ultra-low-level method of hacking CPUs - and there's no way to detect it - ExtremeTech|url=https://www.extremetech.com/extreme/166580-researchers-find-new-ultra-low-level-method-of-hacking-cpus-and-theres-no-way-to-detect-it|publisher=ExtremeTech|access-date=22 January 2017|date=16 September 2013}}</ref>

Documents revealed from 2013 onwards during [[Global surveillance disclosures (2013–present)|the surveillance disclosures]] initiated by [[Edward Snowden]] showed that the [[Tailored Access Operations]] (TAO) unit and other NSA employees intercepted servers, routers, and other network gear being shipped to organizations targeted for surveillance to install covert implant firmware onto them before delivery.<ref>{{cite web|title= Photos of an NSA "upgrade" factory show Cisco router getting implant|url= https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/|publisher=Ars Technica|access-date=22 January 2017|language= en-us|date=2014-05-14}}</ref><ref>{{cite news|title= NSA's Secret Toolbox: Unit Offers Spy Gadgets for Every Need|newspaper=Der Spiegel|date=30 December 2013|url=http://www.spiegel.de/international/world/nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every-need-a-941006.html|publisher=SPIEGEL ONLINE|access-date=22 January 2017}}</ref> These tools include custom [[BIOS]] exploits that survive the reinstallation of operating systems and USB cables with spy hardware and radio transceiver packed inside.<ref>{{cite web|title= Your USB cable, the spy: Inside the NSA's catalog of surveillance magic|url=https://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/|publisher=Ars Technica|access-date=22 January 2017|language=en-us|date=2013-12-31}}</ref>

In June 2016 it was reported that the [[University of Michigan]] Department of Electrical Engineering and Computer Science had built a hardware backdoor that leveraged "analog circuits to create a hardware attack": once its capacitors had stored enough charge, the backdoor switched on and gave an attacker complete access to whatever system or device, such as a PC, contained the backdoored chip. In the study, which won the "best paper" award at the IEEE Symposium on Privacy and Security, they also noted that the microscopic hardware backdoor would not be caught by practically any modern method of hardware security analysis and could be planted by a single employee of a chip factory.<ref>{{cite magazine|last1= Greenberg|first1=Andy|title=This 'Demonically Clever' Backdoor Hides In a Tiny Slice of a Computer Chip|url= https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/|magazine=WIRED|access-date=22 January 2017|date=June 2016}}</ref><ref>{{cite web|last1= Storm|first1=Darlene|title=Researchers built devious, undetectable hardware-level backdoor in computer chips|url=http://www.computerworld.com/article/3079417/security/researchers-built-devious-undetectable-hardware-level-backdoor-in-computer-chips.html|publisher=Computerworld|access-date=22 January 2017|language=en|date=2016-06-06}}</ref>

In September 2016 Skorobogatov showed how he had removed a [[NAND flash memory|NAND]] chip from an [[iPhone 5C]] (the main memory storage system used on many Apple devices) and cloned it so that he could try more incorrect passcode combinations than the attempt counter allowed.<ref>{{cite web|title= Hardware hack defeats iPhone passcode security|url= https://www.bbc.com/news/technology-37407047|publisher=BBC News|access-date=22 January 2017|date=19 September 2016}}</ref>

In October 2018 [[Bloomberg Businessweek#The Big Hack|Bloomberg reported]] that an attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America's technology supply chain.<ref name="Bloomberg 2018">{{cite web |website=Bloomberg |url=https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies |title=The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies |first1=Jordan |last1=Robertson |first2=Michael |last2=Riley |date=4 October 2018 |access-date=2022-03-06}}</ref>

== Countermeasures ==
{{Expand section|date=January 2017}}
Skorobogatov has developed a technique capable of detecting malicious insertions into chips.<ref name="businessinsider1">{{cite news|title=Cambridge Scientist Defends Claim That US Military Chips Made In China Have 'Backdoors'|url=http://www.businessinsider.com/sergei-skorobogatov-defends-backdoor-claims-2012-5?IR=T|newspaper=Business Insider|access-date=22 January 2017|language=en}}</ref>
{{See also|Trusted Platform Module|UEFI secure boot}}

Skorobogatov has developed a technique capable of detecting malicious insertions into chips.<ref name="businessinsider1">{{cite web|title=Cambridge Scientist Defends Claim That US Military Chips Made In China Have 'Backdoors'|url=http://www.businessinsider.com/sergei-skorobogatov-defends-backdoor-claims-2012-5?IR=T|publisher=Business Insider|accessdate=22 January 2017|language=en}}</ref>
[[New York University Tandon School of Engineering]] researchers have developed a way to corroborate a chip's operation using [[verifiable computing]] whereby "manufactured for sale" chips contain an embedded verification module that proves the chip's calculations are correct and an associated external module validates the embedded verification module.<ref name="techrepublic1"/> Another technique developed by researchers at [[University College London]] (UCL) relies on distributing trust between multiple identical chips from disjoint supply chains. Assuming that at least one of those chips remains honest the security of the device is preserved.<ref name="backdoortolerance">{{cite web|author = Vasilios Mavroudis|display-authors=etal|title=A Touch of Evil: High-Assurance Cryptographic Hardware from Untrusted Components|url=https://acmccs.github.io/papers/p1583-mavroudisA.pdf|website=backdoortolerance.org|publisher=Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security|language=en}}</ref>


Researchers at the [[University of Southern California]] [https://alevi.usc.edu/ Ming Hsieh Department of Electrical and Computer Engineering] and the Photonic Science Division at the [[Paul Scherrer Institute]] have developed a new technique called Ptychographic X-ray laminography.<ref name=":0">{{Cite web|url=https://spectrum.ieee.org/xray-tech-lays-chip-secrets-bare|title=X-Ray Tech Lays Chip Secrets Bare|last=Moore|first=Samuel|date=2019-10-07|website=IEEE Spectrum: Technology, Engineering, and Science News|language=en|access-date=2019-10-08}}</ref> This technique is the only current method that allows verification of a chip's blueprint and design without destroying or cutting the chip, and it does so in significantly less time than other current methods. [https://alevi.usc.edu/a-f-j-levi/ Anthony F. J. Levi], professor of electrical and computer engineering at the University of Southern California, explains: “It’s the only approach to non-destructive reverse engineering of electronic chips—[and] not just reverse engineering but assurance that chips are manufactured according to design. You can identify the foundry, aspects of the design, who did the design. It’s like a fingerprint.”<ref name=":0" /> The method can currently scan chips in 3D and zoom in on sections, and it can accommodate chips up to 12 millimeters by 12 millimeters, easily enough for an [[Apple A12]] chip, but it is not yet able to scan a full [[Volta (microarchitecture)|Nvidia Volta GPU]].<ref name=":0" /> "Future versions of the laminography technique could reach a resolution of just 2 nanometers or reduce the time for a low-resolution inspection of that 300-by-300-micrometer segment to less than an hour, the researchers say."<ref name=":0" />
[[New York University Tandon School of Engineering]] researchers have developed a way to corroborate a chip's operation using [[verifiable computing]] whereby "manufactured for sale" chips contain an embedded verification module that proves the chip's calculations are correct and an associated external module validates the embedded verification module.<ref name="techrepublic1"/> Another technique developed by researchers at [[University College London]] (UCL) relies on distributing trust between multiple identical chips from disjoint supply chains. Assuming that at least one of those chips remains honest the security of the device is preserved.<ref name="backdoortolerance">{{cite web|author = Vasilios Mavroudis|display-authors=etal|title=A Touch of Evil: High-Assurance Cryptographic Hardware from Untrusted Components|url=https://acmccs.github.io/papers/p1583-mavroudisA.pdf|format=PDF|website=http://backdoortolerance.org/|publisher=Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security|language=en}}</ref>


==See also==
* [[FBI–Apple encryption dispute]]
* [[Hardware security]]
* [[Hardware security bugs]]
* [[Hardware security bug]]
* [[Hardware Trojan]]
* {{sectionlink|Intel Active Management Technology|Security}}
* [[Open hardware]]
* [[Code signing]]
* [[Intel Management Engine]]
* [[AMD Platform Security Processor]]


==References==


==Further reading==
* {{cite book|last1=Krieg|first1=Christian|last2=Dabrowski|first2=Adrian|last3=Hobel|first3=Heidelinde|last4=Krombholz,|first4=Katharina|last5=Weippl|first5=Edgar|title=Hardware malware|date=2013|publisher=Morgan & Claypool|location=[S.l.]|isbn=9781627052528}}
* {{cite book|last1=Krieg|first1=Christian|last2=Dabrowski|first2=Adrian|last3=Hobel|first3=Heidelinde|last4=Krombholz|first4=Katharina|last5=Weippl|first5=Edgar|title=Hardware malware|date=2013|publisher=Morgan & Claypool|location=[S.l.]|isbn=9781627052528}}


{{Information security}}
==External links==
*[https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies] Bloomberg, 2018


[[Category:Espionage techniques]]
[[Category:Computer hardware]]
[[Category:Computer security]]
[[Category:Surveillance]]
[[Category:Cryptographic attacks]]

Latest revision as of 07:10, 23 December 2024

A hardware backdoor is a backdoor implemented within the physical components of a computer system, also known as its hardware. It can be created by introducing malicious code into a component's firmware, or even during the manufacturing process of an integrated circuit, in which case it is known as a hardware trojan.[1][2] Often, they are used to undermine security in smartcards and cryptoprocessors, unless investment is made in anti-backdoor design methods.[3] They have also been considered for car hacking.[4]

Background


The existence of hardware backdoors poses significant security risks for several reasons. They are difficult to detect and are impossible to remove using conventional methods like antivirus software. They can also bypass other security measures, such as disk encryption. Hardware trojans can be introduced during manufacturing where the end-user lacks control over the production chain.[1]

History


In 2008, the FBI reported the discovery of approximately 3,500 counterfeit Cisco network components in the United States, some of which were introduced in military and government infrastructure.[5]

A few years later, in 2011, Jonathan Brossard presented "Rakshasa", a proof-of-concept hardware backdoor. This backdoor could be installed by an individual with physical access to the hardware. It utilized coreboot to re-flash the BIOS with a SeaBIOS and iPXE-based bootkit composed of legitimate, open-source tools, allowing malware to be fetched from the internet during the boot process.[1]

The following year, in 2012, Sergei Skorobogatov and Christopher Woods from the University of Cambridge Computer Laboratory reported the discovery of a backdoor in a military-grade FPGA device, which could be exploited to access and modify sensitive information.[6][7][8] It has since been said that this was proven to be a software problem and not a deliberate attempt at sabotage. Nevertheless, it drew attention to the need for equipment manufacturers to ensure that microchips operate as intended.[9][10] Later that year, two mobile phones developed by the Chinese company ZTE were found to carry a root access backdoor. According to security researcher Dmitri Alperovitch, the exploit used a hard-coded password in its software.[11]

Starting in 2012, the United States stated that Huawei might have backdoors present in their products.[12]

In 2013, researchers at the University of Massachusetts devised a method of breaking a CPU's internal cryptographic mechanisms by introducing specific impurities into the crystalline structure of transistors to change Intel's random-number generator.[13]

Documents revealed from 2013 onwards during the surveillance disclosures initiated by Edward Snowden showed that the Tailored Access Operations (TAO) unit and other NSA employees intercepted servers, routers, and other network gear being shipped to organizations targeted for surveillance to install covert implant firmware onto them before delivery.[14][15] These tools include custom BIOS exploits that survive the reinstallation of operating systems and USB cables with spy hardware and radio transceiver packed inside.[16]

In June 2016 it was reported that the University of Michigan Department of Electrical Engineering and Computer Science had built a hardware backdoor that leveraged "analog circuits to create a hardware attack": once its capacitors had stored enough charge, the backdoor switched on and gave an attacker complete access to whatever system or device, such as a PC, contained the backdoored chip. In the study, which won the "best paper" award at the IEEE Symposium on Privacy and Security, they also noted that the microscopic hardware backdoor would not be caught by practically any modern method of hardware security analysis and could be planted by a single employee of a chip factory.[17][18]

In September 2016 Skorobogatov showed how he had removed a NAND chip from an iPhone 5C (the main memory storage system used on many Apple devices) and cloned it so that he could try more incorrect passcode combinations than the attempt counter allowed.[19]

In October 2018 Bloomberg reported that an attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America's technology supply chain.[20]

Countermeasures


Skorobogatov has developed a technique capable of detecting malicious insertions into chips.[10]

New York University Tandon School of Engineering researchers have developed a way to corroborate a chip's operation using verifiable computing whereby "manufactured for sale" chips contain an embedded verification module that proves the chip's calculations are correct and an associated external module validates the embedded verification module.[9] Another technique developed by researchers at University College London (UCL) relies on distributing trust between multiple identical chips from disjoint supply chains. Assuming that at least one of those chips remains honest the security of the device is preserved.[21]
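The UCL idea of distributing trust across identical chips from disjoint supply chains, as an added example that is neither the page's nor the UCL project's code: a hypothetical model in which the host XORs one random contribution from each chip into a device key and cross-checks redundant computations, so that a single honest chip keeps the key unpredictable and a single misbehaving chip is flagged. It assumes backdoored chips emit seed-derived output the attacker can recompute; the names Chip, generate_key, attacker_guess and redundant_compute are mine, and combining the contributions on the host is a simplification for illustration.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical model of the "at least one honest chip" design: N identical chips
# from disjoint supply chains, a host that XORs their random contributions into a
# key and cross-checks their computations. Combining on the host is a simplification.


def predictable_output(seed: bytes, draw: int, n: int) -> bytes:
    """What a backdoored chip emits on its draw-th request. Anyone who knows the
    planted seed can recompute it, which is exactly what makes the chip untrustworthy."""
    return hashlib.sha256(seed + draw.to_bytes(4, "big")).digest()[:n]


@dataclass
class Chip:
    """One chip. backdoor_seed set: its 'random' bytes are predictable to the
    attacker. trigger set: its computation returns a wrong value on that input."""
    name: str
    backdoor_seed: Optional[bytes] = None
    trigger: Optional[int] = None
    draws: int = 0

    def random_bytes(self, n: int) -> bytes:
        self.draws += 1
        if self.backdoor_seed is None:
            return os.urandom(n)                      # honest chip: real entropy
        return predictable_output(self.backdoor_seed, self.draws, n)

    def compute(self, fn: Callable[[int], int], x: int) -> int:
        if self.trigger is not None and x == self.trigger:
            return fn(x) ^ 1                          # silently corrupt one bit
        return fn(x)


def xor_bytes(parts: List[bytes]) -> bytes:
    out = bytes(len(parts[0]))
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def generate_key(chips: List[Chip], n: int = 32) -> bytes:
    """Device key = XOR of one contribution from every chip. If even one
    contribution is uniform and independent of the rest, the XOR is uniform,
    so the backdoored chips can neither bias nor predict it."""
    return xor_bytes([c.random_bytes(n) for c in chips])


def attacker_guess(chips: List[Chip], known_seeds: Dict[str, bytes], n: int = 32) -> bytes:
    """Attacker's best prediction of the key just generated: XOR of the outputs of
    the chips they planted seeds in. Honest chips contribute nothing predictable."""
    parts = [predictable_output(known_seeds[c.name], c.draws, n)
             for c in chips if c.name in known_seeds]
    return xor_bytes(parts) if parts else bytes(n)


def redundant_compute(chips: List[Chip], fn: Callable[[int], int], x: int) -> int:
    """Run the same computation on every chip and accept the result only if all
    agree; one misbehaving chip is enough to make the outputs disagree."""
    results = {c.name: c.compute(fn, x) for c in chips}
    if len(set(results.values())) != 1:
        raise RuntimeError(f"chip outputs disagree on input {x}: {results}")
    return next(iter(results.values()))


def disagreement_detected(chips: List[Chip], fn: Callable[[int], int], x: int) -> bool:
    try:
        redundant_compute(chips, fn, x)
        return False
    except RuntimeError:
        return True


def square_mod(v: int) -> int:
    return (v * v) % 65537


if __name__ == "__main__":
    # Constructed scenario: chips A and B backdoored by the same attacker, C honest.
    seeds = {"A": b"planted-seed-A", "B": b"planted-seed-B"}
    mixed = [Chip("A", seeds["A"]), Chip("B", seeds["B"]), Chip("C")]
    key = generate_key(mixed)
    print("one honest chip, attacker predicts key:", attacker_guess(mixed, seeds) == key)
    all_bad = [Chip("A", seeds["A"]), Chip("B", seeds["B"])]
    key = generate_key(all_bad)
    print("no honest chip, attacker predicts key:  ", attacker_guess(all_bad, seeds) == key)
    chips = [Chip("A"), Chip("B", trigger=1234), Chip("C")]
    print("trigger input flagged:", disagreement_detected(chips, square_mod, 1234))
```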

Researchers at the University of Southern California Ming Hsieh Department of Electrical and Computer Engineering and the Photonic Science Division at the Paul Scherrer Institute have developed a new technique called Ptychographic X-ray laminography.[22] This technique is the only current method that allows verification of a chip's blueprint and design without destroying or cutting the chip, and it does so in significantly less time than other current methods. Anthony F. J. Levi, professor of electrical and computer engineering at the University of Southern California, explains: “It’s the only approach to non-destructive reverse engineering of electronic chips—[and] not just reverse engineering but assurance that chips are manufactured according to design. You can identify the foundry, aspects of the design, who did the design. It’s like a fingerprint.”[22] The method can currently scan chips in 3D and zoom in on sections, and it can accommodate chips up to 12 millimeters by 12 millimeters, easily enough for an Apple A12 chip, but it is not yet able to scan a full Nvidia Volta GPU.[22] "Future versions of the laminography technique could reach a resolution of just 2 nanometers or reduce the time for a low-resolution inspection of that 300-by-300-micrometer segment to less than an hour, the researchers say."[22]

See also

References

  1. "Rakshasa: The hardware backdoor that China could embed in every computer - ExtremeTech". ExtremeTech. 1 August 2012. Retrieved 22 January 2017.
  2. "Adding Backdoors at the Chip Level". Schneier on Security. 2018-03-26. Retrieved 2024-12-23.
  3. Waksman, Adam (2010), "Tamper Evident Microprocessors" (PDF), Proceedings of the IEEE Symposium on Security and Privacy, Oakland, California, archived from the original (PDF) on 2013-09-21, retrieved 2019-08-27.
  4. Smith, Craig (2016-03-24). The Car Hacker's Handbook: A Guide for the Penetration Tester. No Starch Press. ISBN 9781593277031. Retrieved 22 January 2017.
  5. Wagner, David (2008-07-30). Advances in Cryptology - CRYPTO 2008: 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2008, Proceedings. Springer Science & Business Media. ISBN 9783540851738. Retrieved 22 January 2017.
  6. Mishra, Prabhat; Bhunia, Swarup; Tehranipoor, Mark (2017-01-02). Hardware IP Security and Trust. Springer. ISBN 9783319490250. Retrieved 22 January 2017.
  7. "Hardware-Hack: Backdoor in China-Chips entdeckt?" [Hardware hack: backdoor discovered in Chinese chips?] (in German). CHIP Online. Archived from the original on 2 February 2017. Retrieved 22 January 2017.
  8. "Hackers Could Access US Weapons Systems Through Chip". CNBC. 8 June 2012. Retrieved 22 January 2017.
  9. "Self-checking chips could eliminate hardware security issues - TechRepublic". TechRepublic. 31 August 2016. Retrieved 22 January 2017.
  10. "Cambridge Scientist Defends Claim That US Military Chips Made In China Have 'Backdoors'". Business Insider. Retrieved 22 January 2017.
  11. Lee, Michael. "Researchers find backdoor on ZTE Android phones". ZDNet. Retrieved 22 January 2017.
  12. Schoen, Douglas E.; Kaylan, Melik (9 September 2014). The Russia-China Axis: The New Cold War and America's Crisis of Leadership. Encounter Books (published 2014). ISBN 9781594037573. Retrieved 2020-05-16. "Hardware-encoded backdoors are more threatening than software-encoded ones [...] In October 2012, the U.S. House Permanent Select Committee on Intelligence recommended that U.S. companies avoid hardware made by Chinese telecom giants Huawei and ZTE, saying that its use constitutes a risk to national security. Huawei and ZTE manufacture network hardware for telecommunications systems."
  13. "Researchers find new, ultra-low-level method of hacking CPUs - and there's no way to detect it - ExtremeTech". ExtremeTech. 16 September 2013. Retrieved 22 January 2017.
  14. "Photos of an NSA "upgrade" factory show Cisco router getting implant". Ars Technica. 2014-05-14. Retrieved 22 January 2017.
  15. "NSA's Secret Toolbox: Unit Offers Spy Gadgets for Every Need". Der Spiegel. SPIEGEL ONLINE. 30 December 2013. Retrieved 22 January 2017.
  16. "Your USB cable, the spy: Inside the NSA's catalog of surveillance magic". Ars Technica. 2013-12-31. Retrieved 22 January 2017.
  17. Greenberg, Andy (June 2016). "This 'Demonically Clever' Backdoor Hides In a Tiny Slice of a Computer Chip". WIRED. Retrieved 22 January 2017.
  18. Storm, Darlene (2016-06-06). "Researchers built devious, undetectable hardware-level backdoor in computer chips". Computerworld. Retrieved 22 January 2017.
  19. "Hardware hack defeats iPhone passcode security". BBC News. 19 September 2016. Retrieved 22 January 2017.
  20. Robertson, Jordan; Riley, Michael (4 October 2018). "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies". Bloomberg. Retrieved 2022-03-06.
  21. Mavroudis, Vasilios; et al. (2017). "A Touch of Evil: High-Assurance Cryptographic Hardware from Untrusted Components" (PDF). Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. backdoortolerance.org.
  22. Moore, Samuel (2019-10-07). "X-Ray Tech Lays Chip Secrets Bare". IEEE Spectrum: Technology, Engineering, and Science News. Retrieved 2019-10-08.

Further reading

  • Krieg, Christian; Dabrowski, Adrian; Hobel, Heidelinde; Krombholz, Katharina; Weippl, Edgar (2013). Hardware malware. [S.l.]: Morgan & Claypool. ISBN 9781627052528.