Hardware backdoor

Hardware backdoors are backdoors in hardware.

In most cases hardware backdoors involve code inside hardware − such may reside in the firmware of computer chips.^[1]

Hardware backdoors can undermine security in smartcards and other cryptoprocessors unless investment is made in anti-backdoor design methods.^[2] They have also been considered for car hacking.^[3]

Severity

Hardware backdoors are considered highly problematic because:^[1]

They can’t be removed by conventional means such as antivirus software
They can circumvent other types of security such as disk encryption
They can be injected at manufacturing time where the user has no degree of control

Examples

The FBI reported that 3,500 counterfeit Cisco network components were discovered in the US with some of them having found their way into military and government facilities.^[4]
In 2011 Jonathan Brossard demonstrated a proof-of-concept hardware backdoor called "Rakshasa" which can be installed by anyone with physical access to hardware. It uses coreboot to re-flash the BIOS with a SeaBIOS and iPXE benign bootkit built of legitimate, open-source tools and can fetch malware over the web at boot time.^[1]
In 2012 Dr Sergei Skorobogatov, from the University of Cambridge computer laboratory and Woods controversially stated that they found a backdoor in a military grade FPGA device which could be exploited to access/modify sensitive information.^[5]^[6]^[7] It has been said that this was proven to be a software problem and not a deliberate attempt at sabotage that still brought to light the need for equipment manufacturers to ensure microchips operate as intended.^[8]^[9]
In 2012 two mobile phones developed by Chinese device manufacturer ZTE have been found to carry a backdoor to instantly gain root access via a password that has been hard-coded into the software. This was confirmed by security researcher Dmitri Alperovitch.^[10]
In 2013 Researchers with the University of Massachusetts have devised a method of breaking a CPU's internal cryptographic mechanisms by introducing specific impurities into the crystalline structure of transistors to change Intel's random number generator.^[11]
Documents revealed during the surveillance disclosures initiated by Edward Snowden showed that the Tailored Access Operations (TAO) unit and other NSA employees intercepted servers, routers, and other network gear being shipped to organizations targeted for surveillance to install covert implant firmware onto them before delivery.^[12]^[13] These tools include custom BIOS exploits that survive the reinstallation of operating systems and USB cables with spy hardware and radio transceiver packed inside.^[14]
In June 2016 it was reported that University of Michigan Department of Electrical Engineering and Computer Science built a hardware backdoor that leverages "analog circuits to create a hardware attack" so that after the capacitors store up enough electricity to be fully charged, it would be switched on, to give an attacker complete access to whatever system or device − such as a PC − that contains the backdoored chip. In the study that won the "best paper" award at at IEEE Symposium on Privacy and Security they also note that microscopic hardware backdoor wouldn't be caught by practically any modern method of hardware security analysis, and could be planted by a single employee of a chip factory^[15]^[16]
In September 2016 Dr Skorobogatov showed how he had removed a NAND chip from an iPhone 5C - the main memory storage system used on many Apple devices - and cloned it so that he can try out more incorrect combinations than allowed by the attempt-counter.^[17]

Countermeasures

Dr Skorobogatov has developed a technique capable of detecting malicious insertions into chips.^[9]

New York University Tandon School of Engineering researchers have developed a way to corroborate a chip's operation using verifiable computing whereby "manufactured for sale" chips contain an embedded verification module that proves the chip's calculations are correct and an associated external module validates the embedded verification module.^[8]

China

The world's largest manufacturer of hardware is China which gives it unequaled capabilities for hardware backdoors.^[1] Michael Maloof, a former senior security policy analyst in the Office of the Secretary of Defense, states the Chinese government ordered backdoors to be installed in devices made by Huawei and ZTE Corporation and also sources this with a recent passage of China's new anti-terrorism law that requires telecommunications operators and Internet service providers to provide the Chinese government with "backdoor" access to their products.^[8]^[18]

References

1 2 3 4 "Rakshasa: The hardware backdoor that China could embed in every computer - ExtremeTech". ExtremeTech. 1 August 2012. Retrieved 22 January 2017.
↑ Waksman, Adam (2010), "Tamper Evident Microprocessors" (PDF), Proceedings of the IEEE Symposium on Security and Privacy, Oakland, California
↑ Smith, Craig. The Car Hacker's Handbook: A Guide for the Penetration Tester. No Starch Press. ISBN 9781593277031. Retrieved 22 January 2017.
↑ Wagner, David. Advances in Cryptology - CRYPTO 2008: 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2008, Proceedings. Springer Science & Business Media. ISBN 9783540851738. Retrieved 22 January 2017.
↑ Mishra, Prabhat; Bhunia, Swarup; Tehranipoor, Mark. Hardware IP Security and Trust. Springer. ISBN 9783319490250. Retrieved 22 January 2017.
↑ "Hardware-Hack: Backdoor in China-Chips entdeckt?" (in German). CHIP Online. Retrieved 22 January 2017.
↑ "Hackers Could Access US Weapons Systems Through Chip". CNBC. 8 June 2012. Retrieved 22 January 2017.
1 2 3 "Self-checking chips could eliminate hardware security issues - TechRepublic". Tech Republic. Retrieved 22 January 2017.
1 2 "Cambridge Scientist Defends Claim That US Military Chips Made In China Have 'Backdoors'". Business Insider. Retrieved 22 January 2017.
↑ Lee, Michael. "Researchers find backdoor on ZTE Android phones | ZDNet". ZDNet. Retrieved 22 January 2017.
↑ "Researchers find new, ultra-low-level method of hacking CPUs - and there's no way to detect it - ExtremeTech". ExtremeTech. 16 September 2013. Retrieved 22 January 2017.
↑ "Photos of an NSA "upgrade" factory show Cisco router getting implant". Ars Technica. Retrieved 22 January 2017.
↑ "NSA's Secret Toolbox: Unit Offers Spy Gadgets for Every Need". SPIEGEL ONLINE. Retrieved 22 January 2017.
↑ "Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic". Ars Technica. Retrieved 22 January 2017.
↑ Greenberg, Andy. "This ‘Demonically Clever’ Backdoor Hides In a Tiny Slice of a Computer Chip". WIRED. Retrieved 22 January 2017.
↑ Storm, Darlene. "Researchers built devious, undetectable hardware-level backdoor in computer chips". Computerworld. Retrieved 22 January 2017.
↑ "Hardware hack defeats iPhone passcode security". BBC News. 19 September 2016. Retrieved 22 January 2017.
↑ "China: ‘Pervasive access’ to 80% of telecoms". WND. Retrieved 22 January 2017.