Hiding Backdoors In Hardware 206
quartertime writes "Remember Reflections on Trusting Trust, the classic paper describing how to hide a nearly undetectable backdoor inside the C compiler? Here's an interesting piece about how to hide a nearly undetectable backdoor inside hardware. The post describes how to install a backdoor in the expansion ROM of a PCI card, which during the boot process patches the BIOS to patch grub to patch the kernel to give the controller remote root access. Because the backdoor is actually housed in the hardware, even if the victim reinstalls the operating system from a CD, they won't clear out the backdoor. I wonder whether China, with its dominant position in the computer hardware assembly business, has already used this technique for espionage. This perhaps explains why the NSA has its own chip fabrication plant."
Undetectable? (Score:5, Insightful)
What, you can't sniff the traffic going in and out of your machine?
proprietary firmware (Score:5, Insightful)
You don't even have to go to this great of a length; if you want to root Linux machines, release a proprietary driver in the form of a binary Linux kernel module and watch as your customers blindly install it.
This is one reason why we should insist on the source code to all firmware - or reverse engineer write new firmware ourselves.
Re:Not bad but.. (Score:3, Insightful)
You haven't dealt with the average end user much have you? Probably less than 1% would be worried/suspicious. Of those that said anything, the answer "Oh, the antivirus has a special piece of hardware that it uses to prevent it from being disabled by viruses..." would suffice.
Re:proprietary firmware (Score:4, Insightful)
"We" should reverse-engineer more firmware "ourselves" eh? When I see them at lunch, I'll let the subset of "we" who actually do such things know that somebody with an Ubuntu address said so. That'll be good for a few laughs.
how do you hide it from QA? (Score:5, Insightful)
everyone knows it's easy to slip backdoors into hardware, but hiding it is the hard part. every fabless chip maker does spot checks of their products and will find these backdoors. at the very least they will find that the shipping products aren't like the ones they designed with extra circuits.
anyone with data that's worth keeping secret will have it behind firewalls and all kinds of security appliances that will start flashing alerts if there is traffic to a high risk geographic area
Re:Not bad but.. (Score:1, Insightful)
"sandboxie"
Please don't do this. You'll regret it if you make it popular.
Re:how do you hide it from QA? (Score:1, Insightful)
Not to mention that it only has to be found in use once, and traffic is traffic. Something funny leaving the network gets a lot of attention in certain places - particularly the ones worth installing a hardware backdoor for.
Re:how do you hide it from QA? (Score:3, Insightful)
Furthermore, who says you can't slip the modified chip in at the last stage? A backdoor that's only shipped to your target is less likely to be found than one you ship to every customer in the US.
Re:Undetectable? (Score:2, Insightful)
Re:proprietary firmware (Score:3, Insightful)
Re:NSA Fabrication Plant... (Score:5, Insightful)
By which I mean the summary is in error.
That's what they want you to think.
Re:Not bad but.. (Score:3, Insightful)
... but I think this is why this is a non-story. ANYBODY with access to your hardware owns you. That's always been a given. If I can touch your bare silicon and metal, then I can put all kinds of things in all kinds of places for all kinds of reasons. Big fat Duh.
Maybe this is news to the public, but I'm not sure it is "news for nerds".