Corporate espionage or fearmongering? The facts about hardware-level backdoors

Spying accusations against Chinese companies like Huawei have resulted in bans by US, UK, and Australian government agencies. Is there any technical merit to these charges?

Over the last few years, accusations of unlawful spying have been made against some of China’s largest technology firms. Among the people making the allegations are former NSA and CIA head Michael Hayden, as well as in a 2012 House Intelligence Committee report. Accordingly, various government agencies in the United States, Canada, Australia, the United Kingdom, India, and New Zealand have banned the use of equipment made by various Chinese manufacturers under fears that hardware-level backdoors could exist in these products.

But how feasible would creating such a backdoor be? In the age of the Web, with organizations like iFixit tearing apart each new gadget they can get their hands on, typically within a day of launch, how could such a backdoor be deployed without anyone noticing? A closer look at the claims being made and their technical feasibility is vital to understanding whether the accusations have merit or are just fearmongering.

Lenovo

Of the companies targeted, Lenovo is the most visible to consumers and IT professionals. Lenovo largely became a household name worldwide after buying IBM’s PC business in 2005. Lenovo is partially owned by the PRC through a layer of abstraction: the state organization “Chinese Academy of Sciences” (CAS) owns 38% of Legend Holdings, which is Lenovo’s largest shareholder at 34%.

Lenovo hardware is reportedly banned from the US CIA, the UK’s MI5 and MI6, and the Australian Security Intelligence Organisation (ASIO) and Australian Secret Intelligence Service (ASIS). As of the time of writing, none of the governments that have banned Lenovo hardware from their intelligence services has presented evidence of any wrongdoing on Lenovo’s part.

On devices as open as computers, and especially with Lenovo’s ThinkPad product line, which has been long venerated for being foremost among laptops designed with modularity in mind—featuring detailed disassembly manuals and readily available replacement parts—it is difficult to imagine that many opportunities exist to hide a hardware backdoor in a relatively open product. Combined with the fact that the vital components (processor, RAM, etc.) aren’t made by Lenovo, there are few opportunities for Lenovo to introduce a hardware-level backdoor in a way that wouldn’t be glaringly obvious to any engineer armed with a screwdriver.

Of note, the BIOS/UEFI that ships on these computers is controlled by either Phoenix Technologies, a California company, or American Megatrends, Inc., a Georgia company. The chances of a BIOS-level exploit are low, but it remains a technical possibility. Against software-level exploits, best practice is always to wipe the drive of a new system and perform a fresh installation of the operating system of your choice. This approach also does away with the unhelpful crapware typically found on a new computer.

Huawei

The recent criticism of Huawei has come primarily from former CIA and NSA head Gen. Michael Hayden, who stated in an interview that Huawei has engaged in espionage on behalf of China. It is vital to note that Hayden currently serves as a director of Motorola Solutions, a competitor of Huawei. It is similarly important to note that Huawei and Motorola Solutions were engaged in a lengthy intellectual-property dispute, settled in 2011 with Motorola paying an undisclosed sum to Huawei.

Huawei’s statement on the comments made by Hayden called it “tired nonsense we’ve been hearing for years” and “politically-inspired and racist corporate defamation”.

The technical argument that Huawei could spy on users draws its life from the frequently opaque and closed nature of telecommunications equipment. Mobile phones are locked down as tightly as possible to block tampering or unauthorized modification of the software or firmware, largely so that users cannot access features carriers typically charge extra for, such as tethering to a laptop. Networking equipment, in turn, is locked down as tightly as possible to stop particularly enterprising individuals from modifying their modems to do any number of undesirable things to the detriment of other network users. In short, there is no mutual trust between vendor and user, and that absence of trust has breathed life into claims of espionage.

Cognizant of those concerns, Huawei offered to disclose the source code of its products in order to be considered for a bid to build the Australian National Broadband Network (NBN), a process from which it has been formally excluded. This gesture has not dissuaded the NBN authority from denying Huawei the opportunity to submit a bid for building the network.

ZTE

The case against ZTE is quite a bit stronger than it is against Lenovo and Huawei; actual evidence has been produced of a backdoor existing in a ZTE product. Last May, a backdoor was identified in the ZTE Score M, a budget-minded smartphone for US prepaid mobile carriers MetroPCS and Cricket. ZTE released a patch for the phone shortly thereafter, calling the exploit a “technical defect” that exposes units to “potential third-party exploitation”.

In this instance, it might be more prudent to rely on Hanlon’s razor: Never attribute to malice that which is adequately explained by stupidity. However, carelessness on the part of ZTE is all that a hacker—state-sponsored or not—requires to obtain sensitive information. If there is a reason to avoid ZTE products, it would be because of their lacking quality, or at least quality assurance procedures, not because of their complicity in spying. To their credit, the issue was patched quickly after it was discovered.

Final thoughts

The players in this debate appear all too willing to point fingers without providing hard evidence to support their claims. Surveillance activity has been a recurring topic in the news over the past several weeks, bringing worries of potential security threats to the forefront. The firms having accusations made against them are easy targets for their geographic location and business operations. However, hardware-level exploits are much more difficult to deploy without detection, and are more obvious than software exploits, which will likely continue to be the primary attack threat for the foreseeable future.

About

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware. James is currently an education major at Wichita State University in Kansas.

43 comments
Mandolinface

Firstly: When you refer to a "California company" or a "Georgia company," you're only talking about where their headquarters are. How much of their work is outsourced?

Secondly: It's no longer merely a case of an exploit in the BIOS or mass storage. Significant processing power in the graphics subsystem, I/O controller, etc. provides fertile ground for someone with access down to the chip-design level.

Thirdly: In any case—between worker abuse, political repression, unfair trade practices, slave labor, and general unethical behavior—there are plenty of reasons to avoid Chinese products.

cybershooters

The reason ASIS, MI5 etc. don't use Chinese products is much wider than hardware backdoors - you don't want to be reliant on a non-allied country for anything critical to national security. The DoD has over the last few years been looking for alternate non-Chinese sources for things like tungsten, used in bullets, and various rare earth elements used in night vision.

Adam_12345

I'm not an expert in spying software or hardware solutions etc. but this sentence makes me think: "stated that Huawei has engaged in espionage on behalf of China. It is vital here to note that Hayden currently serves as a Director of Motorola Solutions, a competitor to Huawei." Other thing, I live in a country whose law states clearly that if one company shows a product in a commercial and uses another company's product name for comparison, showing its disadvantages and flaws in usefulness etc., it may be sued for illegal actions and forced to pay huge fines. I don't believe that such a law doesn't exist in the US.

Reality Bites

Since those in the NSA and the USA government are without a doubt the dumbest, most incompetent cretins the world has ever seen, what else could be expected from them?

The USA government couldn't recognize a security failure if it ran over them in broad daylight.

The entire USA government is composed completely of clowns, criminals and traitors, not any real Americans working for the entire huge waste of money and space.

bobmatch

From the movie Armageddon: Russian parts, American parts, all made in China.

Unless the chips are all source verified and then watched from cradle to grave there is a chance that any chip found in a computer (including tablets, phones, TVs, microwave, etc…) can compromise national security.

DarkHorseSki

The writer of this article is clueless. Hardware backdoors are actually very easy to create and hide, as the chips would physically look no different from any that did not contain hidden code. Besides, if the supplier is using that chip on every computer, there would be no way to know there was a different chip, let alone realize it is meaningful if a chip is changed (since chips do change on boards all the dang time). Hardware backdoors are old technology and they have not gotten harder to do but actually easier as the chips have gotten smaller and smaller. James should stick to coding Java, where he might have some expertise, and stop writing articles in areas of technology where his inexperience produces flawed results.

therende

The foreign exclusion has been going on for years. When I was employed at Lucent as a Channel Sales Engineer in the late '90s, we would regularly tell customers that they should buy Lucent's firewall over Check Point's because the US DoD wouldn't approve it for Federal installations because Check Point was an Israeli-based company. It was simply marketing F.U.D.

Yes, there are backdoors built in; they are often euphemistically called "management interfaces". Often they are benign, something to rescue the customer when they've locked themselves out by mis-configuration, or a vestigial interface left over from product development, but they do exist and can be exploited.

BCZ1

Mr. Sanders needs to gain a little experience and do more research before writing this type of article. The editors need to do a better review and vetting before release.

There have been back doors in hardware, firmware, and software systems since the 80s. I have personally seen back doors in operating systems that the manufacturer said were "left in accidentally" for "maintenance reasons". We had to disassemble the code to find it.

There is a code of practice called "supply chain risk management" or SCRM where components for secure equipment are designed, built, shipped, and certified according to a maturity model. This provides a reasonable level of assurance that the equipment does not present a security risk.

I cannot begin to enumerate the number of compromised systems that have been discovered over the past decade. Usually these breaches are not made public due to the sensitivity of the event. A compromised system has nothing to do with the size or nationality of the company, but there may be more activity within state-sponsored or connected firms. With the ability to store a virus payload on a graphics card, you can't just run an anti-virus program in the OS and declare a system safe.

Government agencies that require a high level of security have adopted the SCRM model and will continue to assess manufacturers and suppliers in order to maintain the required level of information assurance.

p.vinnie

As these are foreign manufacturers who do not fall under the Patriot Act, or they refused to build a backdoor for US security agencies, they are banned.

PhilippeV

You seem to be over-confident (or naive) that you're free of any backdoor if you buy your hardware from a US-owned brand, as if the US government had no interest in some internal designs of these hardware products.

Do you know that the US is also spying on other countries? (The revelation of the PRISM affair is still a severe and ongoing issue that demonstrates that US agencies are still very active, even against its own allies, and even against US citizens or residents and companies.)

Do you know that processors now implement hardware-accelerated AES encryption, which could as well include a backdoor that won't be detected by common software security suites, but that could still expose unencrypted data in a place accessible without requiring special privileges (e.g. in an unprotected hidden memory-mapped segment, via some "custom" instruction easily insertable in software components)? And that the instruction sets of processors already contain some instructions whose behavior or result is "unspecified", allowing things like predictable exceptions to be thrown or not, or some bits in a "performance counter" register to expose the unencrypted data that passed through the AES encryption/decryption, notably the decryption key?

The US also controls the "secure" distribution of DNS; it can also approve some secret rogue domain CA in the PKI and shut down some legitimate remote internet service, causing denial-of-service attacks on them. And how do we know that international internet links on major backbones don't have hidden backdoors "backing up" the data passing through them, with some specific router performing preselected filtering (controlled remotely by a private link allowing them to change the filters), and then redirecting the traffic to some monitoring/recording platform?

All techniques that have long been used to monitor phone lines are used today to monitor internet links, and they are invisible.

Finally, some of the approved security algorithms may have been secretly designed with a backdoor whose reversal would be extremely difficult to discover (because it requires cryptographically complex means to reverse it). Cryptanalysts may not be able to reverse the one-way mathematical formulas used in these cryptographic algorithms. But the algorithms "approved" in the US by the FIPS standard may have already contained this backdoor since the beginning, with the US government holding the decryption key or formula needed to decrypt, modify and re-encrypt the modified data secretly without breaking the algorithms.

Most internet traffic or services, when "secured", use a single algorithm, and notably authentication certificates: users are told that SHA1, for example, is enough, or they are instructed to use SHA256 instead (but at the same time drop SHA1). This is a bad idea. Things should be more secure if data is secured using TWO algorithms (one approved by the US FIPS standard, such as SHA, DES, AES, and another designed completely outside US control). This should be true for authentication algorithms, notably message digests, and for encryption: DES alone is most probably broken and reversible with a secret backdoor key+algorithm.

At the hardware level, it is significant to see that all US CPU brands are known to have internal reproducible "bugs" which may in fact be backdoors usable to target critical parts of many OSes (even free OSes). There are now billions of electronic doors in modern CPUs, RAM components or storage devices. It is easy to hide some backdoors within them, directly in their design, even if they pass the minimal software validation tests without producing any error (and as time passes, the always increasing complexity of our computing devices makes this possibility of introducing hidden backdoors even easier for designers, or for manufacturers).

Today, when almost all brands are manufacturing their products in China, I fear that China already has the key to break into many systems all around the world. But the US too... The targeted systems could be, for example, the systems within satellites (because it is almost impossible to inspect them after launch) or in large-scale routers of the internet backbone, or in the systems controlling the DNS root, or in routing announcement protocols used between routers.

There's only one way to avoid this nightmare: open the competition, and don't allow any monopolistic position to occur in any technology. If you want security, use multiple independent providers and combine their different solutions so that they secure each other but don't allow any backdoor hidden in one solution to work also with the second solution.

Let's not be naive: there certainly exist backdoors within every electronic product or software solution we use today. We cannot trust any one for all; we need to combine them using inventive ways. Users should learn how to make the best combinations of solutions and never trust the "one-fits-all" integrated solutions, even if they are simpler to use and less costly. Getting secure has a cost (in money or performance), but this additional cost is now becoming small, notably at the hardware level. For software, we should not trust only the commercial providers but should work with innovative, independently developed open-source solutions as well. We should never use any product exactly the way it is preconfigured "out of the box".

Now there are suspect US brands, and I can list a few:

- Texas Instruments

- Google / Motorola (directly linked now to DARPA)

- Intel (processors: many undocumented instructions and control registers, or reproducible behaviors, including reproducible and measurable delays to execute some instructions, with unexplained additional clock cycles; strange "bugs" that are only partially corrected by specific patches; plus a reprogrammable area with an undocumented internal firmware; also within its well-known program compilers for C, C++)

- AMI (BIOS: it configures your hardware and could be the backdoor to enter your system remotely)

- Microsoft (the implementation of the CLR/.NET environment, notably within its VM host)

lastchip

Personally, I think it's all rubbish.

Those very same departments that ban Lenovo most likely have Dells (or similar) jam-packed with Chinese-made components. I assume those same departments have also banned iPhones, as the same illogical thought process would apply.

It demonstrates politicians' incompetence in understanding technology.

Given that we all surrendered manufacturing to other countries based on greed (profit), we only have ourselves to blame.

The truth is (I suspect), given enough time and motivation, anything that can be made by man can be disassembled by man. And nothing is more true than in technology. If the prize is big enough, it will be compromised at some point, with or without the manufacturer's help.

The best one can hope for, is to make it as difficult as possible.

grh

You know, it's really all a load of rubbish. Scare-mongering for political or business ends. Both sides need their heads banging together to try and get some sense into them. Look at it this way. What is all this spying about? Oooo, they may have bigger bombs than us, let's try and look. It keeps government agencies in business, pays wages, makes people fear the reds-under-the-beds (on both 'sides'). It's all an illusion. A trick to keep people occupied, scared or in some heightened state of emergency whilst the powers that be get on with some other underhanded stuff they would rather we didn't know about. Gawd sake, we are all just people; why can't we learn to get on and share the wealth. Yes, yes, I know, sandal-wearing tree hugger, what are you doing on this serious technical-saving-the-world site. Not true; but when you actually sit down and think and look at all this stuff, it just doesn't make any sense at all.

PaperworkDan

When was this written? The Australian government already said the ban on Lenovo was nothing but baseless rumour LAST MONTH! If you aren't even willing to read the news yourself or even do some simple fact checking why are you writing about tech news?

patrickarchibald

Got a new wireless router from my ISP recently which was made by Huawei. Logged into it and saw it had the master password to my account stored in plain text. Immediately uninstalled it. I don't know about built-in backdoors, but they clearly have a Google-like attitude to security.

MartinDay007

It seems very likely a case of the kettle calling the pot black. It would not surprise me one bit to learn sometime in the future that Cisco, Intel and the majority of other prominent technical hardware companies are implementing surveillance facilities that feed various government black-op departments. It is too much of an opportunity for overzealous 'security' organizations to pass up, and they are not known for their restraint.

randmart

Why would Tech Republic publish an article, on this subject, which was written by an undergraduate education major who obviously has no in-depth understanding of telecommunications hardware/software?

His unsupported statement that hardware back doors are easier to detect than software is laughable because modern communications hardware largely consists of a complex system of firmware/software.

Michael Kassner

Curious to learn where you think the RAM, processors, and other components are made?

simone_oor

@Mandolinface

Reasons to avoid: Don't forget the cruel trade in dog and cat meat and other animal rights violations: in China dogs and cats are boiled and skinned alive, and tortured / killed slowly as they believe the fear hormones make the meat better. ALSO KOREA, so lots of tech stuff to avoid! www.notodogmeat.com

Yulin dog eating festival China

Bokdays Korea (Moran Meat Market => thousands and thousands of live dogs and cats packed together, awaiting slaughter in the slowest and cruelest ways possible. Men, women and children laugh and enjoy nearby, with 0 compassion)

JamesAltonSanders

@Mandolinface Your points are certainly all valid, though I'd like to point out I'm not defending the quality or trade practices of the PRC; I'm saying that the argument against these companies on grounds of security is blustery and specious (or, if you prefer, FUD).

JamesAltonSanders

@cybershooters I thought the issue with rare earth metals was that the mining operations in the USA were closed down when it was being done so much cheaper in China, and now that they're the sole supplier, they decided to raise prices and control output.

I do recall hearing something about a large deposit of rare-earth metals being found off the coast of Japan, perhaps that will ease the supply chain once they've worked out how to mine for that underwater.

knuthf

@Reality Bites -- the US Administration may be a collection of silly individuals, but nothing compares to the American public.

Reality Bites

@DarkHorseSki You have no clue, have you? Ever heard of a security scan.... I thought not..... Try reading up a little on Google on network security scans...... you might not make such a fool of yourself in the future.

Reality Bites

@therende ... they can only be exploited if really stupid, incompetent people do the installation and setup.

But that said, since 99.99999999% of all government workers meet the stupid and incompetent rating, you are right, they will be exploited.

knuthf

@BCZ1 OK, let's start with the discussion of Unix 4.2 to 4.3 and the subsequent revision of "Sockets()" - changes made in Unix that Microsoft elected not to provide. MS places all connections in a state with "SO_DONTLINGER" set to FALSE, so the connection remains available after the session has been terminated. This allows others to "Bind()" and "Connect()" to it and resume the session - like transferring another file to the ftp client, or opening the email connection, and feel free to do what you like. It is really simple, but then the US DoD wanted it so they could "exploit" it, and wasted a lot of resources to can the OSI / ITU technology that was made to be secure. Well, they got what they wanted, but never considered the possibility that everyone else can exploit it just as well as them... For the options of connections see "Socket Options" in SVID vol. 3.

JamesAltonSanders

@BCZ1 The exploit you give as an example is software-level, which I'm intentionally avoiding discussion of. Those are numerous and nothing really new, and it's still a problem today - a "maintenance" backdoor was found in some HP storage server hardware a few weeks ago.

I was rather confident that SCRM was the name for strategies to prevent component manufacturing from being disrupted, thereby disrupting normal business operations. Namely, exactly what wasn't done when the flooding in Thailand disrupted the supply chain of disk drives so badly that spot prices quadrupled in a week. I can kind of see how it could be applied to this, but are you quite sure that's what it is called?

Thanks for your feedback, it's useful and important for me to become a better writer.

knuthf

@p.vinnie / yes they are. They are also, as Snowden told you, instructed to provide the information to the US agencies free of charge; NSA and the CIA and all the others do not have a CIC code that identifies where to send the bill. In some networks it is more than 20 percent of network traffic. They must have some systems to find sense in all of that, given all the nonsense that is on the net. Publishing the code should make them a candidate for more than one Nobel prize (besides the peace prize, being so busy prying into other people's business makes it impossible to wage war).

JamesAltonSanders

@PhilippeV I'm intentionally sidestepping anything to do with American spying, including PRISM; this article isn't about that, and I'm not that interested in writing about that. What is going on here seems mostly like corporate fear-mongering.

I agree wholeheartedly with your solution: diversity in brands and avoiding vendor lock-in is important.

JamesAltonSanders

@PaperworkDan I'd love to see the source on that. I tried to be thorough under a deadline, but there's always room for improvement.

knuthf

@patrickarchibald ... I wonder if you have one clue about how it stores the password. It runs Linux, and the passwords are stored encrypted in /etc/passwd. You can access this by Telnet to the router. Usually this file will be empty, and passwords protected in another account somewhere else, unless some Americans have modified the Web interface and implemented their own "users". I suggest that you instead disable access to the admin module (port 80) and telnet from outside the LAN. Also disable Microsoft packets like remote log-in and desktop sharing. That should stop 80% of the attacks.

JamesAltonSanders

@randmart Consumer PCs and telecommunications equipment are different enough that I probably should have stuck to discussing the Lenovo ban.

Communications equipment being mostly a complex system of firmware/software would indicate that an exploit would be on the software level, which is beyond the scope of this article. It's technically correct, but not particularly helpful.

knuthf

@Michael Kassner The Americans are up to making some hardware that runs super-high high (1). The DEA is studying this in a covert operation, since they believe it's on drugs. I know of half-bit; this is used in the GSM radio link, so it is high time they come up with a double bit. But do you, like me, wonder what they will use it for? Maybe the editor here can help...

JamesAltonSanders

@Michael Kassner AMD processors are manufactured in Dresden, Germany, and Intel processors are manufactured in Malaysia, though Intel is building a foundry in (I think) Arizona. Crucial RAM is manufactured in the US, and my laptop has RAM by Hynix, made in South Korea.

knuthf

@Reality Bites @therende Be careful what you claim; all Microsoft TCP/IP can be hacked with just Sunday school in programming. The government workers rely on consultants that tell them what to do, and they recommend the use of this software. Consider all your banks, how these work with wide open doors. The problem is they believe they are safe, because they have invested so much in security. This is just like the Rifle Association that believes that guns only kill villains.

knuthf

@JamesAltonSanders @PaperworkDan // yes, make a bit that is on, be a little higher on. Then they will most likely involve the DEA over the high one, claiming it was abusing substances. Come to your senses: a bit is either on or off, and once it is not connected to something, it cannot participate in telepathy.

knuthf

@JamesAltonSanders @Michael Kassner .. where do they manufacture RAM in the US? And the factory in Dresden has been closed. The Malaysian plant is an assembly plant, just as the US plant is.

Michael Kassner

@JamesAltonSanders @Michael Kassner

That's great, are those the components used in the equipment you mentioned above? It seems doubtful that China is using RAM made in the US.

xvart

@JamesAltonSanders @Michael Kassner I think this is more in the jungle of junk in a PC. You could imagine the LAN chip having an embedded core that could copy packets out to an IP or IP range with a spoofed MAC, so if you found some gov tard using a notebook with this in it, you ping the book with a key and now you have all packets sent to you as well. There would be very little silicon in this, just replace the dest IP.

Michael Kassner

@JamesAltonSanders @Michael Kassner

My concern is that you reached conclusions without any backing from data or sources who are experts.

I am not a hardware specialist by any means, and I gather from your bio you aren't either. So who are we to say what is possible or not? That's my point.

JamesAltonSanders

@Michael Kassner If someone managed to engineer a way to implement a surveillance device on a stick of RAM, which putting something (self-contained?) useful on a DIMM board for surveillance would be a feat of engineering, wouldn't it be obvious to anyone who took off the heat spreader?

Lenovo does use AMD and Intel processors, for whatever that's worth.