Security

Corporate espionage or fearmongering? The facts about hardware-level backdoors

Spying accusations against Chinese companies like Huawei have resulted in bans by US, UK, and Australian government agencies. Is there any technical merit to these charges?

Over the last few years, accusations of unlawful spying have been made against some of China’s largest technology firms. Among the people making the allegations are former NSA and CIA head Michael Hayden, as well as in a 2012 House Intelligence Committee report. Accordingly, various government agencies in the United States, Canada, Australia, the United Kingdom, India, and New Zealand have banned the use of equipment made by various Chinese manufacturers under fears that hardware-level backdoors could exist in these products.

But, how feasible could creating such a backdoor be? In the age of the Web, and with organizations like iFixIt tearing each new gadget they can get their hands on apart, typically within a day of launch, how could such a backdoor be deployed without anyone noticing? A closer look into the claims being made and their technical feasibility is vital to understand if the accusations have merit, or are just fear mongering.  

Lenovo

Out of the companies targeted, Lenovo Is the most visible to consumers and IT professionals. Lenovo largely became a household name across the world after buying up IBM’s PC business in 2005. Lenovo is partially owned by the PRC, through some abstraction: the state organization “Chinese Academy of Sciences” (CAS) owns 38% of Legend Holdings, which is Lenovo’s largest shareholder at 34%.

Lenovo hardware is reportedly banned from the US CIA, as well as the UK’s MI5 and MI6, as well as the Australian Security Intelligence Organization (ASIO) and Secret Intelligence Service (ASIS). As of the time of writing, no evidence of any wrongdoing on the part of Lenovo has been presented by any of governments who have banned their hardware from use in intelligence services.

On devices as open as computers, and especially with Lenovo’s ThinkPad product line, which has been long venerated for being foremost among laptops designed with modularity in mind—featuring detailed disassembly manuals and readily available replacement parts—it is difficult to imagine that many opportunities exist to hide a hardware backdoor in a relatively open product. Combined with the fact that the vital components (processor, RAM, etc.) aren’t made by Lenovo, there are few opportunities for Lenovo to introduce a hardware-level backdoor in a way that wouldn’t be glaringly obvious to any engineer armed with a screwdriver.

Of note, it is important to remember that the BIOS/UEFI which ships on computers is controlled by either Phoenix Technologies, a California company, or American Megatrends, Inc., a Georgia company. The chances of a BIOS-level exploit are low, but it remains a technical possibility. For software-level exploits, best practice is always to wipe the drive of a new system and include a fresh installation of the operating system of your choice. This approach also does away with unhelpful crapware one typically finds on a new computer.

Huawei

The recent criticism of Huawei has come primarily from ex-CIA and NSA head Gen. Michael Hayden, where, in an interview, he stated that Huawei has engaged in espionage on behalf of China. It is vital here to note that Hayden currently serves as a Director of Motorola Solutions, a competitor to Huawei. It is similarly important to note that Huawei and Motorola Solutions have been in a lengthy Intellectual Property dispute, which was settled in 2011 with Motorola paying an undisclosed sum to Huawei.

Huawei’s statement on the comments made by Hayden called it “tired nonsense we’ve been hearing for years” and “politically-inspired and racist corporate defamation”.

The technical merit behind the argument of Huawei spying on users is given life from the frequently opaque and closed nature of telecommunications equipment. Mobile phones are as closed off to the user as is possible to prevent tampering or unauthorized modification to the software or firmware to prevent users from accessing things that carriers typically charge more money for, such as tethering to a laptop. In turn, networking equipment is as closed off to the user as is possible to prevent particularly enterprising individuals from modifying their modems to do any number of undesirable things to the detriment of other network users. In short, there isn’t a level of mutual trust between vendor and user, which has breathed life into claims of espionage.

Cognizant of those concerns, Huawei offered to disclose the source code to its products to be considered for a bid to build the Australian National Broadband Network (NBN), a process which it has been formally excluded from. This gesture has not dissuaded the NBN authority from barring Huawei the opportunity to submit a bid for building the network.

ZTE

The case against ZTE is quite a bit stronger than it is against Lenovo and Huawei; actual evidence has been produced of a backdoor existing in a ZTE product. Last May, a backdoor was identified in the ZTE Score M, a budget-minded smartphone for US prepaid mobile carriers MetroPCS and Cricket. ZTE released a patch for the phone shortly thereafter, calling the exploit a “technical defect” that exposes units to “potential third-party exploitation”.

In this instance, it might be more prudent to rely on Hanlon’s razor: Never attribute to malice that which is adequately explained by stupidity. However, carelessness on the part of ZTE is all that a hacker—state-sponsored or not—requires to obtain sensitive information. If there is a reason to avoid ZTE products, it would be because of their lacking quality, or at least quality assurance procedures, not because of their complicity in spying. To their credit, the issue was patched quickly after it was discovered.

Final thoughts

The players in this debate appear all too willing to point fingers without providing hard evidence to support their claims. Surveillance activity has been a recurring topic in the news over the past several weeks, bringing worries of potential security threats to the forefront. The firms having accusations made against them are easy targets for their geographic location and business operations. However, hardware-level exploits are much more difficult to deploy without detection, and are more obvious than software exploits, which will likely continue to be the primary attack threat for the foreseeable future.



About

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware. James is currently a student at Wichita State University in Kansas.

53 comments
williama.willis
williama.willis

As a logical on the internet promotion information, do not give your individual e-mail to potential customers as you might end up mixing individual and company messages. http://www.3daydetoxplan.com/

williama.willis
williama.willis

SmartDeploy provides you the capability to use only one image to several endpoint control circumstances, guaranteeing a uncomplicated and dependable Glass windows activity while sparing efforts and minimizing complexness. https://tabletennisprice.wordpress.com/

williama.willis
williama.willis

After all this additional perform is done, you may want to look at including a landing web page to your weblog site, building an opt-in promotion via subsciber lists and creating e-mail promotions with the goal of motivating visitors to return to your weblog site and purchase your items. http://lawyeris.com/directions-paris-serrurier.html

Mandolinface
Mandolinface

.

Firstly: When you refer to a "California company" or a "Georgia company," you're only talking about where their headquarters are. How much of their work is outsourced?

Secondly: It's no longer merely a case of an exploit in the BIOS or mass storage. Significant processing power in the graphics subsystem, I/O controller, etc. provides fertile ground for someone with access down to the chip-design level.

Thirdly: In any case—between worker abuse, political repression, unfair trade practices, slave labor, and general unethical behavior—there are plenty of reasons to avoid Chinese products. 

.

JamesAltonSanders
JamesAltonSanders

@Mandolinface Your points are certainly all valid, though I'd like to point out I'm not defending the quality or trade practices of the PRC, I'm saying that the argument against these companies on grounds of security is blustery and specious (or, if you prefer, FUD). 

simone_oor
simone_oor

@Mandolinface

Reasons to avoid: Don't forget the cruel trade in dog and cat meat and other animal rights violations: in China dogs and cats are boiled and skinned alive, and tortured / killed slowly as they believe the fear hormones make the meat better. ALSO KOREA, so lots of tech stuff to avoid! www.notodogmeat.com

Yulin dog eating festival China

Bokdays Korea (Moran Meat Market=> thousands and thousands of live dogs and cats packed together, awaiting slaughter in the slowest and cruelest ways possible. Man, women and children laugh  and enjoy nearby, with 0 compassion)

cybershooters
cybershooters

The reason ASIS, MI5 etc don't use Chinese products is much wider than hardware backdoors - you don't want to be reliant on a non-allied country for anything critical to national security.  The DoD has over the last few years been looking for alternate non-Chinese sources for things like tungsten, used in bullets and various rare Earth elements used in night vision.

JamesAltonSanders
JamesAltonSanders

@cybershooters I thought the issue was rare earth metals is that the mining operations in the USA were closed down when it was being done so much cheaper in China, and now that they're the sole supplier, they decided to raise prices and control output.

I do recall hearing something about a large deposit of rare-earth metals being found off the coast of Japan, perhaps that will ease the supply chain once they've worked out how to mine for that underwater.

Adam_12345
Adam_12345

I'm not an expert in spying software or hardware solutions etc but this sentence makes me think: " stated that Huawei has engaged in espionage on behalf of China. It is vital here to note that Hayden currently serves as a Director of Motorola Solutions, a competitor to Huawei." Other thing, I live in a country whose law states clearly that if one company shows a product in a commercial and uses another company's product' name for comparison showing its disadvanteges and flaws in usefulness etc. may be suited for illegal actions and forced to pay huge fines. I don't believe that such law doesn't exist in US.

Reality Bites
Reality Bites

Since those in the NSA and USA government are without a doubt the dumbest most incompetent cretins the world has ever seen, what else could be expected from them.

The usa government couldn't recognize a security failure if it ran over them in broad daylight.


The entire USA government is composed completely of clowns, criminals and traitors, not any real Americans working for the entire huge waste of money and space.

knuthf
knuthf

@Reality Bites -- the US Administration may be a collection of silly individuals, but nothing compares to the American public.

bobmatch
bobmatch

From the movie Armageddon: Russian parts, American parts, all made in China.

Unless the chips are all source verified and then watched from cradle to grave there is a chance that any chip found in a computer (including tablets, phones, TVs, microwave, etc…) can compromise national security.

DarkHorseSki
DarkHorseSki

The writer of this article is clueless.  Hardware backdoors are actually very easy to create and hide as the chips would physically look no different than any that did not contain hidden code.  Besides, if the supplier is using that chip on every computer, there would be no way to know there was a different chip, let alone realize it is meaningful if a chip is changed (since chips do change on boards all the dang time.)  Hardware backdoors are old technology and they have not gotten harder to do but actually easier as the chips have gotten smaller and smaller.  James should stick to coding Java, where he might have some expertise, and stop writing articles in areas of technology where his inexperience produces flawed results.

Reality Bites
Reality Bites

@DarkHorseSki You have no clue have you?  Ever heard of a security scan.... I thought not.....   try reading up a little in google on network security scans...... you might not make such of fool out of yourself in the future.

therende
therende

The foreign exclusion has been going on for years. When I was employed at Lucent as a Channel Sales Engineer in the late '90's, we would regularly tell customers that they should buy Lucent's Firewall over Check Point's because the US DoD wouldn't approve it for Federal installations because Check Point was an Israeli-based company. It was simply marketing F.U.D.

Yes, there are backdoors built in, they are often euphemistically called "management interfaces" Often they are benign, something to rescue the customer when they've lock themselves out by mis-configuration or a vestigial interface left over from product development but they do exist and can be exploited.

Reality Bites
Reality Bites

@therende ... they can only be exploited if really stupid incompetent people do the installation and setup.


But that said, since 99.99999999% of all government workers meet the stupid and incompetent rating you are right, they will be exploited.

knuthf
knuthf

@Reality Bites @therende be careful hat you claim, all Microsoft tcp/ip can be hacked with just Sunday school in programming. The government workers rely on consultants that tell them what to do, and they recommend the use of this software. Consider all your banks, how these work with wide open doors. The problem is they believe they are safe, because they have invested so much in security. This is just like the Rifle Association that believe that guns only kill villains.

BCZ1
BCZ1

Mr. Sanders needs to gain a little experience and do more research before writing this type of article. The editors need to do a better review and vetting before release.

There have been back doors in hardware, firmware, and software systems since the 80s. I have personally seen back doors in operating systems that the manufacturer said were "left in accidentally" for "maintenance reasons". We had to disassemble the code to find it.

There is a code of practice called "supply chain risk management" or SCRM where components for secure equipment are designed, built, shipped, and certified according to a maturity model. This provides a reasonable level of assurance that the equipment does not present a security risk.

I cannot begin to enumerate the number of compromised systems that have been discovered over the past decade. Usually these breaches are not made public due to the sensitivity of the event. A compromised system has nothing to do with the size or nationality of the company, but there may be more activity within state-sponsored or connected firms. With the ability to store a virus payload on a graphics card, you can't just run an anti-virus program in the OS and declare a system safe.

Government agencies that require a high level of security have adopted the SCRM model and will continue to assess manufacturers and suppliers in order to maintain the required level of information assurance.

JamesAltonSanders
JamesAltonSanders

@BCZ1 The exploit you give as an example is software-level, which I'm intentionally avoiding discussion of. Those are numerous and nothing really new, and it's still a problem today  - a "maintenance" backdoor was found in some HP storage server hardware a few weeks ago.
I was rather confident that SCRM was the name for strategies to prevent component manufacturing from being disrupted, thereby disrupting normal business operations. Namely, exactly what wasn't done when the flooding in Thailand disrupted the supply chain of disk drives so badly that spot prices quadrupled in a week. I can kind of see how it could be applied to this, but are you quite sure that's what it is called?

Thanks for your feedback, it's useful and important for me to become a better writer.

knuthf
knuthf

@BCZ1 Ok, lets start with the discussion of Unix 4.2 to 4.3 and subsequent revision of "Sockets()" - changes made in Unix that Microsoft elected not to provide. MS place all connection in a state "SO_DONTLINGER" to FALSE, so the connection remains available after the session has been terminated. This allows others to "Bind()" and "Connect()" to it, and resume the session - like transfer another file to the ftp client, or opening the email connection, and feel free what to do. It is really simple, but then the US DoD wanted it so they could "exploit" it, and wasted a lot of resources to can the OSI / ITU technology that was made to be secure. Well, they got what they wanted, but never considered the possibility that everyone else can exploit it just as well as them... For the options of connections see "Socket Options" in SVID vol.3.

p.vinnie
p.vinnie

As these are foreign manufacturers who do not fall under Patriot act or they refused to build backdoor for US security agencies; they are banned. 

knuthf
knuthf

@p.vinnie / yes they are. They are also, as Snoden told you, instructed to provide the information to the US agencies free of charge, NSA and the CIA and all the others do not have a CIC code that identifies where to send the bill. In some networks it is more than 20 percent of network traffic. They must have some systems to find sense in all of that given all the nonsense that is on the net. Publish the code should make them a candidate for more than one Nobel price (beside the peace price, being so busy prying into other people's business makes it impossible to wage war).

PhilippeV
PhilippeV

You seem to be over-confident (or naive) that you're free of nay backdoor if you buy your hardware from an US-owned brand, as if the US government had not interests in some internal designs of these hardwares).

Do you know that US is also spying other countries? (The revelation of PRISM affair is still an severe and ongoing issue that demonstrates that US agencies are still very active, even against its own allies, and even against US citizens or residents and companies).

That processors now implement hardware accelerated AES encryptiion, which could as well include a backdoor that won't be detected by common software security suites, but that could still expose unencrypted data  in a place accessible without requiring special privileges (e.g. in an unprotected hidden memory-mapped segment, via some "custom" instruction easily insertable in software components? And that the instruction sets of processors already contain some instructions whose behavior or result is "unspecified", allowing things like predictable exceptions to be thrown or not, or some bits in a "performance counter" register to expose the unencypted data that passed through the AES encryption/decryption, notably the decryption key?

US also controls the "secure" distribution of DNS, ir can also approve some secret rogue doman CA in the PKI and shutdown some legitimate remote internet service, causing denial of service attacks on them. And how do we know how international internet links on major backbones don't have hidden backdoors "backuping" the data passing through it, with some sepecific router performing preselected filtering (controled remotely by a private link allowing them to change the filters), and then redirecting the trafic to some monitoring/recording platform?

All technics that have been used since longto monitor phone lines are used today to montor internet links and they are invisible.

Finallysome of the approved security algorithms may have been secretely designed with a backdoor whose reversal would be extremely difficulte to discover (because it requires cryptographically complex means to reverse it. Cryptanalyst may not be able to reverse the one-way mathematical formulas used in these cytographic algorithms.But the algorithms "approved" in US by the FIPS standard may have already contained this backdoor since the beginning, with the US government halding the decryption key or formula needed to decrypt, modify and reencrypt the modifed data secretly without breaking the algorithms.

Most internet trafic or services, when it is "secured", use a asingle algorithm, and notably authentication certificates : users are said that SHA1 for example is enough, or they are instructed to use SHA256 instead (but at the same time drop SHA1. This is a bad idea. hings should be more secure if data is secured using TWO algorithms (one approved by US FIPS standard such as SHA, DES, AES, and another designed completely outside US control. This shoud be true for authentication algortihms notably message digests, and for encryption: DES alone is most probably broken and reversible with a secret backdoor key+algorithm.

At the hardware elvels, it is significant to see that all US CPU brands are known to have internal reproducible "bugs" which may in fact be backdoors usable to target critical parts of many OSes (even free OSes). There are now billions of electronic doors in modern CPUs, or RAM components or storage devices. It is easy to hide some backdoors within them, directly in their design, even if they pass the minimal software validation tests without producing any error (and as time passes, the alwyas increasing complexity of our computing devices makes this possibility of introducing hidden backdoors even easier for designers, or for manufacturers).

Today when alsmot all brands are manufacturing their products in China, I fear that China already has the key to break into many systems all around the world. But US too... The targeted systems could be for example the systems within satellites (because it is almost impossible to inspect them after launch) or in large-scale routers of the internet backbone, or in the systems controling the DNS root, or in routing announcement protocols used between routers.

There's only one way to avoid this nightmare: open the competition, and don't allow any monopolistic position to occur in any technology. If you want security, use multiple independant providers and combine their different solutions so that they secure each other but don't allow any backdoor hidden in one solution to work also with the second solution.

Let's not be naive: there certainly exists backdoors within every electronic products or software solutions we use today. We cannot trust any one for all, we need to combine them using inventive ways. Users should learn how to make the best combinations of solutions and never trust the "one-fits-all" integrated solutions even if they are simpler to use and less costly. Getting secure has a cost (in money or performance) but this additional cost is now becoming small, notably at the hardware level. For software, we should not trust only the commercial providers but should work with innovative independantly developed opensource solutions as well. We should never use any product exactly the way it is preconfigured "out of the box".

Now there are suspect US brands, and I can list a few:

- Texas Instrument

- Google / Motorola (directly linked now to the DARPA)

- Intel (processors : many undocumented instrutions and control registers, or reproducible behaviors, including with reproducible and leasurable delays to execute some instructions, with unexplained additional clock cycles; strange "bugs" that are only partially corrected by specific patches ; plus a reprogrammable area with an undocumented internal firmware; also within its wellknown program compilers for C, C++)

- AMI (Bios: it configures your hardware and could be the backdoor to enter your system remotely)

- Microsoft (the implementation of the CLR/.Net environment, notably within its VM host)


JamesAltonSanders
JamesAltonSanders

@PhilippeV I'm intentionally sidestepping anything to do with American spying, including PRISM, this article isn't about that, and I'm not that interested in writing about that. What is going on here seems mostly like corporate fear-mongering.


I agree wholeheartedly with your solution: diversity in brands and avoiding vendor lock-in is important.

lastchip
lastchip

Personally, I think it's all rubbish.

Those very same departments that ban Lenovo most likely have Dell's (or similar) jam packed with Chinese made components.  I assume those same departments have also banned iphones, as the same illogical thought process would apply.

It demonstrates politicians incompetency in understanding technology. 

The fact that we all surrendered manufacturing to other countries based on greed (profit), we only have ourselves to blame.

The truth is (I suspect), given enough time and motivation,  anything that can be made by man, can be disassembled by man. And nothing is more true than in technology. If the prize is big enough, it will be compromised at some point, with or without the manufacturers help.

The best one can hope for, is to make it as difficult as possible.


Editor's Picks