Security

Researchers create nearly undetectable hardware backdoor

University of Massachusetts researchers have found a way to make hardware backdoors virtually undetectable.

security-access-620-465.jpg
With recent NSA leaks and surveillance tactics being uncovered, researchers have redoubled their scrutiny of things like network protocols, software programs, encryption methods, and software hacks. Most problems out there are caused by software issues, either from bugs or malware. But one group of researchers at the University of Massachusetts decided to investigate the hardware side, and they found a new way to hack a computer processor at such a low-level, it's almost impossible to detect it.

What are hardware backdoors?

Hardware backdoors aren't exactly new. We've known for a while that they are possible, and we have examples of them in the wild. They are rare, and require a very precise set of circumstances to implement, which is probably why they aren't talked about as often as software or network code. Even though hardware backdoors are rare and notoriously difficult to pull off, they are a cause of concern because the damage they could cause could be much greater than software-based threats. Stated simply, a hardware backdoor is a malicious piece of code placed in hardware so that it cannot be removed and is very hard to detect. This usually means the non-volatile memory in chips like the BIOS on a PC, or in the firmware of a router or other network device.

A hardware backdoor is very dangerous because it's so hard to detect, and because it typically has full access to the device it runs on, regardless of any password or access control system. But how realistic are these threats? Last year, a security consultant showcased a fully-functioning hardware backdoor. All that's required to implement that particular backdoor is flashing a BIOS with a malicious piece of code. This type of modification is one reason why Microsoft implemented Secure Boot in Windows 8, to ensure the booting process in a PC is trusted from the firmware all the way to the OS. Of course, that doesn't protect you from other chips on the motherboard being modified, or the firmware in your router, printer, smartphone, and so on.

New research

The University of Massachusetts researchers found an even more clever way to implement a hardware backdoor. Companies have taken various measures for years now to ensure their chips aren't modified without their knowledge. After all, most of our modern electronics are manufactured in a number of foreign factories. Visual inspections are commonly done, along with tests of the firmware code, to ensure nothing was changed. But in this latest hack, even those measures may not be enough. The way to do that is ingenious and quite complex.

The researchers used a technique called doping transistors. Basically, a transistor is made of a crystalline structure which provides the needed functionality to amplify or switch a current that goes through it. Doping a transistor means changing that crystalline structure to add impurities, and change the way it behaves. The Intel Random Number Generator (RNG) is the basic building block of any encryption system since it provides those important starting numbers with which to create encryption keys. By doping the RNG, the researchers can make the chip behave in a slightly different way. In this case, they simply changed the transistors so that one particular number became a constant instead of a variable. That means a number that was supposed to be random and impossible to predict, is now always the same.

By introducing these changes at the hardware level, it weakens the RNG, and in turn weakens any encryption that comes from keys created by that system, such as SSL connections, encrypted files, and so on. Intel chips contain self tests that are supposed to catch hardware modifications, but the researchers claim that this change is at such a low level in the hardware, that it doesn't get detected. Fixing this flaw isn't easy either, even if you could detect it. The RNG is part of the security process in a CPU, and for safety, it is isolated from the rest of the system. That means there is nothing a user or even administrator can do to correct the problem.

There's no sign that this particular hardware backdoor is being used in the wild, but if this type of change is possible, then it's likely that groups with a lot of technical expertise could find similar methods. This may lend more credence to moves from various countries to ban certain parts from some regions of the world. This summer Lenovo saw its systems being banned from defense networks in many countries after allegations that China may have added vulnerabilities in the hardware of some of its systems. Of course, with almost every major manufacturer having their electronics part made in China, that isn't much of a relief. It's quite likely that as hardware hacking becomes more cost effective and popular, we may see more of these types of low level hacks being performed, which could lead to new types of attacks, and new types of defense systems.


About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

10 comments
briant11
briant11

Hey, I was doing my own research on audio code masking and bit streaming and sequences of audio files via the Net but you're report on this new bug is putting me off online radio which by the way is widely promoted on our radio stations (e.g i-heart radio), it apparently increased the rating of on easy listening radio station. Although, what really is happening is like nothing at all, the songs are the same and the programs are the same but at least you get the sense that "we tried to make a difference" and that gives you some satisfaction but I can tell some virus is trying to break into my computer system, so I must go and try to protect my computer as best as I can.

igbabayo
igbabayo

The world of security is challenging.

From software attack to hardware, attackers and researchers are finding there way to expand there knowledge.but this seem we are  reaching a place where at all way round we are not safe.

Take it from the font-end or at back-end, which will result in vulnerable environment.For us to secure our network, mobile devices,and other device means that we are only trying our best but not totally away of attack.

It seems even the hardware you have or buy it may be exploited with some backdoor  activity or firmware that will exploit you security.

igbabayo
igbabayo

The world of securtiy is challenging.


As more of research are coming as it is is being compromise.hackers are always finding there way to attack and creating new way of attack.

So if this is another way of attack ,means that if you secure your Pc, mobile devices and network with software,you are not totally free from attack from the hardware part. i think the attarckers will find a way to learn this also .

This means that the hardware vendors should also find a way to secure there devices.

cesar
cesar

Excellent article.

We are living in a very craze moment; must to re-think and re-invent everything.

Cesar J.

jond4u
jond4u

My friend Scott was mainly talking about someone hacking "firmware in your router, printer, smartphone, and so on" to allow for malicious code that exists only off of the main bus, but can still infect your computer.  A stealthy malware could exploit known hardware flaws or vulnerabilities to hide in these kinds of devices.  However; it sounds like the UMass folks are speaking of creating something more subtle, which is a known and repeatable failure mode that can be exploited as a working feature of the hardware.  

Still; I think perhaps the standard features of a Security Suite should by now include the ability to scan the built-in controller memory of attached Printers and installed Video Cards or Drives, and to identify the firmware on other installed or attached devices, compare a checksum with a database, and so on.  Maybe this is a whole new category of software, but we can't just pretend it's not needed.  Now that a possible exploit is known, we can be on the lookout but the hackers have more to work with too.

mjd420nova
mjd420nova

The advent of FLASH BIOS chips was to allow changes to the system BIOS on the fly.  If that's not a backdoor, there will be none easier.  Malicious code has no other way to get into the unit.  The BIOS firmware could be corrupted but would take a secure insertion one only a few chips, a multiple run would surely be found.  Stranger things have happened, like rejected chips    recovered from a dumpster and eventualy found their way into military hardware. 

glnz
glnz

 

 Apologies for posting off-topic, but TR has no Contact Us page.  Please forward this as needed:

At the bottom of this article, there is a caption "You May Also Like" and photo-caption-links to four stories that LOOK LIKE TR- or at least CBS-created journalistic content.  But they're not - they're paid sponsor links leading to infomercial sponsor-owned pages - pushy ads dressed up as news articles.  That's no crime if they are so labeled at the start and throughout.  But TR is NOT so labeling them.  

This is a breach of journalistic ethics and very scuzzy behavior on the part of TR and CBS.    

Don't you care about your reputations?

  

SalSte
SalSte

If this kind of exploit is even remotely possible on a grand scale then it may truly be the death of security some experts have talked of. There are so many hands this type of thing would have to go through: component manufacturers, engineers, etc that its use will probably be very limited. Still, it is a potential concern.

bmerc
bmerc

@glnz Unfortunate but true, scumbag advertising like this is the main way web sites fund themselves these days. Complaining in these comments won't help, though. You can complain directly to the advertising broker who posts this crap by going to www.nrelate.com

jond4u
jond4u

@SalSte  

I was first alerted to the possibility for this sort of exploit almost 20 years ago by a programming consultant named Scott, and it is unfortunately all too easy to implement.  This problem is proliferated by the number of connected devices that now have System level access to machine resources, which makes it a mounting concern.  My guess is that there is reason for concern because the problem has been in the wild for at least 10 years now (despite all the scrutiny of independent testers), although I cannot explicitly verify that.  I doubt people were looking for some variations on this article's theme.

Perhaps the greater concern, which was since raised by another expert I know, is that this problem will appear in Bluetooth equipped motor vehicles, which will then be capable to compromise a cell phone undetectably, and so on.  This would lead to frightening possibilities where a hacker could break in to the OS of a moving car, perhaps by inserting a piece of malware, and create havoc by assuming control.  We need to be extra vigilant, if we are going to assure that this sort of thing does not someday affect the everyday lives of real people in adverse ways, or rather prevent it from getting worse.