Revolution Blog

Be Careful What Hardware You Trust

Published on 2012-05-30
Intentional design weaknesses found in milspec silicon chips

Everyone knows that application software and operating systems can have security issues, particularly if the name of the manufacturer is something like Microsoft. But one of the things we all tend to take for granted is that our hardware, the actual silicon IC chips that run our computers, phones and tablets, is naturally free of such vulnerabilities. This turns out to be an unwarranted and optimistic view.

This article describes a serious security backdoor in an embedded systems chip, the Actel ProASIC3, which is heavily marketed for use in military devices and in other mission-critical civilian applications such as power generation, aerospace, aviation, public transport and automotive products. It turns out that this backdoor, which effectively bypasses any software-level encryption, was deliberately inserted by the manufacturer as an integral component of the chip design. An interesting and ground-breaking "PEA" technique was used to perform this investigation in only two weeks, as opposed to the thousands of years that would be required by previous approaches (see this technical white paper for details).

In a similar context, ZTE, a major smartphone manufacturer, has recently been outed as having similar difficulties. The point here is that via a "setuid root binary" backdoor, anyone who knew the secret password could access the user's phone and extract data from it, or even alter its programming.

This reminds us of how on old DEC VAXen there was always a VMS superuser account, username FIELD, password SERVICES, which was intended to let DEC service personnel access the system when on-site without needing to obtain the local SYSTEM password from the customer. Very few installations actually disabled the FIELD account or changed its password. Therefore anyone in the know could use it at almost any VAX installation.

A similar strategy, albeit with a more nefarious purpose, was used years ago by a Swiss firm which sold diplomatic encryption systems to embassies around the world. It turned out that the Swiss firm was a CIA front, and there was a backdoor into the system so that CIA agents who knew the passwords could quietly monitor the diplomatic exchanges of other governments with their embassies. (And then they complain about Wikileaks, lol.)

Consider also the story which broke late last year about a hidden "service" running on certain Android phones, which logged all keystrokes and uploaded them to the vendor periodically:

Busted! Secret app logs phone keystrokes

This is technically malware running in the phone's operating system rather than in its firmware or chip-level BIOS, but the implications are similar.

We also know that modern Microsoft Windoze installations are designed to interface with USB keys, openly sold to law enforcement agencies, which capture all personal user data and stored passwords when plugged into any USB port. It would be surprising if analogous behavior weren't available on Apple products, including iOS devices, simply because Apple, like Microsoft, is a large US-based corporation with offices whose doors can easily be kicked in by federal goons.

In sum, it is unwise to make assumptions about firmware, any more than about OS or application software. It's good that people are investigating and finding these things. This is yet another good reason to value open source products, not only for software and operating systems but also for firmware and even chip hardware.