Ghosts in the Machine: Attacks May Come From Inside Computers
The next wave of hacking into computers and stealing data will not be requests or code coming from remote points across the Web, security experts are warning.
Instead, the most sophisticated Trojan Horses appearing on Wall Street financial systems may be threaded into the silicon of integrated circuits by design, their malicious instructions baked right into the tiny physical aspects and intricate mapping of the chip itself, according to scientists and academics working with the National Institute of Standards and Technology, the White House and the Financial Services Information Sharing and Analysis Center in Dulles, Va.
Detecting such malware after a chip is fabricated will be extremely difficult, if not impossible, these experts say, because the microchips that run servers have millions to billions of transistors in them. Adding a few hundred or even just tens of transistors can compromise an integrated circuit can serve attackers' purposes and escape notice.
"You can never really test every single combination on the chip. Testing a billion transistors would take a very long time. It would be very difficult to detect hardware Trojans without having some idea of what you're looking for to begin with," said Scott C. Smith, associate professor of electrical engineering at the University of Arkansas, co-author of a 2007 paper which described a "Hardware Threat Modeling Concept for Trustable Integrated Circuits."
Tweaking chips themselves will make them prone to manipulate data, shut down a critical function, or turn a system into a bugged phone that steals and relays vital information, the experts say.
While fabricating a Trojan horse directly into the design of a microchip is a realm where few can play--foreign intelligence services, for instance, or perhaps the most well-funded and sophisticated criminal organizations--there are simpler ways to infiltrate hardware, they say. Attackers of financial systems could, for instance, attach a tiny wireless modem to a shredder at a wire transfer firm, bug a bank card reader at a European grocery store, or plant a chip in a projector at an overseas business conference that can infect an attached laptop with spyware.
To combat the threat, the National Institute of Standards and Technology (NIST), the federal government's technical standards laboratory, is releasing in September an inter-agency report meant to serve as the first set of best practices for government and industry to mitigate security risks to hardware included in the IT supply chain.
Originally inspired by the Department of Defense and spy agencies concerned about protecting from hardware tampering by foreign intelligence, the effort to promote awareness of the threat has filtered into the public realm. NIST is rewriting an original set of 25 best practices based on lessons learned in a pilot program underway with Defense. The Department of Homeland Security and Department of State are involved, as well, parties interviewed for this story say.
The inter-agency report will be used to inform mandatory guidelines NIST expects to release by 2011, which the federal government will be required follow to ensure its own supply chain security.
The best practices "can be used by financial services, the energy sector, health, all kinds of sectors," said Marianne Swanson, NIST's senior advisor for information system security.
The key to mitigate hardware as a malware vector is to establish methods for evaluating trustworthiness of equipment, suppliers and manufacturers, Swanson said. The military and intelligence agencies have done this by establishing a "trusted access program," began in 2004, whereby organizations including the DoD and National Security Agency only purchase circuitry from trusted foundries, like those run by IBM or Honeywell. To be considered trusted, the chip fabrication facilities must be based in the U.S., owned and operated by U.S. companies, and staffed with U.S. citizens with security clearances.
Right now, only government agencies use the trusted foundries; they currently lack the capacity to add commercial, private-sector business. Because they are not outsourced, the programs are also expensive. However, investment banks and private utilities joining the trusted foundry program via the chip and network hardware manufacturers that serve them "will probably happen in the next 10 years or so," says Smith, particularly if hardware hacking "becomes more prevalent, like software viruses have become."
What has experts worried is that much of commercial circuit-building is done by contractors overseas. So the chance that bad actors can subvert the supply chain and add spyware into hardware has risen.
To get a sense of the potential problems, open up your laptop: Inside you'll find parts manufactured or supplied from as many as 10 countries, which compete strategically and economically. Plus, as technology becomes more and more miniaturized, so will its exploits. Economic or corporate espionage, while seldom talked about, likely will escalate, the experts warm. Thus, financial firms should adjust their level of concern and awareness as the vectors for exploits get more sophisticated.
Reported hardware security practices at financial firms seem spotty at best, according to a June survey by the Financial Services Information Sharing and Analysis Center (FS-ISAC), a public-private group created by presidential decree to protect operations of financial services firms, as critical infrastructure. The group sought to measure the level of awareness that financial firms have regarding the importance of hardware security; the report includes 16 best practices meant to mitigate hardware threats.
More than 55 percent of firms surveyed said they verified the sources of their hardware components delivered to offices or loading docks by cross-checking the bill of lading with purchase orders. But fewer than 15 percent inspected the boards inside their routers for tampering prior to functional testing. None of them weighed their equipment. Although weighing wouldn't catch something as miniscule as microchip tampering, it might flag hardware with unwanted equipment attached to it, like a wireless modem.
Physical inspection of hardware is recommended by FS-ISAC, a suggestion also included among NIST's best upcoming practices, Swanson said.
Smith and his colleague Jia Di, an associate professor at University of Arkansas' department of computer science and engineering, are working on a tool that could detect hardware sabotage in chip design. They are building a system that aims to flag and warn of abnormalities found either in the circuit design software, or in chip blueprints, based on a model that intends to identify and rank the most likely scenarios for circuit manipulation.
Smith said the reason that they're basing the system on assessing the chip designs, versus testing the chip itself, is because doing the former is the only feasible method that could successfully detect circuit exploits.
This is for two reasons: Because chip manufacturing is highly automated and follows explicitly the directions of the design program. And because the transistors themselves are too many to actively and fully test.
Smith expects there will "be a big industry" for chip security tools in the next decade. "This will be part of the chip design flow that will be running through malicious logic to make sure that nothing's been added onto your chip before fabricating it."
Tamper-resistant chips are also coming to the commercial market. Pleasanton, Calif.-based CPU Tech has offered the private sector since 2008 the Acalis CPU872 MultiCore chip, which the firm says protects from hardware-based Trojans for high-performance processing within vital applications. It scatters separate parts of the encryption key needed to boot the hardware across different pieces of the chip and also embeds memory onto the chip, so vital data can't be accessed externally. Financial firms have expressed interest in purchasing systems with the chip installed, said Robert Beanland, vice president of marketing for CPU Technology.
According to the Cyberspace Policy Review released by the White House in May, "documented examples exist of unambiguous, deliberate subversions" of the IT supply chain. While counterfeit products have created "the most visible" problems to date for hardware, the global nature of IT manufacturing has made subversion of computers and networks through supply chain sabotage via subtle hardware or software manipulations, more feasible.
Law enforcement in Europe uncovered a scam late last year whereby criminals had rigged credit card readers installed at Tesco and other retail outlets there with what was essentially a tiny cell phone that was capturing all the PINs from customers who used their cards on the readers in stores and sending the data through Pakistan; though its ultimate destination remains unknown. Criminals often choose nations with porous security or limited digital forensics practices to route their booty.
"What was interesting about this is that some portion of it really was a supply chain corruption," said Scott Borg, director and chief economist (CEO) at the U.S. Cyber Consequences Unit (US-CCU), an independent, non-profit research institute. Borg's work on securing IT supply chains was cited in the president's cyber policy review.
Borg makes pains however to emphasize that the threat of hardware tampering occurring in the private sector remains relatively low. "Malicious software is so much easier and cheaper to distribute," he says. Plus, the risk is huge. "There's a serious danger that the whole world would stop buying electronics from your country if it was shown that the supply chain was compromised. The main danger here is hardware bargain hunting."
Purchasing used routers from any source other than their branded manufacturer, say a Cisco or Juniper, for instance, is considered risky because of the increased likelihood that the purchaser could receive counterfeit parts. In a 2008 report detailing a scam involving counterfeit Cisco equipment made in China, the FBI warned that the fake hardware could enable foreign agents to crack codes and bug secure networks.
This article can also be found at SecuritiesIndustry.com.