VANCOUVER--In the murky waters of hardware hacking, experts and facts are both in short supply. Joe FitzPatrick is one of the few experts and he has a lot of knowledge about what is and isn’t possible, but even he has plenty of questions.
FitzPatrick, a hardware security researcher and trainer, has been working on low-level security issues for many years, so his questions come from a place of informed curiosity. If he sees something in a hardware design or product that looks suspicious or potentially malicious, his instinct is to figure out what the most logical explanation for the feature is and then look more closely to see whether it has the potential to be malicious, and most importantly, whether it actually is.
“All the things we know about hardware and our infrastructure we’ve learned through observation. We understand it because we can see it. You can either go down the path of conspiracy theories or you can take a step back and test the claims,” FitzPatrick said during a talk at the CanSecWest security conference here Thursday in which he used Greek mythology to explain the myths and facts of hardware implants.
“Pandora’s crime was one of curiosity. That’s the core ethic of hacking. If we don’t have the courage to look inside our machines and the chips, we won’t learn anything.”
Although they’re sexier than everyday software vulnerabilities and backdoors, hardware implants and trojans are more difficult to identify and verify. And it’s also more difficult for researchers to determine whether a stray piece of hardware or extra instruction is malicious or whether it’s simply a feature. Indeed, many of the features that manufacturers put in chips and other low-level hardware could be used for dual purposes. Figuring out the intent and whether it’s been used for malicious purposes can be next to impossible.
“If we find a hardware bug, is it there intentionally? Is it functional? We can’t tell the difference between a debug feature and a backdoor because they fundamentally serve the same purpose,” FitzPatrick said.
“The only difference between the two is the actuality, how it’s being used. Debug features are backdoors that are designed to function even when everything else isn’t working.”
There are only a handful of public examples of hardware implants, and the details of several of those stories are disputed. The most recent example is the story by Bloomberg last fall that asserted Chinese intelligence officers were able to insert a tiny chip into the motherboards of some servers manufactured by Supermicro in order to spy on the American companies that bought those machines. The companies named as buyers of the servers all denied the story and hardware security researchers quickly raised questions about the technical details in the story.
“Yes, we have the capabilities. Yes, there are many ways to infiltrate the supply chain. But we can’t jump to any conclusions.”
But the concept of hardware implants is neither new nor mythical. There are certainly organizations with the expertise, motivation, and funding to execute that kind of operation, and intelligence agencies are at the top of that list. The National Security Agency is known to have built hardware implants as part of its signals intelligence mission, and that kind of work is well within the reach of other intelligence agencies, as well. But intelligence agencies generally aren’t in the business of announcing their successes, so where or whether those implants have been deployed isn’t public knowledge.
“We now have examples of people that are very well funded that are going to spend the money to develop hardware trojans. But I’m not a professional hardware implant designer, and anyone who is probably isn’t going to be allowed to stand up here and talk to you about it,” FitzPatrick said.
“Yes, we have the capabilities. Yes, there are many ways to infiltrate the supply chain. But we can’t jump to any conclusions.”
Instead, FitzPatrick suggested security teams go through the exercise of asking specific questions about any tales they hear about hardware implants. For example, what claim is being made? And what logical explanations could exist for this? Occam’s Razor is generally a good guide in those exercises, he said. The simplest explanation is probably the right one.
“Hardware has undocumented features and those features can be misunderstood and misunderstood features can have potent capabilities. I’ve gone down this path. What could I do with interdiction? What could I do with low-level access to the silicon?” he said.
“Separate the potentiality and the actuality. Make sure that the things we think could be malicious actually are malicious.”