Malicious hardware may be next hacker tool

We wrote last week about how Chinese companies, controlled by the Chinese military, have manufactured counterfeit Cisco routers and switches and offered them at exceedingly low prices to U.S. vendors who had contracts to upgrade or replac U.S. government IT systems. These vendors, eager to improve their bottom line, used these counterfeit devices, and the FBI and other U.S. government agencies are now worried that the gear offers the Chinese undetectable back-doors into highly secure government and military computer system. If you thought your computer, and the network it is cnnected to, are at risk becasue of malicious software, then China shows us that we have something else to worry about: Malicious hardware. New Scientist’s Mason Inman writes that malicious hardware is more malicious in that it is much more difficult to detect. Today, computer viruses, which are programs downloaded either as an e-mail attachment or when someone visits a Web site, are responsible for most computer attacks. Hackers use them to gain control of a computer so that they can press-gang it into sending spam or downloading more malicious software, such as a keystroke logger, which can record credit card details and passwords typed in by the user. Antivirus (AV) software monitors a computer for signs of a virus, such as chunks of telltale code. To fight back, hackers write new viruses which use different code, or bury the code deeper in the operating system where the AV software is not programmed to look. AV firms and hackers are thus locked in an arms race, continually trying to outdo each other.

Soon hackers could up the ante even further. Samuel King and colleagues at the University of Illinois at Urbana-Champaign have shown that they could also gain control of a computer by adding malicious circuits to its processor. Because these circuits interfere with the computer at a deeper level than a virus, they effectively operate “below the radar” of AV software. To evaluate the risk from such hardware, King’s team designed their own malicious circuits. They used a processor called a field programmable gate array (FPGA), whose logic circuits can be rearranged, to create a replica of an existing open source processor called Leon3, which contains around 1.7 million circuits. They then added about 1000 malicious circuits not present in Leon3. The team found that the circuits allowed them to bypass security controls on Leon3 in a similar way to how a virus hands control of a computer to a hacker, but without requiring a flaw in a software application. When they hooked the FPGA up to another computer, they were able to steal passwords stored in its memory and install malicious software that would allow the operating system it was running to be remotely controlled. “Once you have this mechanism in place, you can do whatever you want,” says King, who presented the work at the Large-Scale Exploits and Emergent Threats conference in San Francisco last month.

Sneaking malicious hardware onto a chip is not as easy as installing a virus. The attacker must either have access to a chip during its design or manufacture, or be capable of manufacturing their own chips, which they would then have to sell to computer makers, or slip into computers during assembly. “It’s not something someone would carry out on weekends,” says King. Nonetheless, computer scientist Simha Sethumadhavan of Columbia University in New York says that chips and their design processes are becoming more complex, making it easier for a hacker to infiltrate. Recently, some Apple iPods and Seagate hard drives were found to have been sold with viruses pre-installed, demonstrating their vulnerability, says King.