The overarching theme is why isn't everyone using this tool. A few issues:
1) They might be, and it's being fooled. But...
2) ...they're likely not using it. Consider the following:
> "So why isn’t this system in widespread use? After all, much of it has been available since 2014."
With the compromised servers being purchased in 2015, it's assuming the ubiquitous implementation of the described system a year after "much of it" was available. Big companies don't move that fast to begin with (budgets, politics, entrenchment of current processes, etc.). Also, the article doesn't cite anywhere this tech has been proven in the wild. Do you want to make the case to your boss that your job can be replaced (and maybe theirs) with this probably expensive to purchase and implement, unproven tech? That's even if you had heard or thought of this system coming together in 2014 to prevent an attack that would have infiltrated your network by 2015.
The only defense they give for why it hasn't been used is that they were waiting for a huge attack to help justify companies' spend. That would help, but FICS would be better off taking on the initial capital costs and charging these big companies on a per-server basis to use FICS's system (or spinning off a company to do so; idk how FICS could make this happen).
It's like saying a day after SpaceX's flight around the moon that if your company wants to get to the moon have your company purchase a BFR and send their own people up. Cool. Take a hike.
> The system uses optical scans, microscopy, X-ray tomography, and artificial intelligence to compare a printed circuit board and its chips and components with the intended design.
Could it detect a change within a chip? If not, then it makes such an attack harder to execute, but not impossible. Especially for a nation state.
They could do spot checks where they remove the cap and compare pictures, but it's rather eh.
Maybe testing could work? Hook it up to a testing device and have it run through a suite of tests not known by the manufacturer, as well as fuzzing tests. They might find additional bugs in their own design as well that way.
No, none of those will detect a change in silicon. Only options are signal analysis on working system and/or decapping, scanning and comparing all the masks.
This would still not pick up malicious surface-mount devices.
Imagine a subverted NOR FLASH device with malicious firmware booting your board-management device. It's still a SPI FLASH with the same (apparent) device ID. The contents would just be different.
The technology shown here is working at a different level; it is looking at the PCB, trace by trace, identifying components and connections, layer by layer, and verifying it against the design.
Its purpose is to ensure that designs aren't modified in manufacture.
What you're talking about is a software problem, and should be carried out in addition to this.
The first idea that comes to mind is that I would sign the contents of the flash devices and have them verified once the board layout has been verified.
Essentially, you'd have your board schematic, and then a signature "schematic" of firmware to verify against. Of course, you'd also need a way of signing the schematic/signature list to verify those once they're updated.
Passive components like a line-conditioning resistor or cap could be changed out for an identical-looking malicious component. Such a chip could perform effective MITM attacks against anything that talks on a serial line such as I2C, SPI, etc. This is pretty much a universal zero day for on-board controllers, FPGAs, and anything that loads its boot code unencrypted.
In this case, the technology would have identified this additional component added out-of-spec. Once you've identified that a component that doesn't belong has been added you don't need to bother identifying any software attacks, it's already compromised.
X-rays are useful to identify parts which don't belong in the original design, though it doesn't say anything about these parts. It can be manufacturing errors / design iterations not well documented or any number of things besides a malicious implant. More manual analysis will always be needed. But if you have tons of PCBs to go through it can give a quick overview of what chips might be good initial targets.
Some people noted that some 'hardware' attacks can't be seen because they use original parts. -> That's a silly statement, as that would make it a firmware attack, not a hardware attack (even though physical access might be needed to flash the chip, it's the firmware which is malicious, not the chip itself, i.e. another type of threat / use case).
I think the problem with X-rays, apart from them being hazardous in themselves, is that the cost and availability of equipment is not practical for reverse engineers and researchers apart from some highest-tier companies doing this.
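The core of the comparison described above (components found by inspection versus the placement data of the intended design) is a matching problem. The following Go program is an added example written for this page; it is not code from the FICS system or from anyone in the thread. It assumes the design is available as a list of placements (reference designator, footprint, centroid, layer) and that an optical or X-ray pass yields a list of detected parts with a footprint estimate and a centroid; the parts, coordinates and the 0.25 mm matching tolerance are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Component is one placement record: either what the design says should sit at
// a location, or what inspection (optical/X-ray) found there.
type Component struct {
	RefDes    string  // e.g. "U12"; empty for an unidentified inspected part
	Footprint string  // package outline, e.g. "SOIC-8", "0402"
	X, Y      float64 // centroid in mm
	Layer     string  // "top" or "bottom"
}

// Finding is one discrepancy between the design and what was inspected.
type Finding struct {
	Kind   string // "extra", "missing" or "footprint_mismatch"
	Design *Component
	Seen   *Component
}

// DiffPlacement matches every inspected part to the nearest unmatched design
// part on the same layer within tol millimetres (greedy nearest-neighbour; good
// enough when parts are further apart than the tolerance). Inspected parts with
// no design counterpart are reported as "extra", design parts never matched as
// "missing", and matched pairs whose package differs as "footprint_mismatch".
func DiffPlacement(design, seen []Component, tol float64) []Finding {
	used := make([]bool, len(design))
	var findings []Finding
	for i := range seen {
		s := &seen[i]
		best, bestDist := -1, math.Inf(1)
		for j := range design {
			d := &design[j]
			if used[j] || d.Layer != s.Layer {
				continue
			}
			if dist := math.Hypot(d.X-s.X, d.Y-s.Y); dist < bestDist {
				best, bestDist = j, dist
			}
		}
		if best < 0 || bestDist > tol {
			findings = append(findings, Finding{Kind: "extra", Seen: s})
			continue
		}
		used[best] = true
		if design[best].Footprint != s.Footprint {
			findings = append(findings, Finding{Kind: "footprint_mismatch", Design: &design[best], Seen: s})
		}
	}
	for j := range design {
		if !used[j] {
			findings = append(findings, Finding{Kind: "missing", Design: &design[j]})
		}
	}
	return findings
}

// CountByKind summarises findings so a large batch of boards can be triaged.
func CountByKind(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Kind]++
	}
	return counts
}

func main() {
	// Constructed sample data: a three-part design and an inspection result
	// that found a fourth, undocumented 0402-sized part on the bottom side.
	design := []Component{
		{"U1", "SOIC-8", 10.0, 10.0, "top"},
		{"R1", "0402", 20.0, 5.0, "top"},
		{"C1", "0402", 30.0, 5.0, "top"},
	}
	seen := []Component{
		{"", "SOIC-8", 10.05, 9.98, "top"}, // reflow shifted it slightly
		{"", "0402", 20.02, 5.01, "top"},
		{"", "0402", 30.00, 5.00, "top"},
		{"", "0402", 25.00, 5.00, "bottom"}, // not in the design at all
	}
	for _, f := range DiffPlacement(design, seen, 0.25) {
		fmt.Printf("%s: design=%v seen=%v\n", f.Kind, f.Design, f.Seen)
	}
	fmt.Println(CountByKind(DiffPlacement(design, seen, 0.25)))
}
```

As the commenter notes, an "extra" finding is a starting point for manual analysis, not proof of an implant: undocumented revisions and manufacturing variation produce the same report.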
A question to NH about this which might be more interesting:
Do you think you can get similar results using ultrasound? Because ultrasound devices are fairly cheap and can be made at home fairly easily compared to X-ray technology. It's also much less hazardous to the researchers....
>some people noted that some 'hardware' attacks can't be seen because they use original parts.
You can have an original-looking part. Imagine an 8Mbit SOIC SPI NOR flash chip. Looks the part, belongs in its spot, you decap it and it sure does look like a flash die with its normal flash controller. Now consider this: http://travisgoodspeed.blogspot.com/2012/07/emulating-usb-de...
I can't find it right now, but AFAIR Travis (or maybe it was the hak5 RubberDucky folks) noticed early on that it's pretty trivial to detect what is happening on the host side of the interface: what operating system am I plugged into and what phase of the operation are we in (BIOS query, OS loading drivers).
Imagine a flash chip that is able to tell (power sequencing, timing and order of commands) if it's booting a particular controller on the board, or if it's being read in a flash programmer. Flash chips have processors running their own firmware nowadays; turtles all the way down.
The thing missing from this analysis is that on data bus lines like SPI, I2C and others there are "passive" components like resistors and capacitors used for signal conditioning and line bias. If one of these components were replaced with a highly integrated IC, it would be possible to mimic the function of the passive component most of the time, but sometimes hijack existing data streams as a MITM.
This can be used to insert alternative boot code, firmware, microcode, or even FPGA structures.
Note that the component would not have to generate its own signal source, because by merely inserting a lower than normal resistance or capacitance it could alter an existing bitstream to reflect the desired payload.
It would require a high degree of integration and power management finesse, but is certainly doable to replace an existing SMT resistor or Capacitor with such a device.
Such a device would not be detectable by X-ray (micrographic X-ray maybe?), ultrasound, visual inspection, circuit analysis, or signal analysis until it was activated by a particular bitstream, possibly as part of a firmware update released by the manufacturer.
I see comments like that every once in a while, and I always come back to something that one of my professors told me a long time ago. If it took you like five minutes of thinking about it to come up with it, it's a safe bet that a) folks who are paid to work on this stuff full-time have already thought about it and b) that someone already figured out how to work around it.
That's great if you're looking for whole extra boards in a device with grams or tens of grams of additional mass.
These surface mount components are so small that the variation in the volume of solder on the joints alone would render your technique moot.
Add to that, the fact that manufacturers often use multiple suppliers for parts, they could have different materials, densities and casing designs, this particular problem is beyond weighing.
The article describes how to spot a supposed spying chip when it happens, but why do they single out China? Just replace it with Israel and the article would still be valid.
This article is shameless self-promotion... "to compare a printed circuit board and its chips and components with the intended design..." So every company now has to design its own servers, routers and every other piece of hardware from scratch to avoid "spy chips"? Yeah... Sounds like a good idea...
I find the denials made by the companies involved to be substantive and credible. I'm inclined to believe them. Perhaps Bloomberg's reporters fell for a conspiracy theory this time.
If it were true that they found backdoored hardware, would you expect all of them to make statements confirming that? I wouldn't. And it is clear Apple is still lying about the events surrounding them dropping Super Micro (their current explanation makes as little sense as their shifting 2017 explanations: https://twitter.com/matthew_d_green/status/10478594450642411...).
If true, the attack described by Bloomberg would mean the US fell victim to one of the most spectacular attacks, if not the most spectacular attack, in history, and at the hands of the Chinese.
It's equally credible that they would never want to acknowledge that.
I'm not sure I see anything substantive or credible in the denials by the various companies. If they haven't been issued gag orders, which is quite likely for something of this scale, perhaps it's just in their best interests to deny this.
There is suggestion that at least one of the companies involved is lying about related goings-on.
"Bloomberg reporters receive bonuses based indirectly on how much they shift markets with their reporting. This story undoubtedly did that. The publisher employs roughly 2,000 journalists, who are encouraged to work together and share information through their Bloomberg Terminals, with many layers of editing and fact checking, and it has a zero tolerance on errors: it is inconceivable that it would publish a story this huge that wasn't watertight."
I do love how predictable news has gotten these days; I only had to see the headline mentioned somewhere to know what it's all about and why it's being said.
It's almost like reading, a couple of days ago, that Riz Ahmed taped over his parents' wedding video with an Eminem song a decade or so ago.
The best guess I've heard is that this attack pulls down the BMC's SPI flash lines in order to corrupt its code as it's loaded.
A proper chain of trust that starts on the BMC chip could absolutely protect against that. At that point any modification to the boot image would leave the BMC refusing to boot rather than giving the attacker control.
The same way secure-boot provides protection against hardware modification / evil maid type attacks in CPUs today: by verifying the integrity of the code that's about to be booted before the CPU boots it.
It would significantly raise the cost and difficulty of this sort of attack.
> It would significantly raise the cost and difficulty of this sort of attack.
In my opinion, modifying the board layout with the additional chip and modifying the production process for the server boards stealthily already has a pretty high cost and difficulty.
The most plausible hypothesis of how this attack works is by corrupting firmware loaded at power-on time over SPI. Secure boot would absolutely protect from that by rejecting the signature of the modified code.
But hey, I get that Newsy groupthink means secure boot bad.
>is by corrupting firmware loaded at power-on time over SPI.
>Secure boot would absolutely protect from that by rejecting the signature of the modified code.
Why couldn't you also change out the keys so the signature does match?
Doing so means compromising the TPM on the BMC module which is much harder to do. It's not something that can be done downstream in the supply chain, as this attack is purported to have been.
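The signed-firmware idea earlier in the thread (a "signature schematic" listing the expected contents of each flash device) and the secure-boot exchange just above come down to the same check, which the following Go program spells out. It is an added example for this page, not code from any of the commenters or from a real BMC: it assumes a root public key that the boot ROM holds in fuses or mask ROM (so a downstream supply-chain attacker cannot swap it), a vendor-signed manifest of SHA-256 digests keyed by hypothetical device names such as "bmc_spi_nor", and constructed firmware byte strings standing in for the real images.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest lists every flash image the board is expected to boot, keyed by the
// device it lives on, with the SHA-256 of the exact bytes that should be there.
// It is the "signature schematic" from the thread.
type Manifest struct {
	Images map[string][32]byte
}

// BuildManifest is the vendor-side step: hash each released image.
func BuildManifest(images map[string][]byte) Manifest {
	m := Manifest{Images: map[string][32]byte{}}
	for name, img := range images {
		m.Images[name] = sha256.Sum256(img)
	}
	return m
}

// Encode serialises the manifest with sorted keys so the signature always
// covers one canonical byte string regardless of map iteration order.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m.Images))
	for n := range m.Images {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		d := m.Images[n]
		fmt.Fprintf(&b, "%s=%s\n", n, hex.EncodeToString(d[:]))
	}
	return []byte(b.String())
}

// GenerateRoot stands in for the vendor's key ceremony. The public half is what
// gets burned into the BMC's ROM or fuses; the private half never leaves the vendor.
func GenerateRoot() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is performed by the vendor's release process.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyBoot is what the boot ROM does before executing anything from flash:
// check the manifest against the fused root key, then check every image it reads
// over SPI against the manifest. Any failure means "refuse to boot", which is the
// behaviour the thread describes. Note that an attacker who re-signs the manifest
// with their own key still fails, because rootPub is not something they control.
func VerifyBoot(rootPub ed25519.PublicKey, m Manifest, sig []byte, images map[string][]byte) error {
	if !ed25519.Verify(rootPub, m.Encode(), sig) {
		return errors.New("manifest signature invalid: refusing to boot")
	}
	for name, want := range m.Images {
		img, ok := images[name]
		if !ok {
			return fmt.Errorf("%s: image missing: refusing to boot", name)
		}
		if sha256.Sum256(img) != want {
			return fmt.Errorf("%s: digest mismatch: refusing to boot", name)
		}
	}
	return nil
}

func main() {
	rootPub, rootPriv := GenerateRoot()
	// Constructed stand-ins for the real firmware images.
	good := map[string][]byte{
		"bmc_spi_nor":  []byte("good BMC firmware"),
		"bios_spi_nor": []byte("good BIOS image"),
	}
	m := BuildManifest(good)
	sig := Sign(rootPriv, m)
	fmt.Println("clean board:", VerifyBoot(rootPub, m, sig, good))

	// An implant corrupting the SPI lines changes what the BMC reads.
	tampered := map[string][]byte{"bmc_spi_nor": []byte("evil BMC firmware"), "bios_spi_nor": good["bios_spi_nor"]}
	fmt.Println("tampered image:", VerifyBoot(rootPub, m, sig, tampered))

	// The attacker also replaces the manifest, signed with their own key.
	_, attackerPriv := GenerateRoot()
	m2 := BuildManifest(tampered)
	fmt.Println("re-signed manifest:", VerifyBoot(rootPub, m2, Sign(attackerPriv, m2), tampered))
}
```

The design point is that the only secret is the vendor's private key and the only anchor is the public key in the ROM; everything sitting in external flash, manifest included, is untrusted input that has to prove itself. Rollback protection and key revocation are separate problems this sketch leaves out.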
Secure boot is in no way bad :-) Of course, it must in fact be the first point on any sane security checklist.
And one of the most common attacks, a.k.a. malicious firmware, is prevented by using secure boot.
Many other classes of attacks like forcing the microcontroller to delete all its data, opening up the debug JTAG port of the microcontroller, preventing the log of certain security events etc. can be achieved with the right settings.
Though these are just remote possibilities with high levels of complexity, so is changing a production design of a board.