WC.com

Sunday, November 11, 2018

Hardwired Hacking

There is a great deal of concern and angst about our privacy. I have written about DNA testing in Science, the Right to Privacy, and Big Brother (June 2018), and about our interest in constitutionally recognized privacy, and the ignorant among us who appreciate neither its importance nor the breadth of its implications, in The Rash to Repeal our Rights (September 2018). Technology is invading our privacy, as noted in Assume Everyone is Watching (September 2015), and The Evolving Issue of Body Cameras (July 2018).

There is a great deal that Americans do to undermine their own privacy. In exchange for a small discount on some items, they agree to have their local supermarket or pharmacy track their every purchase. In fulfillment of some unmet need for "connection," or in search of some dopamine high, Americans voluntarily post the most personal of details on social media: the food they eat, the friends they see, the trips they take, the news they read, and more. Vast quantities of data surreptitiously taken and eagerly given traverse the computers that Al Gore first wired together back in the 1960s when he invented the Internet in his twenties (Sarcasm - is there anything more laughable than his pompous claims he "took the initiative in creating the Internet?").

But we are all outwardly concerned with our Internet security. We hear of identity theft and computer viruses. We adjust our use of the Internet, and according to some estimates we spend about eight billion dollars annually on antivirus software that may be unnecessary. I more recently heard many are increasingly unwilling to share details on social media. Despite our personal concerns and our individual efforts, we may all remain exposed in ways that we are just beginning to understand. 

Bloomberg recently reported The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies. It is a disturbing tale in light of the significant effort we all devote to avoiding viruses, malware, and other computer challenges. What if we do everything right, avoid all the potentially harmful exposures, and have our data hijacked despite our best efforts?

It appears that some hardware manufacturers have been including hardware hacks on circuit boards. This has been known for about three years according to Bloomberg, after a consultant working for Amazon discovered "a tiny microchip" had been "nested on the server's motherboards." That discovery led to further investigation because the producer of these motherboards supplies circuitry for computer servers used by the Department of Defense, the Central Intelligence Agency, U.S. Navy ships, and more. The manufacturer of those motherboards also makes components for devices "from MRI machines to weapons systems."

The purpose of these little chips (purportedly about the size of a grain of rice) was to allow "attackers to create a stealth doorway into any network that included the altered machines." Bloomberg notes that "hardware hacks are more difficult to pull off" than software hacks. But, the reward is "potentially more devastating." If successful, such hardware manipulation could provide "long-term, stealth access" to a variety of data that passes through such a server. Antivirus and other protective software are of no use against hardware, functioning as intended, that invades privacy.

The story says that hardware could be manipulated in two ways. If altered in the manufacturing process, it is called "seeding changes." And if altered after manufacture and shipping, it is called "interdiction." Bloomberg notes that China has a significant involvement in the production of chips and circuitry. Because of that, there is some belief that China also presents a risk of hardware implementation. Some computer security experts are quoted as being incredulous that "seeded" hardware could be effectively placed to produce data, as was recently discovered.

According to the investigating officials, this attack "affected almost 30 companies, including a major bank, government contractors, and the world's most valuable company, Apple Inc." However, some of those companies continue to deny discovering "malicious chips, hardware manipulations or vulnerabilities purposely planted in any server." And there are denials of awareness of even the U.S. investigation. While there is the suggestion that "corporate secrets and sensitive government networks" were exposed, Bloomberg concluded, "no consumer data is known to have been stolen."

This story purportedly began in 2006 with a company, Elemental, intent on leveraging the "demand for mobile video." It designed software distributed on its own "custom-built servers." Those sold for "as much as $100,000 each, at profit margins of as high as 70 percent." The company worked with the CIA, leading to its servers being used by various U.S. government institutions. The technology of these servers was allegedly employed by Apple in constructing server centers to facilitate the data search function that users know as Siri. 

The servers for Elemental were produced by Supermicro, a company "headquartered north of San Jose's airport." Its products are "engineered mostly in San Jose," but they "are nearly all manufactured by contractors in China." What else is manufactured in China? According to The Atlantic in 2013, China manufactured 90.6% of personal computers, 70.6% of cellular phones, and more. In the age of the "Internet of Things," all of our electronics have begun to "talk" to each other. They are collecting data, monitoring or even adjusting our lives, and are beyond ubiquitous. And we hear they will soon drive our cars, grow and prepare our food, and even more.

Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards "can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services," among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, "but its motherboards - its core product - are nearly all manufactured by contractors in China." One "former U.S. intelligence official" refers to "Supermicro as the Microsoft of the hardware world." Thus, "attacking Supermicro motherboards is like attacking Windows. It's like attacking the whole world."

So, these motherboards were apparently distributed with very small and undisclosed additional chips. Those chips' size enhanced their secrecy but limited their function. It is believed that the purpose was essentially to override security protections like passwords, and to authorize the hardware-hacked computers to communicate with other malicious servers on the Internet, servers with more capability and therefore more threatening potential. 

China denies any state involvement in the hacking, and claims instead to be "a resolute defender of cybersecurity." It acknowledges that hardware hacking, or "seeding," has occurred, but claims to also be a victim of such efforts. Bloomberg reports that there is no reliable method for detecting a hardware hack like this. The conclusion is that the Supermicro motherboard discovery was due in part to luck.

Across the World Wide Gore (sarcasm again, sorry Al), we send a multitude of facts, figures, preferences, purchases, and more. We bank, we buy, we share, and we communicate. Our communication may be mundane (how's the weather there?) or intensely private and privileged.  And we can now fear that, despite any efforts on our part, data can all be harvested by individuals or states that are intentionally manipulating the purpose and function of the very brains of various devices. The spy can exist on hardware we will never see, over which we have no control, and in locations that we will never visit. 

Or, such hardware hacking, "seeding," could occur right in our own home. It requires only that some microchip has access to a computer motherboard. That may mean the grain-of-rice-sized chip is embedded in the motherboard of our laptop or personal computer, or that it is embedded in something we choose to connect to the motherboard: a mouse, a memory stick, a webcam, a keyboard, you name it, any peripheral. Could we discover such a chip? Would we even know what to look for?

If a manufacturer could implant such a spy chip in a PC, there is no reason that the same could not be implanted in our cellular phone, our refrigerator, automobile, or anything with a circuit board, including perhaps even a charger we buy for the device. 

In The Empire Strikes Back, young Luke says, "I won't fail you, I'm not afraid." Yoda's response may be good advice to us all: "You will be, you will be."