RealSecurity

A Different Perspective of Information Security


Putting Your Chips on the Table

Making big security bets each time you buy technology

Hey, where did you buy that router? Do you know who made the components, wrote the drivers, or the embedded code that makes it tick? Or how about the chipset in that new server or smart meter? C'mon, be honest, you know squat. Well, no biggie, right? It's just a chip, some basic instructions to process a few bits through a pile of transistors. Sorry to burst your bubble, but the bad guys know better.

Processors are not mindless pieces of substrate; they have what you could loosely call software that governs their activities and how they interact with other components. In many cases, these are very sophisticated sets of instructions that work to bring the inherent capabilities of the hardware to the surface.

I've always been fascinated with "chip-level" or embedded software. I recall many years ago installing Adaptec SCSI cards in systems to support RAID options in early PC-based servers. You'd drop in the expansion card, boot the system and receive an option to configure the hard drive controller. Pretty straightforward stuff, and even at that time the technology had been around for a while. But the geek in me just thought... well, it was cool that the software was embedded in the card's chips and did what you wanted. It was purpose built and interacted with the operating system to ensure it worked the way you wanted it to. It was like the hardware was alive... you felt more in control of the system, more connected to it somehow.

Well, compared to today's standards, what I was messing around with in data centers is nothing next to the level of integration and capability – and responsibility – that embedded code and instructions have in the systems we live with now. Just like any code or system that runs software, it can be manipulated to do things that you don't want. Malware is showing up more and more in chips and embedded code.

In short, hackers (from cyber criminals all the way to state-sanctioned attackers) are warming to the advantages of incorporating malware deep within a system. I should preface this with the fact that this isn't exactly new; it's been going on for years, decades in fact. However, no one can deny it is clearly trending in recent times; just look at the news. A few days ago Dell announced that some of their motherboard-embedded server management software was "infected" with malware, the W32.Spybot worm that hit the Internet in 2003 and was used for setting up IRC channels for file sharing.

Of course there is evidence of how some are responding to the reality of the threat, such as India recently banning 26 technology firms, 25 of them Chinese, from providing products as part of the country's telecommunications system. Why? Because they are concerned about embedded malware and "trap doors". Why do you think many of the chips used in US military applications are designed and manufactured at Sandia Labs? The US government wants to be as sure as reasonably possible that there is nothing unwanted embedded in its military equipment.

There are a couple of characteristics that are contributing to this trend.

First, more and more development is being outsourced. Keep in mind this is a complex ecosystem of corporate and government interactions. I'm not simply talking about US companies outsourcing to China or India, but rather the reality that most countries and companies, in some form or another, lean on others from different regions to supply and provide components in various forms. To build a computer part, such as an expansion board, the greenboard may be manufactured in country A, the chip's substrate in country B, the design done in country C, the software written in country D, the chip fabricated in country E, and the whole thing assembled in country F. Obviously, not all of these points are opportunities for injecting malware, but such opportunities do exist. Moreover, some of these points of entry are in regions that are, shall we say, open to this form of influence.

The next contributor is counterfeiting, a 21st century trend where less scrupulous producers dismantle and reverse engineer quality systems to build a copy. The attraction of such activities is timeless. If you have something of value and I can copy it for a fraction of the cost and sell it for what you're getting, I'm making a pile of money without all the initial development investment. In the world of technology products, I also tap into your market share and brand. Why invest in making a router to compete with Cisco when I can simply make my own box look and act just like Cisco's and sell it at a highly competitive price? That's an easy one.

Now you're making a ton of money and big companies are buying your stuff. With that install base you start embedding malware so you can gain access to those companies to steal money or information. Not only are you making money on the sale, but you can now sell the information you're collecting. Who knows, maybe the government likes that your stuff is being used by huge and globally influential companies and decides to employ it in a spy network. Or better yet, creates a foundational capability to launch a synchronized offensive?

Lastly, there is trust and validation. Chips and other hardware are produced in huge amounts and it's not an easy task to validate or invalidate a system. In virtually all cases, when a motherboard or the like is produced it's ultimately placed in a testing tray or jig to be run through a set of tests – tests designed to ensure it's functioning as designed, not necessarily to find out whether it has other nefarious capabilities. Moreover, the people who inject malware into these devices know that it will be tested and in many cases how the test is performed. They develop the code to avoid such trivial exposure and to activate only when it is assured it's running in a completed system.

This type of intelligence should be no surprise. There are many forms of malware and botnet programs that know when they are in a lab or on a virtual system and simply don't do anything that would attract attention. They are not always easily tricked into going to work when an obvious opportunity is placed before them.

Trust is a big one, of course. You trust that your vendor acquired the equipment you are buying from a reputable source, but how can you be certain? Documentation can be forged, tamper stickers can be fabricated, and producer markings can be replicated, fooling both you and your vendor. Also, as introduced above, components can come from many places and then be brought together in a single system. While the system as a whole may be validated and trustworthy, that isn't necessarily the case for every part and chipset in the system.

Another version of trust is that many companies that have outsourced development will perform regular audits and reviews of their providers. Most of these activities are based on quality assurance and ensuring processes are executed as designed. However, these audit and review practices may not be comprehensive regarding security. Moreover, the reality is that unscrupulous providers know the audit and review process and will manipulate results to satisfy their customers' needs and interpretations.

Of course, the hardware may be validated, but what of the embedded software? This is far more difficult to validate, for the same reason rootkits are hard to find in operating systems – they are designed not to be discovered.

So, the problem is – in a nutshell – how do you know that the systems in your environment aren't harboring malware that can be used against you or against others? The short answer is that it's really hard. Most organizations will not have the time or resources to test and monitor each system they integrate into their environment, much less effectively design methods to do so. In reality, it is, for the most part, hit and miss. There are things companies can do to reduce the potential for such things to be introduced, but the pressure to deliver tight-deadline projects combined with the lack of overall security focus makes them generally infeasible. Of course, there aren't exactly off-the-shelf products available to discover embedded malware. Overall, it's an accepted risk, but I suspect this will change significantly over time as more and more environments are deeply and broadly impacted by pervasive hidden malware in key systems.
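One of the few things a receiving organization can do about the embedded software question is the boring one: keep a manifest of known-good firmware hashes taken from a trusted reference unit, and compare every image pulled off an incoming system against it. The script below is an added example (not code from the original post); the manifest format, the component names and the image contents are all constructed for illustration, and it assumes you already have a way to dump the images off the board.

```python
"""Firmware baseline verification.

Added example, not code from the original post. Compares the embedded images
dumped from a received system against a manifest of known-good SHA-256 hashes
recorded from a trusted reference unit. Component names, manifest layout and
image bytes are constructed for illustration.
"""
from __future__ import annotations

import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of one firmware image."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(golden_images: dict[str, bytes]) -> dict[str, str]:
    """Record the hash of every image taken from the trusted reference unit."""
    return {name: sha256_hex(data) for name, data in golden_images.items()}


def verify_firmware(manifest: dict[str, str],
                    candidate_images: dict[str, bytes]) -> dict[str, str]:
    """Classify each component of a received system against the manifest.

    ok        image matches the reference hash
    mismatch  image present but its bytes differ from the reference
    missing   the reference lists a component the received unit lacks
    unknown   the received unit carries an image the reference never had
    """
    report: dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in candidate_images:
            report[name] = "missing"
        elif sha256_hex(candidate_images[name]) == expected:
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    for name in candidate_images:
        if name not in manifest:
            # An image the vendor never shipped is as suspicious as a changed one.
            report[name] = "unknown"
    return report


def has_findings(report: dict[str, str]) -> bool:
    """True when anything other than 'ok' was reported."""
    return any(status != "ok" for status in report.values())


# Constructed sample data: a reference unit and a received unit whose RAID
# option ROM has extra bytes appended and which carries an unlisted NIC image.
GOLDEN_IMAGES = {
    "bmc_firmware.bin": b"BMC v1.2 reference image (constructed)",
    "raid_option_rom.bin": b"RAID option ROM v3.0 reference image (constructed)",
}
RECEIVED_IMAGES = {
    "bmc_firmware.bin": b"BMC v1.2 reference image (constructed)",
    "raid_option_rom.bin": b"RAID option ROM v3.0 reference image (constructed)\x90\x90",
    "nic_option_rom.bin": b"image not listed by the vendor (constructed)",
}


def run_example() -> dict[str, str]:
    """Verify the constructed received unit against the constructed reference."""
    return verify_firmware(build_manifest(GOLDEN_IMAGES), RECEIVED_IMAGES)


if __name__ == "__main__":
    result = run_example()
    for component, status in result.items():
        print(f"{component}: {status}")
    print("FINDINGS" if has_findings(result) else "clean")
```

The check is only as good as the reference: if the trusted unit or the manifest is itself compromised, or if the malware lives in a region you never dumped, the report will say "ok", which is exactly the trust problem described above. It is a deviation detector, not a malware detector, and the hard part in practice is getting a faithful image off the silicon in the first place.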

Tuesday 27 July 2010 at 09:03 am

Posted in perspective

No comments
