Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Hardware Trojans Nathan Krussel
Overview • Definition of hardware Trojan • Forms of hardware Trojan • Current forms of detection • Ties to current research • Review of new hardware Trojans
What is a hardware trojan • Basics • Software Trojan/virus • Self acting piece of code • Malicious intent • Can act unbeknownst to host user • Can morph and change • Hardware Trojan • Similar actions to software Trojan • In the hardware of a chip • Unchanging • Tied to specific hardware • Can be code(firmware), hardware design, or HDL
Forms • Firmware • Motherboard BIOS • Hard drive firmware • Routers and firewalls • HDL (Hardware Description Language) • FPGA’s • Hardware • Additional Chips (secret 3G chip) • Changing circuitry • Dopant Trojan • Other creative ways that haven’t been discovered or announced yet.
Current form of detection • Physical • All methods are currently destructive, the chip is no longer of use after analysis • Need to be an electrical engineer • Thermal patterns • Use thermal detection to see changes in circuitry • Gate analysis • Look at each individual gate to make sure it matches design • Software • Fuzzing to see if anything “weird” happens • Operational testing to see if the output is the same as it should be • Not very secure
Current research into detection • Automated thermal analysis • Using computers to speed up thermal profiling • Automated gate inspection • Using computer to assist in the speed up of gate analysis • Will use the original design to compare too • Brute force software • Checks every possible combination of input and output to see if it matches • Only detect to see if the chip came back different than design, not if it was intentionally put there.
Reviews of Suspected Hardware Trojans • Carmel Tunnels Toll Road – Israel • Intel RNG • Intel Secret 3G chip • Dell Motherboard Malware • BadBIOS • Defcon Presentation • Not quite Hardware Trojans
Carmel Tunnels Toll Road • 2 main sides to the story • AP says it was a targeted cyber attack causing the road shut down. • Said the Trojan horse attack targeted the security camera system • Believe the attack was from unknown, sophisticated attackers, similar to anonymous. • Source was anonymous
Carmel Tunnels Toll Road • 2 main sides to the story • The company that operates the tunnel, said on Israeli radio, was due to control-system flaws • Shutdown could be related to a glitch happening and losing video feed, thus shutting down the tunnel • “It feels more like another simple screw-up, the kind that happens every day with complex interconnected networks. Only this time the impact was felt and seen more widely.” – Steve Santorelli(Investigator Team Cymru)
Carmel Tunnels Toll Road • Additional findings • In the beginning there were rumors of it being a hardware Trojan embedded in systems throughout the control structure of the tunnel • Santorelli later said • “It’s quite likely the problems stemmed from hacks/viruses, but that’s not evidence of a cyberattack” • Even if a traffic control systems gets infected with malware it doesn’t mean it’s a targeted attack, as they run on common platforms, such as windows or linux.
Intel RNG • A circuit based hardware Trojan in the ivy bridge chipset specifically in the Random Number Generator portion. • Would directly impact cryptographic functions • Reduce random entropy from 128 to 32 bits • This isn’t detected by the built in self tests on the chip.
Intel Secret 3G chip • A theory that all the new Intel core series chipsets produced after 2011 have a secret 3G chip built into the processor. • Many have denounced this as a misinterpretation of the Intel announcement of new vPRO processor features. • Allows remote management and locking of the device through hardware • Only available on the vPro processor series (not all) • vPro can use a 3G antenna because it acts just like any other network card to the cpu • Has to have a laptop with 3g antenna and active plan/sim for this function to be enabled. • This also appears to be something that you have to enable for it to work for remote management. • At least according to Intel’s video animation.
Dell Motherborad Malware • In 2010 dell had a delivery of motherboards that may have contained the W32.spybot worm in its flash storage. • This was baked into the bios according to Gregory Wong (forward insights) • Dell quality management specialist wrote an email saying the code was accidentally introduced during the manufacturing of the server boards. • The malware was detected by the dell management firmware during its initial testing by Dell. • To have been infected you’d have to be running an unpatched version of windows 2008 or earlier.
Bad Bios • “Meet BadBIOS, the mysterious Mac and PC malware that jumps airgaps” • Title for an article on Arstechnica during the early stages (Halloween) • What it could do • Infected BIOS of both Mac’s and PC’s • Infect USB keys • Avoid Antivirus detection • Spontaneously update firmware (and infect it) • Change configurations • Delete Data • Turn on and transmit on IPv6 • Disabling programs and CD boot • Used HFS to jump airgaps
Bad Bios • Look to good to be true? • Appears to be fake, by several researchers, analysts, and professionals on the web. • While individual pieces of these are possible/plausible, all together across different platforms is incredibly unlikely. • BIOS in particular is incredibly finicky and precise. • Each minor revision has a different BIOS because of how BIOS is designed to work. • A Mac and a consumer built open BSD and windows machines are not likely to have the same bios. • Packing all of this ability and code into a BIOS flash memory while maintaining full boot would be very hard.
Defcon Video • 11:40 • http://youtu.be/5tF3UrCL2x8?t=11m40s
Not Quite Hardware Trojans • Digital Picture Frames • Best Buy, preloaded with malware • Stuxnet • Attacked enrichment centrifuges • Specifically targeted Iran’s program • Chinese Computer Preloaded with malware • Microsoft found 4 in a batch of 20 computers with “phone home” malware preloaded that loaded on startup • USB drives • Pre loaded with an assortment of “goodies”
References • http://abcnews.go.com/Technology/wireStory/ap-exclusive-israeli-tunnel-hit-cyber-attack-20696798 • http://www.tomsguide.com/us/israel-tunnels-attack,news-17781.html • http://www.infosecurity-magazine.com/view/35289/cyberterrorism-shut-down-israels-carmel-tunnel/ • http://arstechnica.com/security/2013/09/researchers-can-slip-an-undetectable-trojan-into-intels-ivy-bridge-cpus/ • http://securityaffairs.co/wordpress/17875/hacking/undetectable-hardware-trojan-reality.html • http://thehackernews.com/2013/09/Undetectable-hardware-Trojans.html • http://www.intel.com/content/www/us/en/enterprise-security/what-is-vpro-technology-video.html • http://www.infowars.com/91497/ • http://www.tomshardware.com/forum/id-1816242/secret-intel-chip-snoops-backdoor-access.html • http://www.pcworld.com/article/201692/dell_revamps_hardware_testing_in_wake_of_malware_issue.html • https://kc.mcafee.com/corporate/index?page=content&id=KB69538 • http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/ • http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/ • http://www.reddit.com/r/netsec/comments/1o7jvr/bios_backdoor_bridges_airgapped_networks_using_sdr/ccpw67k • http://www.youtube.com/watch?v=5tF3UrCL2x8