We Have Met The Enemy

We are reminded once again that chips from foreign sources are at best a risky business and at worse are the components of a classic approach to war that deals death to its enemies not by a single blow but rather by a thousand little cuts.

And now we learn from this week’s Wall Street Journal’s report that Intel notified some of its customers of the security flaws in its processors, but left out the U.S. government as part of that notification. Some of the customers that Intel did notify included major Chinese technology companies.

This might imply that Intel is more concerned about the value of its equity on the NASDAQ than they are about the national security of the US or US businesses in general, but of course that can’t be true, can it?

Researchers who have been working on a test system so that users can determine whether their systems have been affected by the most recent hardware vulnerabilities known as "Meltdown" and "Spectre," report that almost every system manufactured since 1995, including most computers and almost every phone is affected by these two bugs.

They finished verifying their findings on Intel chips that date back to 2011 and concluded that the vulnerabilities affect operating systems and devices running on Intel processors developed anytime during the past 12 years, including Windows, Macs, and Linux systems.

While inadvertent bugs in software are tough to find and the purposely planted ones are even tougher, a backdoor planted in the hardware of the processor that runs a computer is nearly impossible. These particular vulns are invisible not just to the software operating systems, but to the chip’s designer as well. These bad boys can be added by the manufacturer as a single component hidden among hundreds of millions or billions, each less than a thousandth of the width of a human hair.

Two years ago a group of researchers at the University of Michigan built an insidious microscopic hardware backdoor proof-of-concept and then demonstrated that by running a series of seemingly innocuous commands on their minutely sabotaged processor, a hacker could reliably trigger a feature of the chip that gives them full access to the operating system. But the bigger “Aha” was proof that the microscopic backdoor couldn’t be caught by any modern method of hardware or software security analysis, and could be planted by a single employee operating independently in a chip factory.

This most recent discovery should not be surprising to anyone in the Cybersecurity community. Countries like China, Iran, and North Korea have been hacking into some of the most important businesses and government agencies for years now and we’ve heard what seems like countless reports of sensitive and confidential data being stolen from the Pentagon, NSA, CIA and various defense contractors’ networks. I am beginning to conclude that the lack of critical reporting about these events has less to do with the complexity involved and more to do with a reluctance to shine a light on our national vulnerabilities.

Think about it. We just learned that every laptop and phone manufactured in the last decade has a hardware backdoor that allows malicious actors to spy on and steal any information they want. Isn’t that sort of a big deal?

Back in 2012, our former U.S. counter-terrorism czar, Richard Clarke flatly stated that all electronics made in China may well have built-in trapdoors allowing malware to infect American systems on command. The malware could do everything from take over a device to disabling it to secretly siphoning information off of it.

Many of our military electronics parts are also sourced from China. U.S.-based defense contractors routinely buy things like processors and circuit boards from brokers in China, and those components end up on the Pentagon's most advanced weapons, including fighter jets and nuclear submarines.

So, the really interesting feature in the Michigan researchers’ backdoor project wasn’t its size, or the fact that it was hidden in hardware rather than software, but instead it was the fact that it easily violated the security industry’s most basic assumptions about a chip’s digital functions and how they could be sabotaged. Instead of merely changing the digital properties of a chip’s logical computing functions, the Michigan researchers created an analog backdoor that hijacks the actual electricity flowing through the chip’s transistors and uses it to trigger an unexpected outcome.

In their proof of concept, they added a single component to the mask (electronic data that define some basic steps of semiconductor fabrication) after the chip was fully designed and ready to be fabricated, which was a cell designed to act as a capacitor which could (and did) hold a temporary electric charge.

Every time some malicious code like a script on a website runs a certain obscure command, that capacitor cell steals a tiny amount of electric charge and stores it in the cell’s wiring without otherwise affecting the chip’s functions. With every repetition of that command, the capacitor gains a little more charge. After the trigger command is sent thousands of times, the charge hits a threshold and the cell switches on a logical function in the processor to give that malicious code full operating system access.

That capacitor-based trigger means it’s nearly impossible for anyone testing the chip’s security to discover the long, obscure series of commands that opens the backdoor. In addition, the capacitor will wait for a pre-determined time period and then repeat the charge leak again, closing the backdoor and completely removing any evidence that an event had occurred.

"Meltdown" and "Spectre" are designed to attack the fundamental isolation that separates kernel memory (the core of the operating system) from user processes, letting an attacker access whatever is in the affected device's memory, and trick applications into leaking their data. This would enable a low-privileged user account to run Javascript on a web-page and gain access to protected memory content.

All of the technology vendors and cloud service providers are of course scrambling to create and distribute critical patches and scheduling downtime to prevent would-be attackers from reading other processes on the same shared cloud server. 

I don’t know about you but this response doesn’t give me the warm and cozies. These patches that cause operating systems to change how they process data at the kernel level can often cause unintended headaches for security point solutions that depend on OS-level access.

And while these patches may be soon available, Intel and Apple and the others have publicly acknowledged that new processors will need to be completely re-engineered to avoid a similar problem in the future. This leaves existing affected devices with the after-effects of these vulnerabilities forever. Perhaps they are unaware of the U. Michigan research.

In that same interview back in 2012, Clark said “My greatest fear is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness is by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it ....

.... That it’s always just below our pain threshold ....

.... That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China. After a while you can’t compete.”

It appears we have met the enemy again, and it is still ourselves.