Hardware Trojans
Nathan Krussel

Overview
• Definition of hardware Trojan
• Forms of hardware Trojan
• Current forms of detection
• Ties to current research
• Review of new hardware Trojans
What is a hardware Trojan?
• Basics
  • Software Trojan/virus
    • Self-acting piece of code
    • Malicious intent
    • Can act unbeknownst to the host user
    • Can morph and change
  • Hardware Trojan
    • Similar actions to a software Trojan
    • Lives in the hardware of a chip
    • Unchanging
    • Tied to specific hardware
    • Can be code (firmware), hardware design, or HDL
Forms
• Firmware
  • Motherboard BIOS
  • Hard drive firmware
  • Routers and firewalls
• HDL (Hardware Description Language)
  • FPGAs
• Hardware
  • Additional chips (secret 3G chip)
  • Changed circuitry
  • Dopant Trojan
• Other creative ways that haven’t been discovered or announced yet
Current forms of detection
• Physical
  • All methods are currently destructive; the chip is no longer of use after analysis
  • Need to be an electrical engineer
  • Thermal patterns
    • Use thermal imaging to see changes in circuitry
  • Gate analysis
    • Look at each individual gate to make sure it matches the design
• Software
  • Fuzzing to see if anything “weird” happens
  • Operational testing to see if the output is what it should be
  • Not very secure
Current research into detection
• Automated thermal analysis
  • Using computers to speed up thermal profiling
• Automated gate inspection
  • Using computers to speed up gate analysis
  • Uses the original design to compare against
• Brute force software
  • Checks every possible combination of input and output to see if it matches the design
• These only detect whether the chip came back different from the design, not whether the difference was put there intentionally
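To show what the brute force approach buys over fuzzing, here is an added example (not from the slides or any cited research) on two constructed toy netlists: the fabricated one equals the reference on every input except a single eight-bit trigger pattern, which exhaustive comparison always finds and random sampling usually misses.

```python
"""Exhaustive vs. sampled equivalence check of a gate-level netlist. Added
example on constructed toy circuits, not a real chip: the "fabricated" netlist
equals the reference on every input except one eight-bit trigger pattern."""
from itertools import product
import random

INPUTS = [f"i{k}" for k in range(8)]  # eight primary inputs, 256 patterns

# Netlist: net -> (gate, input nets). Reference design: out = (i0 AND i1) XOR i2
REFERENCE = {"t0": ("AND", ["i0", "i1"]), "out": ("XOR", ["t0", "i2"])}

# Constructed fabricated part: same logic plus a trigger gate that is 1 only
# when all eight inputs are 1, XORed in so it flips the output on that pattern.
FABRICATED = {"t0": ("AND", ["i0", "i1"]), "trig": ("AND", INPUTS),
              "out": ("XOR", ["t0", "i2", "trig"])}

GATES = {"AND": lambda b: int(all(b)), "OR": lambda b: int(any(b)),
         "XOR": lambda b: sum(b) & 1, "NOT": lambda b: 1 - b[0]}

def evaluate(netlist, net, values):
    """Recursively compute `net`; `values` holds primary inputs and a cache."""
    if net not in values:
        gate, ins = netlist[net]
        values[net] = GATES[gate]([evaluate(netlist, n, values) for n in ins])
    return values[net]

def output(netlist, pattern):
    return evaluate(netlist, "out", dict(zip(INPUTS, pattern)))

def exhaustive_check(ref, dut):
    """Brute force: compare the two netlists on all 2^n input patterns."""
    return [p for p in product((0, 1), repeat=len(INPUTS))
            if output(ref, p) != output(dut, p)]

def fuzz_check(ref, dut, samples, seed=0):
    """Random sampling of input patterns; a 1-in-256 trigger is easily missed."""
    rng = random.Random(seed)
    found = {p for p in (tuple(rng.randint(0, 1) for _ in INPUTS)
                         for _ in range(samples))
             if output(ref, p) != output(dut, p)}
    return sorted(found)

if __name__ == "__main__":
    print("exhaustive:", exhaustive_check(REFERENCE, FABRICATED))  # one pattern
    print("20 random samples:", fuzz_check(REFERENCE, FABRICATED, 20))
```

Exhaustive comparison is only feasible for small combinational blocks, and as the slide notes a mismatch proves the part differs from the design, not why.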
Reviews of Suspected Hardware Trojans
• Carmel Tunnels Toll Road – Israel
• Intel RNG
• Intel Secret 3G chip
• Dell Motherboard Malware
• BadBIOS
• Defcon Presentation
• Not quite Hardware Trojans
Carmel Tunnels Toll Road
• Two main sides to the story
  • The AP says it was a targeted cyber attack that caused the road to shut down
    • Said the Trojan horse attack targeted the security camera system
    • Believes the attack came from unknown, sophisticated attackers, similar to Anonymous
    • Source was anonymous
Carmel Tunnels Toll Road
• Two main sides to the story
  • The company that operates the tunnel said on Israeli radio that it was due to control-system flaws
    • The shutdown could be related to a glitch that lost the video feed, thus shutting down the tunnel
  • “It feels more like another simple screw-up, the kind that happens every day with complex interconnected networks. Only this time the impact was felt and seen more widely.” – Steve Santorelli (Investigator, Team Cymru)
Carmel Tunnels Toll Road
• Additional findings
  • In the beginning there were rumors of it being a hardware Trojan embedded in systems throughout the control structure of the tunnel
  • Santorelli later said
    • “It’s quite likely the problems stemmed from hacks/viruses, but that’s not evidence of a cyberattack”
  • Even if a traffic control system gets infected with malware, it doesn’t mean it’s a targeted attack, as such systems run on common platforms such as Windows or Linux
Intel RNG
• A circuit-based hardware Trojan in the Ivy Bridge chipset, specifically in the Random Number Generator portion
• Would directly impact cryptographic functions
  • Reduces the random entropy from 128 to 32 bits
• This isn’t detected by the built-in self tests on the chip
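To make the last bullet concrete, here is an added example (not Intel's design or the researchers' code): a toy conditioner expands a 128-bit seed with SHA-256 in counter mode, and FIPS 140-2 style monobit and long-run checks pass whether that seed carries 128 bits of entropy or only 32, because such self tests measure how the output looks, not how many streams are possible. The `mix` function shows the defender-side response of never relying on a single hardware source.

```python
"""Why an output-statistics self-test cannot see lost entropy. Added example,
not Intel's RNG: a toy conditioner (SHA-256 in counter mode) expands a 128-bit
seed into an output stream; FIPS 140-2 style monobit and long-run checks pass
whether the seed carries 128 bits of entropy or only 32."""
import hashlib, os

SEED_BYTES = 16  # the conditioner always sees a 128-bit seed

def pad_seed(raw: int, entropy_bits: int) -> bytes:
    """Keep only `entropy_bits` low bits of `raw` and zero-pad to 128 bits.
    With entropy_bits=32 there are just 2**32 distinct seeds (and streams)."""
    return (raw & ((1 << entropy_bits) - 1)).to_bytes(SEED_BYTES, "big")

def conditioned_stream(seed: bytes, nbytes: int) -> bytes:
    """PRF expansion: SHA256(seed || counter) blocks concatenated."""
    out, ctr = bytearray(), 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])

def health_test(stream: bytes) -> bool:
    """FIPS 140-2 style checks on 20,000 bits: the number of ones must lie in
    9725 < ones < 10275 and no run of identical bits may reach length 26."""
    bits = "".join(f"{b:08b}" for b in stream[:2500])
    ones = bits.count("1")
    longest = max(len(r) for r in bits.split("0") + bits.split("1"))
    return 9725 < ones < 10275 and longest < 26

def mix(hw_output: bytes, independent: bytes) -> bytes:
    """Defender-side mitigation: XOR the hardware RNG output with an independent
    source, so a weakened hardware source cannot lower the result's entropy."""
    return bytes(a ^ b for a, b in zip(hw_output, independent))

if __name__ == "__main__":
    raw = int.from_bytes(os.urandom(SEED_BYTES), "big")
    for bits in (128, 32):
        s = conditioned_stream(pad_seed(raw, bits), 2500)
        print(f"{bits}-bit entropy seed: health test passes = {health_test(s)}")
```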
Intel Secret 3G chip
• A theory that all the new Intel Core series chipsets produced after 2011 have a secret 3G chip built into the processor
• Many have denounced this as a misinterpretation of the Intel announcement of new vPro processor features
  • Allows remote management and locking of the device through hardware
  • Only available on the vPro processor series (not all processors)
  • vPro can use a 3G antenna because it looks just like any other network card to the CPU
  • The laptop has to have a 3G antenna and an active plan/SIM for this function to be enabled
  • This also appears to be something you have to enable for remote management to work
    • At least according to Intel’s video animation
Dell Motherboard Malware
• In 2010 Dell had a delivery of motherboards that may have contained the W32.Spybot worm in their flash storage
• This was baked into the BIOS according to Gregory Wong (Forward Insights)
• A Dell quality management specialist wrote an email saying the code was accidentally introduced during the manufacturing of the server boards
• The malware was detected by the Dell management firmware during Dell’s initial testing
• To have been infected you’d have to be running an unpatched version of Windows 2008 or earlier
BadBIOS
• “Meet BadBIOS, the mysterious Mac and PC malware that jumps airgaps”
  • Title of an article on Ars Technica during the early stages (Halloween)
• What it could supposedly do
  • Infect the BIOS of both Macs and PCs
  • Infect USB keys
  • Avoid antivirus detection
  • Spontaneously update firmware (and infect it)
  • Change configurations
  • Delete data
  • Turn on and transmit on IPv6
  • Disable programs and CD boot
  • Use HFS to jump airgaps
BadBIOS
• Looks too good to be true?
  • Appears to be fake according to several researchers, analysts, and professionals on the web
  • While the individual pieces are possible/plausible, all of them together across different platforms is incredibly unlikely
  • BIOS in particular is incredibly finicky and precise
    • Each minor hardware revision has a different BIOS because of how BIOS is designed to work
    • A Mac, a consumer-built OpenBSD machine and a Windows machine are not likely to have the same BIOS
  • Packing all of this ability and code into a BIOS flash memory while keeping the machine fully bootable would be very hard
Defcon Video
• 11:40
• http://youtu.be/5tF3UrCL2x8?t=11m40s
Not Quite Hardware Trojans
• Digital picture frames
  • Sold at Best Buy, preloaded with malware
• Stuxnet
  • Attacked enrichment centrifuges
  • Specifically targeted Iran’s program
• Chinese computers preloaded with malware
  • Microsoft found 4 in a batch of 20 computers with “phone home” malware preloaded that ran on startup
• USB drives
  • Preloaded with an assortment of “goodies”
References
• http://abcnews.go.com/Technology/wireStory/ap-exclusive-israeli-tunnel-hit-cyber-attack-20696798
• http://www.tomsguide.com/us/israel-tunnels-attack,news-17781.html
• http://www.infosecurity-magazine.com/view/35289/cyberterrorism-shut-down-israels-carmel-tunnel/
• http://arstechnica.com/security/2013/09/researchers-can-slip-an-undetectable-trojan-into-intels-ivy-bridge-cpus/
• http://securityaffairs.co/wordpress/17875/hacking/undetectable-hardware-trojan-reality.html
• http://thehackernews.com/2013/09/Undetectable-hardware-Trojans.html
• http://www.intel.com/content/www/us/en/enterprise-security/what-is-vpro-technology-video.html
• http://www.infowars.com/91497/
• http://www.tomshardware.com/forum/id-1816242/secret-intel-chip-snoops-backdoor-access.html
• http://www.pcworld.com/article/201692/dell_revamps_hardware_testing_in_wake_of_malware_issue.html
• https://kc.mcafee.com/corporate/index?page=content&id=KB69538
• http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/
• http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
• http://www.reddit.com/r/netsec/comments/1o7jvr/bios_backdoor_bridges_airgapped_networks_using_sdr/ccpw67k
• http://www.youtube.com/watch?v=5tF3UrCL2x8