Schneier on Security

Clive Robinson • October 11, 2018 10:03 AM

@ Bruce,

My lone hesitation to believing this is not seeing a photo of the hardware implant. If these things were in servers all over the US, you’d think someone would have come up with a photograph by now.

Yes and no.

First of how many NSA / GCHQ and other SigInt agencies hardware implants have been found in the wild and photographed?

Now assume some have been found, consider the reasons they might not be publically exposed as photographs or anything else for that matter…

It boils down to the target and their motivations rather than those of the attacker.

As far as I’m aware the only hardware to get photographed and made public by the MSM was the UK’s Guardian newspaper, after GCHQ’s “Tweedle dee and Tweedle dum” show went up to London from Cheltenham on a shoping trip, then drop by the Guardian’s basment to over see the destruction of the laptop that the Ed Snowden trove of documents had been on. The Guardian only did this to embarrass a certain very senior UK civil servant that should have known better decided to get into a “pissing match” with the senior at the Guardian and lost. Thus made a fool not just of himself but GCHQ personnel and revealed what might well have been “secret information” with regards what chips on the motherboaed of the laptop could have either a hardware or software implant/persistant malware.

People talk a lot about hardware and software implants in the supply line. Yes there have been a few there was IBM PC malware put on Apple iPods, and a well known supermarket chain had hardware implants conyaoning a cellular phone insert put in ePOS terminals.

By and large though the majority of what might be classified as implants have been installed by the manufacturer. Sony with the stolen FOSS they put on audio CDs, US mobile phone companies with the CarrierIQ technical support software, Lenovo with their varient of BadBIOS and just about every supplier of Android OS, MS with Win8 and above telemetary, god alone knows how many “walled Garden” apps.

The common thread beying mostly, “software” from the first link” of the supply chain on every system. Which as I’ve previously pointed out is the best solution for indiscriminately gathering data, but just about the worst for covert data collection. Which is why SigInt agencies appear to go for the last link in the supply chain and highly targeted.

Whilst a large or custom order may be known to the manufacturer, it’s actually not in their interest to implant all the motherboards but actually just a tiny fraction of them.

This is because the level of “Goods Inward Test” (GIT) required to find hardware implants involves more or less the compleate destruction of the “Device Under Test” (DUT). Not only is such GIT very very explensive it destroys the DUT. Thus the customer is going to only test at best a very very small fraction of the boards to this level. Almost certainly a lot less than 1%.

Now if you installed an implant in only one or two boards in a large order or repeate order again say a lot less than 1% then the chance of the implant actually being found is corespondingly very slight.

If the purpose of the implant is just to establish a toe hold and then exploit the other motherboarfs sideways across the network then instal a Core Memory (RAM) only item of malware as part of an “insider attack” then providing a false trail to how the malware got on the systems would not be overly difficult.

So whilst the idea of “seeing is believing” via a photograph is appealing the odds of it happening are very very slight indead.

Certainly not something I would cross my fingers for, let alone hold my breath, because the odds of it happening are way way to small.

Oh another thing is software implants are very difficult to atrribute which gives a covert operation lots of deniability. Using a chain of three “software vectors” allows what apear as “bugs” not “implants”, with the actuall “malware upload” comming across the network just as you would expect with a zero day or two. Thus just one implant in a whole server farm would be sufficient and the actual infection of the other motherboards looking like the result of a phishing attack or similar, not an actuall implant.

It’s kind of the way I would do things, and I’ve been saying just that for nearly two decades, so other people jave had plenty of time to think the same thing up…

Clive Robinson • October 12, 2018 5:51 AM

@ tfb,

I’m sure someone has suggested this…

They have.

Have you ever noticed that the US only ever has on “existrntial thteat nation” at a time? And appears to select them from a short list of China, Iran, North Korea and Russia.

Well obviously those nations don’t say “OK fellers it’s my turn this month” to the others on the list, thus they are either all continuous threats or they are not. More likely than not they are actually not, they are nations that don’t think they should “toe the US line” and have built thrmselves up to the point where the US can not just “send in the boys”. Some years ago both India and Packistan were on the “US shit list” but by going nuclear they either got left alone or a seat on the “top table”. Other nations that started to look into gowing nuclear ended up getting invaded.

It’s not just US Politics there is a plan behind it. The US is it’s self a “vassal nation” to the oil producing nations, if OPEC coughs then Washington gets the sweats. But unlike many politicians and citizens some policy wonks are looking to the time when fossil fuels will be scarce. Thus the next “energy security” step for a nation is “go nuclear” yes it’s expensive and yes it is dangerous but unlike green energy it is dependable over “political time scales”. Thus the wonks have worked out that if they stop countries going nuclear then they have control over them, just as Putin currently does with his hand on the “gas tap” in winter.

Energy is becoming the new “water” that history has shown us many bitter genocidal wars were fought over (look up the history of “water rights” and “water wars”).

At the end of the day mankinds needs don’t actually change that much, but the scale of them does as does which is the scarcity at the time. Thus we see patterns in history that happen time after time, often a bit bigger in size of conflict and the fire lighting spark will be different, but the general lead up and conflict follow recognisably the same paths…

But that “one existential threat nation at a time” gag is right out of the George Orwell “play book”, and it was not new to him or various Roman Observers two thoudand years before him.

Clive Robinson • October 12, 2018 7:14 AM

@ Phaete,

Then they stop any analysis, do not consult further specialists and somehow throw away the evidence?

That’s not actually what is said in what you quoted.

One reason might be they contacted the FBI or other US National Security entity (there are quite a few) and the investigation then got taken over by the entity along with documents and other findings as “evidence”[1].

I’m not saying this is what happened but those who have started in on computer forensics have got used to “investigations getting taken over” by others as part and parcel of the job.

As for the credability of the journalists, their emoloyers don’t actually have much credability either. So… Bad apples falling close to the trees etc etc.

[1] I’ve come across this “evidence” excuse by UK Police to take away equipment to stop any further investigation. Trying to get back your equipment becomes an impossible task… When it was tried on another occasion I was prepared and gave them “dummy equipment” as there was never any come back that tells you virtually everything you need to know about their investigation.

Clive Robinson • October 13, 2018 4:11 AM

Another view point

@AlanS posted this link on the current squid page,

https://krebsonsecurity.com/2018/10/supply-chain-security-101-an-experts-view/

Around the time the first Bloomberg story was starting Brian Krebs intetviewed Tony Sager, Senior Vice President at the Center for Internet Security.

Tony is currently seen as a cyber-security evangelist and was a reviewer of code at the NSA.

He makes several comments about why some of the “perceived wisdom” in the industry is wrong, and why it realy falls down to perception of probabilities.

That is we can not audit all code, so you audit some and when you find an abnormality you make a big noise about it thus in effect scaring other coders into better behaviour.

Likewise you can not audit all hardware so instead you implement strong auditing and the equivalent of the “Two Key Launch Protocol”, where no one individual can make changes to the production process.

There is actually not much new in this for anyone who has worked in an environment with high levels of Quality Assurance.

What also gets mentioned is the thorny problem of security economics as it applies to the Internet of Things. With the suggestion that a model along the lines of the US Food and Drugs administration be adopted.

However Tony does make this comment,

It’s now almost impossible to for consumers to buy electronics stuff that isn’t Internet-connected. The chipsets are so cheap and the ability for every device to have its own Wi-Fi chip built in means that [manufacturers] are adding them whether it makes sense to or not. I think we’ll see more security coming into the marketplace to manage devices. So for example you might define rules that say appliances can talk to the manufacturer only.

Actually demonstrates one of the major problems with “prescriptive” rule making. I for one see many problems with the “talk to the manufacturer only”.

Firstly but by no means the least, is I don’t want my potentially PII data going outside my defined perimeter. But more importantly it’s a form of unacceptable consumer lock in. We’ve seen similar with Amazon products, they sell to consumers and if there is insufficient income, not only do they stop supplying the product they turn off the “remote” asspect making all sold devices instantly useless.

But there is also the jurisdictional issue. Whilst a US rule might say “send to manufacturer only” the manufacturer might be in China which has an entirely different legal code. One of the reasons the EU brought out the EU-GDPR is because many US entities were cheating on the previous “safe harbour agreement”. The simple fact is though that unless another nation is prepared to honour the US or EU rules, once the data has left the jurisdiction there is little or no remedy.

The point is prescriptive rules have side effects many of which are undesirable, but worse are not seen at the time the rule is put in place. Thus you can end up over time with a veritable rabbit warren of tunnels made of exceptions before the original rule. Thus you end up with a great deal of complexity which we know will get exploited in one or more ways.