NSA’s Own Hardware Backdoors May Still Be a “Problem from Hell”
Revelations that the NSA has compromised hardware for surveillance highlights the vulnerability of computer systems to such attacks.
That a government agency has purposely sabotaged computer hardware makes the challenges of the tactic more relevant than ever.
In 2011, General Michael Hayden, who had earlier been director of both the National Security Agency and the Central Intelligence Agency, described the idea of computer hardware with hidden “backdoors” planted by an enemy as “the problem from hell.” This month, news reports based on leaked documents said that the NSA itself has used that tactic, working with U.S. companies to insert secret backdoors into chips and other hardware to aid its surveillance efforts.
That revelation particularly concerned security experts because Hayden’s assessment is widely held to be true. Compromised hardware is difficult, and often impossible, to detect. Hardware can do things such as access data in ways invisible to the software on a computer, even security software. The possibility that computer hardware in use around the world might be littered with NSA backdoors raises the prospect that other nations’ agencies are doing the same thing, or that groups other than the NSA might find and exploit the NSA’s backdoors. Critics of the NSA say the untraceable nature of hardware flaws, and the potential for building them into many systems, also increases the risk that intelligence agencies that place them will be tempted to exceed legal restrictions on surveillance.
“Hardware is like a public good because everybody has to rely on it,” says Simha Sethumadhavan, an associate professor at Columbia University who researches ways to detect backdoors in computer chips. “If hardware is compromised in some way, you lose security in a very fundamental way.”
Despite a few allegations against various governments, there are no publicly confirmed cases of backdoors in computer hardware being deployed. However, in recent years security researchers have repeatedly demonstrated the power and stealth of compromised hardware, mostly by embedding backdoors into the firmware of PC components. One presentation at the Black Hat security conference last year showed off a way to backdoor a new PC so that even switching the hard drive won’t close the door (see “A Computer Infection That Can Never Be Cured”).
U.S. officials and policy makers have also spoken strongly about the possibility that such tactics might be in use by China, citing that government’s attitude toward the U.S. and the fact that a large proportion of all computer hardware is manufactured in the country (see “Why the U.S. Is So Afraid of Huawei”). However, until the recent reports, including a major piece in the New York Times earlier this month, there had never been specific public claims that a government was inserting secret vulnerabilities into computer hardware.
The Times report says, however, that the NSA inserted backdoors into some encryption chips that businesses and governments use to secure their data, and that the agency worked with an unnamed U.S. manufacturer to add backdoors to computer hardware about to be shipped to an overseas target.
“There has always been a lot of speculation and hinting about hardware being backdoored,” says Steve Weis, CTO and cofounder of PrivateCore, a startup whose software for cloud servers can offer protection against some kinds of malicious hardware. “This builds the case for that being right.” Weis believes that many companies in the U.S. and elsewhere will now think again about where their hardware comes from, and who has access to it. But scoping out potential problems is not straightforward for many companies, which now put data, software, and hardware in third-party locations to be run by cloud-hosting providers.
PrivateCore’s software for servers powering cloud services offers some protection against malicious hardware by encrypting data in a system’s RAM, or short-term memory. Data there is not usually encrypted, making RAM a good place for bad hardware attached to a system to covertly copy data and send it back to an attacker.
Weis says that in internal tests his technology defeated hardware attached to a server that attempted to copy data and send it out over the Internet, and that these results have been validated by rigorous tests commissioned from an outside security firm. However, the protection has its limits. “The one component we trust is an Intel processor,” says Weis. “We can’t really get around that today.”
Compromised chips are the most covert of backdoors, says Columbia’s Sethumadhavan. There is essentially no way for the buyer of a completed chip to check that it doesn’t have a backdoor, he says, and there are a multitude of ways that a design can be compromised.
“Making a chip is a global process with hundreds of steps and many different companies involved,” says Sethumadhavan. “Each and every step in the process can be compromised.”
Chipmakers usually buy third-party IP blocks to integrate into a final design. Slipping extra circuits into one of those outside designs would be the easiest way to backdoor a chip, says Sethumadhavan, because tools don’t exist to screen for them. “Right now there’s relatively little security validation that’s going on,” he says. “You pretty much trust the IP vendor you’re working with.” He estimates that tweaking a design block to include a backdoor would cost in the vicinity of only tens of thousands of dollars.
The Columbia group is currently working with a commercial fab company to test software it designed that can scan designs for possible backdoors. “They are trying out the tool on their line,” Sethumadhavan explains. Called FANCI, the tool analyzes a chip design, simulates how its circuits would operate, and looks for connections or circuits that almost never become active.
Such circuits are suspected of being part of a backdoor, because chip designers avoid wasting space or circuitry in designs since manufacturing chips is expensive.
The tool shows that even the trickiest of hardware backdoors can be hunted for, says Sethumadhavan; despite that, organizations determined to spread backdoors continue to have many opportunities to do so.
The most advanced research on detecting backdoors is likely being conducted by the NSA itself, inasmuch as the agency is also tasked with defending U.S. government systems. But nothing has been publicly said, or leaked, about how much progress the NSA is making. A statement from defense research agency DARPA late last year, in which it announced a new program to develop ways to detect backdoors, suggests the problem remains hellish even for the Department of Defense.
“DoD relies on millions of devices to bring network access and functionality to its users,” said Tim Fraser, DARPA program manager. “Rigorously vetting software and firmware in each and every one of them is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread.”