Hardware Exploits and Bugs

These are attacks on computer systems and networks based on exploiting hardware design or manufacturing bugs, or "not playing by the rules" in dealing with the hardware. The idea of violating the "rules" by freezing the semiconductors or overwriting Ethernet firmware data seems analogous to the very common software vulnerabilities caused by not fully validating user input. Well, maybe not just analogous, maybe we should consider frigid liquids or Firewire signals or Ethernet signals as user-supplied input just like packet contents or form data submitted to web servers.

What makes these different is that we don't generally have control of the hardware design and manufacturing. Yes, you could choose to buy an Ethernet card or CPU or motherboard from a different manufacturer, but you have to choose from what the existing market.

Furthermore, while there are some interesting open-source hardware projects, they are the exception and do not generally provide the features and performance needed. Enthusiasts must not forget that the features required by corporations and government agencies include a well-known and trusted hardware manufacturer.

Hardware Exploits

Modify the TPM (Trusted Platform Module) chip:

• In February, 2010, Christopher Tarnovsky announced a successful hardware exploit of an Infineon TPM chip.
  • Background: What is TPM?
  • Short overview at hackaday.com
  • Associated Press story
  • More technical article at Dark Reading, with links to more detail

Modify the processing hardware:

• University of Illinois researchers exploited a system by modifying its processing hardware. With Linux running on a programmable LEON processor, based on Sun's Sparc design, they changed 1,341 of the over 1 million logic gates. A carefully crafted network packet injected the malicious firmware, and the attacker could then login as a legitimate user. Note that this would require a processor programmed with an OS with malicious hooks — this seems far-fetched but US DOD warned of this very attack in February 2005 because a shift toward overseas integrated circuit manufacturing could present a security problem. This was reported at the Usenix Workshop on Large-Scale Exploits and Emergent Threats in April 2008, and described at http://www.techworld.com/security/news/index.cfm?newsID=11993

Freeze the memory:

• Princeton researchers reported cold boot attacks — literally cold boot. The problem — sensitive information such as passwords used for file system encryption and some file contents themselves may remain in RAM for surprising amounts of time, especially if the RAM is chilled.
  • Original work — http://citp.princeton.edu/memory/
  • Discussion —
    • New York Times 22 Feb 2008 — http://www.nytimes.com/2008/02/22/technology/22chip.html?_r=1
    • http://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html
    • http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html

Break in through the Firewire port:

• Winlockpwn is a tool where the attacker connects a Linux machine to the Firewire port. The attacker gets full read-write access to memory and the tool deactivates Window's password protection residing in local memory. Steal passwords, drop malware on the system, and so on. Similar hacks have been demonstrated against Linux and MacOS X.
  • Story — http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=211201211
  • Winlockpwn — http://storm.net.nz/projects/16

Break in through the network interface hardware:

• There's been some work on attacking the firmware on network interface cards, some of which focuses on permanently damaging the card. But more interesting work looks at attacking the NICs on a firewall so they do PCI-to-PCI data transfers, moving information down at a hardware level where firewalls don't look. There is speculation this might allow reading the disk device through its PCI-based controller. See the discussion at http://lwn.net/Articles/284162/, referencing an excerpt from the Robust Open Source mailing list.

Is Your Hardware Really What You Think It Is?

There have been stories of counterfeit hardware from Cisco modules down to integrated circuits for some time. The first thing I noticed explaining just how these parts get into the parts supply stream was this Business Week article, "Dangerous Fakes", subtitled "How counterfeit, defective computer components from China are getting into U.S. warplanes and ships":
http://www.businessweek.com/magazine/content/08_41/b4103034193886.htm

Given the horror stories it contains of entirely unmonitored suppliers chosen for U.S. military parts based largely if not entirely on their status as "disadvantaged", "woman and minority owned", and so on, I can see why the government didn't explain the details immediately....

Hardware Bugs

If the hardware won't even do what it's supposed to, there are big problems!

• Here is an interesting post about Intel Core 2 bugs: http://kerneltrap.org/node/8472
• Historical notes:
  • Remember the Pentium CPU's that were bad at floating-point division?
  • For some Pentium CPU's, a block of machine code starting 0xF00F will just plain halt it.

For a list of 80x86 bugs, see:

• Intel 80x86 bugs: http://www.x86.org
• CPU bugs: http://www.computerhope.com/help/cpu.htm

Security Page

Home Unix/Linux Networking Infosec Travel Technical Radio Site Map Contact