Open Source Code is not a cure-all


One of the speakers at the CCC meeting checked whether the use of open source equipment can solve known hardware problems.

Many people consider open source software more secure than self-developed software. A similar theory is now increasingly applied to hardware. At the 36th edition of the Chaos Communication Congress (36C3) last month, experts Andrew "bunnie" Huang, Sean "xobs" Cross and Tom Marble questioned the idea that using open source is enough to solve the problems of trust in hardware.

Differences between hardware and software in terms of trust

The security of open source software rests not only on its openness but also on widely used tools that ensure the program running on the endpoint remains faithful to the published source code. For example, programmers sign their software with a digital certificate that is validated by the system before the software runs on the user's computer.

When it comes to hardware, things are a bit different. Since there are no hardware hashes or digital signatures, users have no tools to authenticate their hardware against the published information about it. The last time devices and chips are checked is at the factory. And the longer the gap between the factory check and the use of the device, the greater the chance of a successful MITM attack.

Potential dangers

Generally speaking, anything can happen from the moment chips and devices leave the factory to the first time they are used. For example, the firmware can be changed (firmware is, of course, software, so it can be checked, but you still have to rely on the hardware to perform the verification). That's why Huang focused on problems that are closely related to the hardware itself, such as component replacements, modifications, and implants.

Adding components

Today, an unauthorized module can be inserted even into a USB charging cable. Naturally, the more complex the equipment and the more components it contains, the easier the manipulation, because there are many more places to put an implant. The only good news is that an added chip is relatively easy to spot.

Replacing Components

The simplest substitution is to manipulate the marking. A real-life example: a visual inspection of a malfunctioning microcontroller showed that the marking (from STMicroelectronics) was on a completely different chip. In this case, the scam was to replace a more expensive item with a cheaper one, but the replacement could just as well be anything else.

Chip modification

People usually think that chips cannot be modified outside the factory, but this is not true. In many cases, what we see as a single chip is actually several separate microcircuits connected together. An experienced attacker can thus include one more small element in such a package.

In fact, the equipment needed for this is relatively cheap and readily available (according to the speaker, a Chinese wire-bonding machine costs around $7,000), although the modification will be detectable by X-rays.

WL-CSP (Wafer-Level Chip-Scale Package) packages are much more expensive to modify, but X-rays will not reveal the tampering in them.

Integrated circuit modification

Companies usually design the chips but outsource their production, as only large market players can afford to produce their own chips. This situation means that there are many ways to modify the final product so that it still complies with the specification. Moreover, once a chip or device leaves the walls of the design studio, rarely does anyone bother to check that the resulting product conforms to the original specifications.

At which stage can hardware be changed?

The presenter discussed several swap scenarios, ranging from quite complicated (intercepting cargo on the way, as an example of an extreme version) to relatively easy. In general, anyone can buy a product, make changes to it, and return it to the retailer, who can resell it. At various stages of order fulfillment, the packaging team (at the manufacturer's), customs agents and many others have access to the equipment, and each of them can make changes to it. So using open source hardware will not significantly improve security in all situations.

Conclusions

Towards the end of his presentation, Huang wondered what changes in hardware manufacturing could enable end users to verify the security of chips and devices. 

Not all ways of turning hardware into an unsafe variant are expensive or time-consuming. Importantly, there is no direct relationship between the complexity of an attack and the difficulty of detecting it. Business users should be aware of the risks and not rely solely on endpoint security products; corporate infrastructure protection systems repel advanced threats and targeted attacks.