By SecureWorld News Team
Tue | Mar 17, 2015 | 3:53 PM PDT

Last week Kaspersky Lab (an anti-virus and security company) alleged, in a New York Times article, that the U.S. government has gone on the offensive with respect to cyber tools. Specifically, Kaspersky Lab alleged that hackers associated with the U.S. National Security Agency have buried spy software in the low-level firmware that initializes and controls a computer's hardware.

Given our experience designing and engineering various ROM BIOS and flash components, we see only two ways this purported activity could have happened. The first is the knowing cooperation, if not active assistance, of the hardware device manufacturers; in our opinion, post-manufacture firmware manipulation simply could not have happened. The second is surreptitious physical entry into the facilities of those hardware device manufacturers. Neither should come as any particular surprise: these are the kinds of things that intelligence services the world over do, in their own view, to protect and advance their country's cause, whether right or wrong in the eyes of others.

To understand why we believe one of these two methods must be the case, we should begin by reviewing the history of firmware flash procedures and components. Firmware flash attacks have been known for years. Here is a quick chronology of firmware flash incidents and the responses to them:

  • Flash parts were first introduced into mainstream computers around 1991. It was quickly discovered that a bad flash turned the computer into a brick, and the attack was correspondingly simple: overwrite the flash part with garbage, reboot, and you had a very effective denial-of-service attack.
  • To prevent this attack, a soft switch was defined that enabled re-flashing only after a power cycle. The idea was that you would boot from a floppy and the floppy would execute the flash. The attack evolved into a boot-sector virus combined with a bad re-flash: on the next power cycle the flash part was written with junk (as long as the infected floppy was in the drive), the system rebooted, and it was a brick.
  • To prevent that attack, the next generation of products had a physical flash switch. The computer had to be powered off and the case opened to set the switch and enable flashing; when done, you had to reset the switch to lock the flash again or you remained susceptible to the earlier attacks. This was a pain in the neck, so people eventually set the switch and never unset it. See previous attack...
  • To get around this, the next generation of flash parts implemented a flash boot block: a section of the flash part that, once written, could not be overwritten, and that held a minimal flash bootstrap. If your machine was flashed improperly, the boot block let you re-flash it. In addition, the overall process was modified to first copy the currently installed firmware to disk as a backup; the new BIOS was then flashed, and as the last step a checksum was calculated. If the checksum was not correct, the process offered the option to revert the flash. This worked relatively well, but how could one tell whether the image was a valid manufacturer flash or not?
  • The next generation of the flash process used a digital signature, which prevented an unsigned or modified BIOS from being copied into the flash part. This worked well, but the verification took time on every flash / re-flash.
  • Hence the next generation used a larger flash part with room for a second, staged image. The new image was loaded onto the device and then validated; only if it was valid was a bit set that enabled it for the next reboot, so an unverified image was never booted.
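The chronology above is easier to reason about as a state machine. The following is an added example written for this article, not code from the authors or from any BIOS vendor: it models a 1991-style part with no checks next to a part with a write-once boot block, two image slots and per-slot valid bits, and runs the checks in the order the generations added them (structure, checksum, then signature). The image layout (magic, 16-bit version, body, pad byte, tag), the `VENDOR_KEY` value and the use of HMAC-SHA256 as a stand-in for the vendor's asymmetric signature are all assumptions made so the example runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for this example. A real vendor signs with an asymmetric
# private key; an HMAC-SHA256 tag plays that role here so the example runs offline.
VENDOR_KEY = b"stand-in-for-vendor-private-key"
MAGIC = b"BIOS"
VERSION_LEN = 2
HEADER_LEN = len(MAGIC) + VERSION_LEN
TAG_LEN = 32


def checksum8(data: bytes) -> int:
    """Legacy option-ROM style additive checksum: a valid image sums to 0 mod 256."""
    return sum(data) & 0xFF


def build_signed_image(version: int, body: bytes) -> bytes:
    """Vendor side: header + body + one pad byte that zeroes the checksum + signature tag."""
    payload = MAGIC + version.to_bytes(VERSION_LEN, "big") + body
    payload += bytes([(-sum(payload)) & 0xFF])
    tag = hmac.new(VENDOR_KEY, payload, hashlib.sha256).digest()
    return payload + tag


def image_version(image: bytes) -> int:
    return int.from_bytes(image[len(MAGIC):HEADER_LEN], "big")


def verify_image(image: bytes) -> tuple[bool, str]:
    """Checks in the order the chronology added them: structure, checksum, then signature."""
    if len(image) < HEADER_LEN + 1 + TAG_LEN:
        return False, "too short"
    payload, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    if not payload.startswith(MAGIC):
        return False, "bad magic"
    if checksum8(payload) != 0:
        return False, "checksum mismatch"      # catches a botched or truncated write
    expected = hmac.new(VENDOR_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"          # catches a modified image whose checksum was repaired
    return True, "ok"


def tamper_keeping_checksum(image: bytes) -> bytes:
    """Attacker side: change one body byte and adjust the pad byte so checksum8 still passes."""
    payload = bytearray(image[:-TAG_LEN])
    payload[HEADER_LEN] = (payload[HEADER_LEN] + 1) & 0xFF
    payload[-1] = (payload[-1] - 1) & 0xFF
    return bytes(payload) + image[-TAG_LEN:]


@dataclass
class LegacyFlash:
    """The 1991-era part: a single region with no checks, so any write becomes the boot image."""
    image: bytes

    def reflash(self, image: bytes) -> str:
        self.image = image
        return self.boot()

    def boot(self) -> str:
        return "boots" if verify_image(self.image)[0] else "bricked"


@dataclass
class ProtectedFlash:
    """Boot block + two image slots + per-slot valid bits, as in the last two bullets above."""
    slots: list           # [image or None, image or None]
    valid: list           # [bool, bool]; a bit is set only after verification
    active: int = 0
    boot_block: bytes = b"write-once recovery loader"   # the reflash path never touches it

    def reflash(self, image: bytes) -> tuple[bool, str]:
        target = 1 - self.active          # the running image is never overwritten in place
        self.slots[target] = image        # the raw write always lands, good or bad...
        ok, reason = verify_image(image)
        self.valid[target] = ok           # ...but the slot is only enabled once it verifies
        return ok, reason

    def boot(self) -> str:
        """Boot-block logic: run the newest valid slot; with none valid, fall back to recovery."""
        candidates = [i for i in (0, 1) if self.valid[i]]
        if not candidates:
            return "recovery"
        self.active = max(candidates, key=lambda i: image_version(self.slots[i]))
        return f"slot{self.active}"


def run_scenario() -> list[str]:
    """Walk the chronology: garbage bricks the legacy part; the protected part refuses it."""
    factory = build_signed_image(1, b"factory firmware body")
    out = ["legacy: " + LegacyFlash(factory).reflash(b"\xff" * 64)]
    part = ProtectedFlash(slots=[factory, None], valid=[True, False])
    out.append("garbage: " + part.reflash(b"\xff" * 64)[1])
    update = build_signed_image(2, b"update body")
    out.append("tampered: " + part.reflash(tamper_keeping_checksum(update))[1])
    out.append("boot after bad updates: " + part.boot())
    out.append("signed: " + part.reflash(update)[1])
    out.append("boot after good update: " + part.boot())
    return out


if __name__ == "__main__":
    print("\n".join(run_scenario()))
```

The point the chronology makes is visible in `tamper_keeping_checksum`: a checksum alone is defeated by adjusting one pad byte, which is exactly why the signature step had to follow it, and the valid bit is what lets a bad write land in flash without ever being booted.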

With this background, let's talk about what needs to be done to enable the attack. The first question is where and how this bad flash mechanism could be introduced.

  • Perhaps at the computer manufacturer?
    • If we look at computer manufacturers, everything is global. Parts are acquired from global suppliers, assembled around the world, and shipped around the world. In general, a manufacturer does not know who the end users of a product will be. While they could say 'All product destined for XYZ country will contain this modification', that would not guarantee penetration, since there is no way to guarantee where a user will buy a product. There is no way to tell that a computer bought in France was used in Italy and then re-sold into a target country. Without this knowledge, how could it be modified with the bad flash? Would all computers have to carry the bad flash?
    • What if the computer manufacturers created a 'broken' flash for target countries? This could be easily detected by downloading the flash image and analyzing it, or simply by comparing it with the flash images shipped in other countries.
    • What if the manufacturer gave out their private signing key? This would have the same issue as above: targeting would be impossible, and detection could be easily accomplished (via a flash compare to see whether the image differs from the one provided elsewhere).
  • Perhaps at the flash part manufacturers?
    • If the flash part manufacturers had co-opted components, this could provide a good in-road despite the lack of end-user knowledge. Let's assume the defect is as simple as a backdoor in the chips' microcode that enables flashing with an unsigned image or unlocking with a 'special' code. Given that systems manufacturers are global and source flash chips from multiple vendors, all flash vendors would need to ship the same defect. Given that most flash chips are manufactured outside of the U.S., and that the masks and design information are fairly widely exposed within a company, could this happen without anyone leaking it?
    • If this were done on all flash parts, any product with flash would be attackable. Hence anyone with a ROM reader / burner could dump the part, disassemble it, and find the weakness.
    • Could someone manufacture a few chips with this 'feature'? Yes, but how would they deliver them to their target if they don't know which machine will be bought by whom?

Net / net: without actual knowledge of who is getting the system, it becomes impossible to target a facility from the outside.
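The detection argument made twice above (a region-specific or key-signed variant "could be easily detected by ... comparing it to multiple flash code from other countries") is a concrete check a practitioner can run on dumped images. The following is an added example for this article, not the authors' tooling: it buckets dumps by content hash so that a single odd-one-out is visible immediately, and then reports the exact byte ranges where a dump diverges from a reference, treating a length mismatch as a trailing difference so an appended payload is not missed. The sample dumps are constructed for the example and are not real firmware; region labels and the 64-byte image layout are assumptions.

```python
import hashlib
from collections import defaultdict


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def group_by_digest(dumps: dict[str, bytes]) -> dict[str, list[str]]:
    """Bucket dumps (label -> image) by content hash; one bucket means every source got the same image."""
    groups: dict[str, list[str]] = defaultdict(list)
    for label, image in dumps.items():
        groups[sha256_hex(image)].append(label)
    return dict(groups)


def differing_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Half-open byte ranges [start, end) where a and b differ.

    A length mismatch is reported as one trailing range, so an image that was
    padded or had data appended is flagged even if its common prefix is identical.
    """
    ranges: list[tuple[int, int]] = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    end = max(len(a), len(b))
    if len(a) != len(b):
        ranges.append((n if start is None else start, end))
    elif start is not None:
        ranges.append((start, n))
    return ranges


def compare_against_reference(dumps: dict[str, bytes], reference: str) -> dict[str, list[tuple[int, int]]]:
    """For every dump that differs from the reference image, return where it differs."""
    ref = dumps[reference]
    return {label: differing_ranges(ref, img)
            for label, img in dumps.items()
            if label != reference and img != ref}


# Constructed sample dumps (not real firmware): a 64-byte image as dumped from boards
# bought in five places. "xx" carries a 4-byte patch at offset 40, "yy" an 8-byte tail.
BASE_IMAGE = b"\x00" * 16 + b"BIOS v1.02 " + b"\x90" * 37
SAMPLE_DUMPS = {
    "us": BASE_IMAGE,
    "fr": BASE_IMAGE,
    "it": BASE_IMAGE,
    "xx": BASE_IMAGE[:40] + b"\xde\xad\xbe\xef" + BASE_IMAGE[44:],
    "yy": BASE_IMAGE + b"\x00" * 8,
}


if __name__ == "__main__":
    for digest, labels in group_by_digest(SAMPLE_DUMPS).items():
        print(f"{digest[:16]}...  {', '.join(sorted(labels))}")
    for label, ranges in compare_against_reference(SAMPLE_DUMPS, "us").items():
        print(f"{label}: differs from 'us' at {ranges}")
```

The hash bucketing is the cheap first pass: if every region hashes the same, there is no per-region variant to find. The range report is what you hand to whoever is going to disassemble the part, since it narrows the work to the bytes that actually changed.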

Now let's look at the attack from the hard drive manufacturers' perspective. First, let's assume we are talking about the three major hard drive manufacturers: Seagate Technology (including Maxtor and Samsung), Toshiba, and Western Digital (including HGST). If we assume the hard drives were the vector for the malware, we still have the same issues of flash controls, lack of end-user knowledge, and the sheer volume of hard drives being made and sold (estimated at 0.6 to 1 billion units in 2014) to get past. So can this really be a viable vector?

Kaspersky goes on to say, 'In many cases, it also allows the American intelligence agencies to grab the encryption keys off a machine, unnoticed, and unlock scrambled contents.' This statement is interesting in that it raises the question of how this could be done. Some drives implement encryption at the drive level (self-encrypting drives). In that case the key may be stored in NVRAM on the drive, or reconstituted when the system boots. If the key is stored in the drive's NVRAM, the claim makes sense. If it is not, we have to assume instead that the backdoor enables direct access to the files on the hard disk; while that sounds reasonable, the attacker would still need to scrape the key from the drive, and that runs into the technical problem of locating and identifying encryption keys on a file system.

Kaspersky's researchers then go on to say, 'what makes these attacks particularly remarkable is their way of attacking the actual firmware of the computers. But if the firmware becomes infected, security experts say, it can turn even the most sophisticated computer into a useless piece of metal.' Given the boot block and the other mechanisms described above, this may be an overstatement; then again, without backups it could be really difficult to repair.

That kind of attack also makes for a powerful encryption-cracking tool, Mr. Raiu of Kaspersky Lab noted, because it gives attackers the ability to capture a machine's encryption password, store it in "an invisible area inside the computer's hard drive" and unscramble a machine's contents. From a security perspective, if you have the key you do not have an encryption-cracking tool; you have the key. Of course, a key is of no use on its own without knowing the algorithm and format it was used with. This having been said, a recent article alleges that the malware resides on the hard drive and can be written into the drive's ROM. While this may be true, and data can be hidden in areas of the disk marked bad or irrecoverable, the real question is how the drive logic could know what data it wants to capture and then capture it (from either the drive or memory). Phrased differently, how can the drive know when valuable data is decrypted in memory, and then capture it? The malware author would need to overcome this issue, and be aware of the data and/or the environment, in order to capture it.

While we may not agree with some of the statements in the Kaspersky article, it is another illustration of just how advanced and sophisticated nation-state cyberwarfare is compared to the cyberattacks widely known in the public information security community. It should also be noted that Moscow-based Kaspersky Lab is, at the moment, pointing fingers only at American intelligence. Kaspersky Lab is silent about the fact that its own government's intelligence services conduct sophisticated hardware and software cyberattacks of their own, possibly even the very same attacks that Kaspersky blamed last week on the NSA.

Cyberwar between nation-state adversaries is ramping up. Both sides use an array of sophisticated attacks, and the battle ebbs and flows. All of us should remember when reading such news reports that there is every reason for foreign investigators such as Moscow-based Kaspersky Lab to slam the American NSA every chance they get, while remaining silent on what their own intelligence services are up to.

One thing all of us should be able to agree on readily: cybersecurity in the unclassified domain remains as elusive as ever. It will be many years, if not decades, before true cybersecurity becomes mainstream for most commercial organizations.

--------------------

Michael F. Angelo is the Chief Security Architect at NetIQ. Michael has been active in security for over 30 years and is a named inventor of pre-boot BIOS authentication mechanisms and infrastructures. He currently spends his time generating threat models and certifying products under Common Criteria, as well as presenting on low-tech attacks.

Paul Williams is the Chief Technology Officer of Pennsylvania-based White Badger Group. Paul has decades of innovation in the fields of cyber security, artificial intelligence, high-speed databases, software quality test engineering, and defense-related technologies. Paul is an active public speaker, nationally and internationally, on the subject of information security.
