Chip hacking you say? That's right. This was quite a surprise to me but apparently some folks have started to explore the concept of making malicious semiconductors. The concept here is that a specially designed chip would be able to function just as the standard chip but would also allow back doors and access to data that would be undetectable from software. Of course, if you can access someone's physical computer, security has already been compromised. The danger here is not that someone will do a 'sneak and peek' and replace a systems microprocessors (though in theory this could happen; in reality it is far more likely that someone would take a copy of the hard drive to look at; install spy-ware or just plug in a key logger to be retrieved at a latter date).
What is of concern is that someone would put these chips into the commercial stream (or even target it at specific customers). If that sounds outlandish; you may be in for a surprise that some of the computer communications routers (the devices that send messages around the net) have already been hit by counterfeit chips. Indeed; in this case the routers that were purchased went to the US military. Although there is no proof at the moment that these chips were compromised (in terms of having a back door installed) no-one really knows. This has sent the Department of Defense scrambling to inspect all of it's routers for these phony chips (for those who think this sounds like overkill; it may be given that the US (and Chinese) governments have already insisted that communications equipment makers design their equipment to be able to allow transmission monitoring (Cisco documentation).
The interesting part here is that this is forcing government agencies to flip the usual "privacy for security" trade-off" discussion on its head. In this case, the way they can ensure the security of their populations, is though increased privacy (this is the same argument that people make about anonymity being important to avoid governmental tyranny). Although governments are likely to do a two-step about how what's good for them is bad for you; the real danger here is that chips coming from unidentified sources (say Fabs (fabrications facilities) outside of the US) and then put in products to be resold could have back doors waiting to be unlocked (or have the machines disabled at a critical time). The fear for governments here is obvious but the impact to business and users is also important. I'd love to see a solution for how to protect against malicious hardware (somewhat akin to the challenge of sending secret messages across monitored channels that encryption faced until public key encryption was discovered).
What is of concern is that someone would put these chips into the commercial stream (or even target it at specific customers). If that sounds outlandish; you may be in for a surprise that some of the computer communications routers (the devices that send messages around the net) have already been hit by counterfeit chips. Indeed; in this case the routers that were purchased went to the US military. Although there is no proof at the moment that these chips were compromised (in terms of having a back door installed) no-one really knows. This has sent the Department of Defense scrambling to inspect all of it's routers for these phony chips (for those who think this sounds like overkill; it may be given that the US (and Chinese) governments have already insisted that communications equipment makers design their equipment to be able to allow transmission monitoring (Cisco documentation).
The interesting part here is that this is forcing government agencies to flip the usual "privacy for security" trade-off" discussion on its head. In this case, the way they can ensure the security of their populations, is though increased privacy (this is the same argument that people make about anonymity being important to avoid governmental tyranny). Although governments are likely to do a two-step about how what's good for them is bad for you; the real danger here is that chips coming from unidentified sources (say Fabs (fabrications facilities) outside of the US) and then put in products to be resold could have back doors waiting to be unlocked (or have the machines disabled at a critical time). The fear for governments here is obvious but the impact to business and users is also important. I'd love to see a solution for how to protect against malicious hardware (somewhat akin to the challenge of sending secret messages across monitored channels that encryption faced until public key encryption was discovered).
No comments:
Post a Comment