Why hardware hacks are more insidious
The first PC-class malware, the Jerusalem Virus discovered in 1987, was very appropriately classified as a virus. Biological viruses are small organic hardware containers designed to deliver software payloads effectively. The RNA payload of a virus is a list of instructions that executes much like software, attacking the hardware of its host in an attempt to alter the execution of host tasks. There have been many types of malware discovered over the past few decades, but since the vast majority of them are delivered as software, they can be thwarted by equally bright software and process-based counter-measures.
Server-based hardware hacks are analogous to genetic flaws in the host itself, which can lie dormant for months or years before being triggered. These could be processor architecture flaws, as we’ve seen with the reporting of Meltdown and Spectre earlier this year, or supply chain compromises as suggested recently by Bloomberg. When we unbox a new server, we trust that the supply chain up to that point has been secured, and that what we’ve purchased is what it claims to be. How do we know that’s true? Do we have to prove it by analysing every packet of data exiting every port on every server we’ve purchased, looking for out-of-policy traffic? Or should we take off the covers, tear the servers down to their component parts, then carefully inspect every part under a magnifying glass looking for anomalies?
The recent Bloomberg article hinted at a supply chain hardware hack where the RJ45 connector on the motherboard had been replaced with one that had been compromised. The hacked connector was shielded in metal both to hide the alteration and to act as a heat sink for the added chip. While this sounds somewhat ridiculous on the surface, shielded RJ45 connectors are nothing new, so a change like this could easily go unnoticed. Low power, or even no power, network taps have also been around for a while. This past weekend I stumbled across the above four-port RJ45 board for sale at the Hacker Warehouse that requires no power yet provides a pass-through port and two break-out tap ports. This product is less than $20 USD, and it demonstrates how very possible it is for someone to build a simple network hacking tool. A shielded RJ45 connector containing an additional micro-controller offering remote command and control over the system is not much of a jump from here, as chips offering these capabilities already exist.
There are only four ways for a server buyer to discover the above class of supply chain hardware hack:
- Watch all the traffic exiting the suspect port, looking for out-of-policy packets and network flows. This could take months or even years. It will also require an additional system to collect and analyse the network traffic, which is not very cost-effective.
- Monitor the heat this connector gives off and compare that to similar parts from other vendors. More heat would indicate a possible active component; even one passively waiting will draw some power.
- A covert spy chip of this nature may rely on Power over Ethernet, so perhaps, with the motherboard removed from the system, check the resistance between pins 4 and 7 along with 5 and 8 to see if something is looking to draw power.
- Then there’s always the destructive means of desoldering the connector and carefully disassembling it to determine if it’s the proper component.
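The first option in the list above, watching the suspect port for out-of-policy flows, can be sketched as follows. This is an added example, not code from the original post. The policy, the MAC and IP addresses, and the flow-record layout are all constructed assumptions, and the source-MAC check is an extra assumption beyond what the post describes.

```python
import ipaddress
from collections import defaultdict

# Assumed policy for one server port (constructed values, documentation ranges).
POLICY = {
    "src_mac": "02:00:00:aa:bb:01",   # the MAC provisioned for this NIC
    "allowed": [                       # (destination network, protocol, port)
        ("192.0.2.0/24", "tcp", 443),
        ("192.0.2.53/32", "udp", 53),
        ("192.0.2.123/32", "udp", 123),
    ],
}

# Constructed flow records as a passive tap or mirror port might export them:
# (epoch seconds, source MAC, destination IP, protocol, destination port, bytes)
FLOWS = [
    (1000, "02:00:00:aa:bb:01", "192.0.2.10", "tcp", 443, 5200),
    (1060, "02:00:00:aa:bb:01", "192.0.2.53", "udp", 53, 120),
    (4600, "02:00:00:aa:bb:01", "198.51.100.7", "udp", 53, 90),
    (90000, "02:00:00:aa:bb:01", "198.51.100.7", "udp", 53, 90),
    (91000, "02:00:00:aa:bb:99", "192.0.2.10", "tcp", 443, 300),
]

def violation(flow, policy):
    """Return a reason string if the flow is out of policy, else None."""
    _, mac, dst, proto, port, _ = flow
    if mac.lower() != policy["src_mac"]:
        return "unexpected source MAC"
    addr = ipaddress.ip_address(dst)
    for net, p, prt in policy["allowed"]:
        if proto == p and port == prt and addr in ipaddress.ip_network(net):
            return None
    return "destination not in policy"

def audit(flows, policy):
    """Group out-of-policy flows so rare, widely spaced events still add up."""
    findings = defaultdict(lambda: {"count": 0, "bytes": 0, "first": None, "last": None})
    for flow in flows:
        reason = violation(flow, policy)
        if reason is None:
            continue
        ts, mac, dst, proto, port, size = flow
        f = findings[(mac, dst, proto, port, reason)]
        f["count"] += 1
        f["bytes"] += size
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
    return dict(findings)

if __name__ == "__main__":
    for key, stats in audit(FLOWS, POLICY).items():
        print(key, stats)
```

Keeping first-seen and last-seen times per destination matters here because a dormant implant may produce only a handful of flows spread over months.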
My point here is that, unlike software vulnerabilities, merely diagnosing this class of hardware hack can be both challenging and physically destructive. So what do most enterprises buying servers do? We rack them up, install the OS and applications, press them into service, and pray our other counter-measures and security appliances keep us safe.
How about hardware suppliers? This series of Bloomberg articles, and responses to them, should have us all rethinking the trusted elements within our supply chain, and how we might explore opportunities to insert additional checks into our processes to prevent such supply chain vulnerabilities.