Researchers built devious, undetectable hardware-level backdoor in computer chips

University of Michigan researchers developed an “invisible” backdoor built into computer chip hardware which would be nearly impossible to detect.


Oh goody, just what we need, more devious and undetectable surveillance in the form of an “invisible” backdoor built into computer chip hardware. I’m completely creeped out after reading “A2: Analog Malicious Hardware” (pdf), which won “best paper” at the 37th IEEE Symposium on Security and Privacy.

University of Michigan Department of Electrical Engineering and Computer Science researchers didn’t just dream up this undetectable hardware-level backdoor; they built it.

[Image: Testing setup for undetectable hardware backdoor]

The researchers don’t call it “surveillance,” but we’ll get back to that. A2 is a “new style of fabrication-time attack” which leverages “analog circuits to create a hardware attack” that is “small, stealthy, and controllable.” The “remotely-controllable privilege escalation” attack would be nearly impossible to detect.

In the words of Yonatan Zunger, Head of Infrastructure for the Google Assistant, “This is the most demonically clever computer security attack I’ve seen in years.”

This is not a hidden backdoor in software, but a malicious modification, a backdoor added to hardware, to a microchip. Tainted supply chains have long been a concern, since most chips are fabricated overseas by third parties. If added to a chip, the backdoor works like a capacitor, storing energy each time a triggering event occurs, for example each time you visit a website that contains hidden, malicious code – perhaps JavaScript, since it seems to be all over the interwebs.

Once triggered, after the capacitors store up enough electricity to be fully charged, it would “flip-flop,” or be switched on, to give an attacker complete access to whatever system or device contains the backdoored chip – be that a PC in a corporation, a personal laptop, a smartphone or an IoT device.

“Once the trigger circuit is activated, payload circuits activate hidden state machines or overwrite digital values directly to cause failure or assist system-level attacks.” The researchers added, “Since the goal of this work is to achieve a Trojan that is nearly invisible while providing a powerful foothold for a software-level attacker, we couple our analog triggers to a privilege escalation attack. We propose a simple design to overwrite security critical registers directly.”

“Experimental results show that our attacks work, show that our attacks elude activation by a diverse set of benchmarks, and suggest that our attacks evade known defenses,” the researchers wrote.

Even if you know hardware and are comfortable taking electronic devices apart, the modification is not visually obvious; on the contrary, it’s virtually invisible.

[Image: Analog malicious hardware test chip]

If you think it would be detected by testing, then think again; the researchers said that “attackers can craft attack triggers requiring a sequence of unlikely events, which will never be encountered by even the most diligent tester.”
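Why ordinary test workloads never trip a charge-accumulating trigger of the kind described above can be shown with a toy model. This is an added example, not code from the article or from the A2 paper; the charge, leak and threshold values, the per-tick leakage itself and the workload generators are all assumptions constructed for illustration.

```python
import random

# Constructed parameters for illustration; not values from the A2 paper.
CHARGE_PER_EVENT = 10   # charge units added each time the watched wire toggles
LEAK_PER_TICK = 2       # units that leak away every clock tick (assumed leakage)
THRESHOLD = 100         # "fully charged": the trigger output flips

def run_trigger(events):
    """Feed one boolean per tick (True = watched wire toggled).

    Returns (activation_tick or None, peak_charge_seen).
    """
    charge = peak = 0
    for tick, toggled in enumerate(events):
        if toggled:
            charge += CHARGE_PER_EVENT
        peak = max(peak, charge)
        if charge >= THRESHOLD:
            return tick, peak
        charge = max(0, charge - LEAK_PER_TICK)
    return None, peak

def random_test_workload(ticks, toggle_prob, seed):
    """Constructed stand-in for a benchmark: the wire toggles at random."""
    rng = random.Random(seed)
    return [rng.random() < toggle_prob for _ in range(ticks)]

def periodic_workload(ticks, period):
    """The wire toggles once every `period` ticks."""
    return [t % period == 0 for t in range(ticks)]

def demo():
    """Run the model over four constructed workloads."""
    return {
        "random, 5% toggle rate": run_trigger(random_test_workload(20_000, 0.05, seed=1)),
        "1 toggle per 5 ticks": run_trigger(periodic_workload(20_000, 5)),
        "1 toggle per 4 ticks": run_trigger(periodic_workload(20_000, 4)),
        "toggle every tick": run_trigger(periodic_workload(20_000, 1)),
    }

if __name__ == "__main__":
    for name, (tick, peak) in demo().items():
        print(f"{name:24s} activated_at={tick} peak_charge={peak}")
```

In this model the trigger only fires when the toggle rate on that one wire stays above the leak rate for long enough, so the peak charge reached during a test run says how far a test suite was from exercising it.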

University of Michigan researcher Matthew Hicks told Wired that governments may have already come up with this attack. “By publishing this paper we can say it’s a real, imminent threat. Now we need to find a defense.”

With the feds wanting a backdoor into encryption, and basically any app and online site, this seemed like it could be leveraged for more than cyber-espionage by nation-state attackers. Couldn’t it also be used for surveillance?

Browsing history can land you onto the no-fly list?

Then again, surveillance may have come to mind based solely on the order in which I read the news. Before reading the research paper, I found out that by researching ISIS, such as for an article, you could land on the no-fly list. Although President Obama was actually responding to a gun shop owner about Second Amendment rights during PBS NewsHour, he added:

I just came from a meeting today in the Situation Room in which I got people who we know have been on ISIL web sites, living here in the United States, U.S. citizens, and we’re allowed to put them on the no-fly list when it comes to airlines, but because of the National Rifle Association, I cannot prohibit those people from buying a gun.

This is somebody who is a known ISIL sympathizer. And if he wants to walk in to a gun store or a gun show right now and buy as much — as many weapons and ammo as he can, nothing’s prohibiting him from doing that, even though the FBI knows who that person is. 

Surely that doesn’t mean lurking, or even actively trolling ISIS, puts you on some FBI watchlist as well as the no-fly list, but it would be nice for that to be more fully explained. You’d think there has to be more to it, but a person can land on the NSA’s radar and watchlists just by being privacy-conscious, using Tor or by visiting the Linux Journal, which the feds consider to be an “extremist forum.”

A2: Analog Malicious Hardware is a scary scenario

Although Google's Zunger suggested “state-level actors” would be most interested in the “demonically clever,” undetectable hardware-level backdoor, he added, “I don't know if I want to guess how many three-letter agencies have already had the same idea, or what fraction of chips in the wild already have such a backdoor in them.”

Whether it was used for insidious surveillance or a slick, sic attack, it’s a fairly scary scenario. The researchers outlined possible new testing technologies which could be developed to detect the “undetectable” analog malicious hardware backdoor.
