Hardware backdoors



  • How much of an issue are hardware backdoors in relation to firewalls/routers, especially when the firewall is running an open source OS and open source drivers (like pfSense) to control the hardware?



  • It's more of an issue when running commercial solutions, I'd imagine.
    I'd think one would go open source OS to escape that issue  ;)


  • Netgate Administrator

    I would only worry about that (at all) if your system has some sort of out-of-band access like HP's iLO. Not that I'm implying anything about iLO.  ;)
    It's possible to imagine a rogue firmware that mirrored an internal port on the out-of-band port, for example.
    You would think something like this would be reported fairly quickly though.

    Steve



  • I might worry for all major / popular commercial US and Chinese brands of equipment and OSs.

    I like open source because it's open code and can be audited by anyone with eyes.

    (I also prefer older motherboards that have no support for remote diagnostics or administration of BIOS features etc.)

    And…  I wouldn't use virtualization at all if security and privacy are to be the words of the day.

    If 100% reasonable paranoia guided me I'd also want no managed switches and a minimum of packages and add-ins.



  • @kejianshi:

    I wouldn't use virtualization at all if security and privacy are to be the words of the day.

    Hmmm.. I wonder what you base your info on .. :o

    If configured correctly, virtualization is safe and secure ;)

    Like any hardware.. even if it's from the '90s.. if not configured correctly it will pose a security risk.



  • Hmmmmm…  I'm just guessing.  ::)
    It's more of a feeling than a fact.  I'm sticking with that story.

    "If configured correctly virtualization is safe and secure" - Depends on who you want to be safe and secure from, but basically, I disagree.

    I run virtualized machines at home BTW, but if I was hosting a server for political activists, for example, I wouldn't.

    I'm extremely distrustful of machines that have layer upon layer of complexity.



  • @senser:

    How much of an issue are hardware backdoors in relation to firewalls/routers, especially when the firewall is running an open source OS and open source drivers (like pfSense) to control the hardware?

    :)

    https://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives

    Open source is insecure myth

    Some people are of the mindset that because the source is open, it's insecure because everyone can see how it works. Anyone who has paid any attention to security over the past 20 years knows the absurdity of that statement. No software relies on the obscurity of source code for security. If there was any truth in that, Microsoft Windows would be the most secure OS ever created, when the reality is all of the open source operating systems (all the BSDs and Linux) have security track records that are worlds better than Windows'. History proves the same applies to any software. Internet Explorer is continually hit with major security holes that many times take weeks to patch while they're being exploited in the wild, while open source browsers Firefox, Chrome and others have had significantly better security track records.

    The widespread UPnP vulnerabilities announced in 2013 affecting over 300 commercial products is another good example. The vendors of hundreds of commercial products made extremely basic security mistakes, shipping with absurdly insecure defaults, and shipping outdated software. That's never been an issue with pfSense. That's just one example of where we've done a better job than many commercial vendors.



  • And that's just the accidental security holes.  Never mind the hidden intentional ones to facilitate law enforcement and others.
    But I guess if you have nothing to hide you have nothing to worry about - or so I've heard.



  • @kejianshi:

    And that's just the accidental security holes.  Never mind the hidden intentional ones to facilitate law enforcement and others.
    But I guess if you have nothing to hide you have nothing to worry about - or so I've heard.

    In that case I'd imagine that open source stuff that is continually under scrutiny by the community would be the first to be found out if there was something to find.

    Otherwise it's all about how much access you allow - either via config or physical contact, such as from an employee plugging something in on the LAN side.



  • Correct - My point exactly.



  • I have never understood FOSS to be a security problem in any way! To the contrary. Me mentioning open source in the original question was sort of the result of me not yet understanding what I really wanted to ask. Sorry for the confusion.

    My question is probably more like: how much can hardware have a life of its own, without the OS being in control of the resources being accessed by the hardware? For example, take DMA:

    Direct memory access (DMA) is a feature of modern computers that allows certain hardware subsystems within the computer to access system memory independently of the central processing unit (CPU).[1]

    The DMA controller is controlled by the CPU, but can you trust the DMA controller to do what it is told?

    How about "bus mastering":

    In a bus mastering system, both the CPU and peripherals can be granted control of the memory bus. Where a peripheral can become bus master, it can directly write to system memory without involvement of the CPU, providing memory address and control signals as required.[1]

    OTOH, everyone knows that there are tools like tcpdump and any obvious remote backdoor can be easily exposed.
    BUT: there might still be information transmitted that these tools do not capture at all, or messages that disguise themselves as "normal" traffic…

    And this is probably what I really want to know: is it even possible for FreeBSD to protect us from hardware manufacturers exploiting hardware architectures?

    Would we have to allow only encrypted information into memory? But how do you do math on encrypted data? Hmm..

    1 https://en.wikipedia.org/wiki/Direct_memory_access
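As an added example (not part of the thread, and not pfSense or FreeBSD code): the OS-side answer to the bus-mastering question above is the IOMMU (Intel VT-d, reported by Linux as "DMAR", or AMD-Vi). With it on, a peripheral can only reach the physical pages its driver mapped for it; with it off, or in the "passthrough" default that gives every device an identity map, any device with BusMaster+ set in its PCI control register can read or write all of RAM. The snippet below classifies the IOMMU state from Linux boot messages, lists bus-master-capable devices from `lspci -vv` output, and reports which devices are exposed. All boot-log and lspci text is constructed for the example; the only live call is the sysfs directory check.

```python
import os
import re

# Constructed sample boot logs (not captured from a real machine).
DMESG_VTD_ON = """\
[    0.012345] ACPI: DMAR 0x000000007A8E1000 000070 (v01 INTEL  EDK2     00000002      01000013)
[    0.345678] DMAR: IOMMU enabled
[    0.456789] DMAR-IR: Enabled IRQ remapping in x2apic mode
[    1.234567] iommu: Default domain type: Translated
"""
DMESG_VTD_PASSTHROUGH = """\
[    0.345678] DMAR: IOMMU enabled
[    1.234567] iommu: Default domain type: Passthrough (set via kernel command line)
"""
DMESG_VTD_OFF = """\
[    0.012345] ACPI: DMAR 0x000000007A8E1000 000070 (v01 INTEL  EDK2     00000002      01000013)
[    2.345678] e1000e: Intel(R) PRO/1000 Network Driver
"""

# Constructed `lspci -vv` excerpt: two bus masters (NIC, NVMe) and one device that is not.
LSPCI_VV = """\
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection I217-LM (rev 04)
        Subsystem: Lenovo Ethernet Connection I217-LM
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
01:00.0 Non-Volatile memory controller: Samsung Electronics Co Ltd NVMe SSD Controller SM981/PM981/PM983
        Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
00:1f.3 Audio device: Intel Corporation 8 Series/C220 Series Chipset High Definition Audio Controller (rev 05)
        Control: I/O- Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
"""

# PCI slot at the start of an unindented line: "00:1f.6 Ethernet controller: ..."
PCI_HEADER = re.compile(r"^([0-9a-f]{2,4}:[0-9a-f]{2}\.[0-7])\s+(.*)$")


def iommu_status_from_dmesg(text: str) -> str:
    """Classify DMA-remapping state from Linux boot messages.

    'off'         no IOMMU activated: every bus master can reach all of RAM
    'passthrough' IOMMU up, but devices get an identity map by default (no isolation)
    'on'          IOMMU active with translated domains: devices see only mapped pages
    """
    if re.search(r"Default domain type: Passthrough", text):
        return "passthrough"
    if re.search(r"DMAR: IOMMU enabled|AMD-Vi: Found IOMMU|Default domain type: Translated", text):
        return "on"
    return "off"


def iommu_status_from_sysfs(root: str = "/sys/kernel/iommu_groups") -> str:
    """Live check on Linux: the kernel creates one directory per isolation group.
    No directory, or an empty one, means no IOMMU is in use."""
    try:
        return "on" if os.listdir(root) else "off"
    except FileNotFoundError:
        return "off"


def bus_masters(lspci_vv: str) -> list:
    """Return [(slot, description)] for devices whose Control register shows BusMaster+,
    i.e. devices the host has allowed to initiate memory transactions on their own."""
    result, current = [], None
    for line in lspci_vv.splitlines():
        m = PCI_HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
        elif current and line.lstrip().startswith("Control:") and "BusMaster+" in line:
            result.append(current)
    return result


def dma_exposure_report(dmesg: str, lspci_vv: str) -> dict:
    """Combine both views: without a translating IOMMU, every bus master is exposed."""
    status = iommu_status_from_dmesg(dmesg)
    masters = bus_masters(lspci_vv)
    return {"iommu": status, "bus_masters": masters, "exposed": masters if status != "on" else []}


if __name__ == "__main__":
    for label, log in (("on", DMESG_VTD_ON), ("passthrough", DMESG_VTD_PASSTHROUGH), ("off", DMESG_VTD_OFF)):
        print(label, "->", dma_exposure_report(log, LSPCI_VV))
    print("this host (sysfs):", iommu_status_from_sysfs())
```

Two caveats a practitioner would add. First, "on" only means a device is confined to what its own driver mapped; a rogue NIC can still corrupt the packet buffers and descriptor rings it was legitimately given, so the IOMMU limits the blast radius rather than removing the trust in the device. Second, this parses Linux output; on FreeBSD (and therefore pfSense) the equivalent is the Intel DMAR driver, which as far as I recall is switched on with the `hw.dmar.enable` loader tunable, so check your release's loader.conf(5) and kernel sources rather than taking that name on faith.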



  • That's why I don't like too many "features" on the mobo of the firewall.  Some motherboards these days have all sorts of features that could, in theory, allow an intruder to examine pretty much everything that's happening in the OS remotely without any need of hacking the OS.

    This was based on a software exploit
    http://en.wikipedia.org/wiki/Blue_Pill_(software)

    But with the wrong hardware, I imagine the same effect could be had with malicious hardware, no thin hypervisor required.
    If you believe the news, all phones are already there, so why not mobos and NIC cards etc…  etc...
    (By malicious I mean malicious to the consumer - but on purpose)


  • Netgate Administrator

    Anything that has an IP or could potentially get an IP could be sending information back to China. I'm not going to start worrying about a device built into my keyboard or something because to retrieve the information from it would require physical access and once someone has that they could get anything anyway.
    Things that I might worry about would include, in rough descending order of worry: routers, layer3 switches, layer2 switches, out-of-band management devices, network printers. Anything with an IP.

    To be honest I'm not that worried about any of that. You are far more likely to be hacked by someone with a phone that has been compromised.

    Steve



  • Yeah - You can't worry about EVERY piece of hardware or software made, but you can avoid the known offenders.



  • @kejianshi

    Interesting thread and question.

    I was thinking about the same as you. Using Commercial products or open-source software. In the days of NSA affairs this comes again more in my focus. Of course there are other institutions or groups which do the same as the NSA but today it's in the media.

    So in general I would agree that open source firewalls would be "more secure" when looking at backdoors, because the code is open source and everyone can look at the code. And I would be sure that even if some institutions support open source products to implement backdoors, someone else in the world would find this and publish it.

    Further you were talking about virtualisation. Virtualisation with KVM or qemu is also open-source. Don't know if this makes things more or less secure than let's say VMware virtualized servers.



  • I would trust the open versions more than the more closed code things when it comes to VM stuff also.  Yeah.  Like you said.



  • Everything that is connected to a network or has the ability to connect to a network (WAN or LAN) could be possibly hacked into. It all depends on how dedicated the opposite person/hacker is on hacking your network or network device.

    For example.. Apple says a lot of BS about their iOS.. but it has been hacked/compromised time and time again. Darn, even their so-called super secure fingerprint reader has been hacked as of today.



  • Fingerprints are stupid simple biometrics to copy.  I'm amazed it took this long to hack that since the very fingerprint you need to lift is all over the screen more than likely!  :P



  • @kejianshi:

    Fingerprints are stupid simple biometrics to copy.  I'm amazed it took this long to hack that since the very fingerprint you need to lift is all over the screen more than likely!  :P

    Well it took a day from the date of actual product receipt :)



  • Seems like my thoughts on DMA and bus mastering express real issues and that there is exploitation and research going on:

    "DMA-based attacks launched from peripherals are capable of compromising the host without exploiting vulnerabilities present in the operating system running on the host.

    "Therefore they present a highly critical threat to system security and integrity. Unfortunately, to date no OS (operating system) implements security mechanisms that can detect DMA-based attacks. Furthermore, attacks against memory management units have been demonstrated in the past and therefore cannot be considered trustworthy."

    The German Government funded research was closing in on its aim to develop a reliable detector for DMA malware.

    "At the moment we have a proof-of-concept that proves that a detector is possible," Stewin said in an email to SC. "It can find DAGGER."

    The proof-of-concept was based on a runtime monitor dubbed BARM which modelled and compared expected memory bus activity to the resulting activity, meaning malware residing on peripherals would be detected. [1]

    1 http://www.scmagazine.com.au/News/358265,research-detects-dangerous-malware-hiding-in-peripherals.aspx
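The article quoted above only describes BARM's idea (model the memory-bus activity the host expects, compare it with what the bus actually carried, and treat a sustained surplus as a DMA agent the OS never authorised). As an added example, not the researchers' code and not anything from the thread, here is a toy version of that reconciliation over per-window counter samples. Every counter value is constructed; a real monitor would read the CPU-side counts from the cores' performance counters, the authorised DMA from the drivers' own descriptor accounting, and the total from the memory controller's uncore counters.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BusWindow:
    """One sampling window of memory-bus counters (all values constructed for the example)."""
    cpu_transactions: int        # transactions attributable to the CPU cores (core PMU)
    authorised_dma: int          # DMA the OS set up itself: NIC rings, disk scatter lists, ...
    observed_transactions: int   # everything the memory controller actually counted


def unexplained_transactions(w: BusWindow) -> int:
    """Bus transactions the host cannot account for. Small negative values are measurement noise;
    a large positive value is traffic some bus master generated without the OS asking for it."""
    return w.observed_transactions - (w.cpu_transactions + w.authorised_dma)


def detect_rogue_dma(windows, tolerance: float = 0.02, min_windows: int = 3):
    """Return [(first_idx, last_idx)] for every run of at least `min_windows` consecutive
    windows in which the unexplained share of observed traffic exceeds `tolerance`.

    A single spike is ignored on purpose: counter sampling is never exact, and a one-window
    excess is indistinguishable from jitter. A hidden agent that keeps scanning RAM, on the
    other hand, produces a surplus in window after window, which is what the run detects."""
    alerts, run_start = [], None
    for i, w in enumerate(windows):
        share = (unexplained_transactions(w) / w.observed_transactions) if w.observed_transactions else 0.0
        if share > tolerance:
            if run_start is None:
                run_start = i
        else:
            if run_start is not None and i - run_start >= min_windows:
                alerts.append((run_start, i - 1))
            run_start = None
    if run_start is not None and len(windows) - run_start >= min_windows:
        alerts.append((run_start, len(windows) - 1))
    return alerts


# Constructed trace: four quiet windows, one noise spike (window 4), one quiet window,
# then four windows in which ~20% of bus traffic is unexplained (windows 6-9).
SAMPLE_WINDOWS = [
    BusWindow(100_000, 20_000, 120_500),
    BusWindow(110_000, 20_000, 130_400),
    BusWindow(100_000, 25_000, 125_200),
    BusWindow(100_000, 20_000, 120_100),
    BusWindow(100_000, 20_000, 125_000),   # isolated spike: 4% unexplained, should not alert alone
    BusWindow(100_000, 20_000, 120_300),
    BusWindow(100_000, 20_000, 150_000),   # sustained surplus starts here
    BusWindow(100_000, 20_000, 148_000),
    BusWindow(100_000, 20_000, 152_000),
    BusWindow(100_000, 20_000, 149_000),
]


if __name__ == "__main__":
    for i, w in enumerate(SAMPLE_WINDOWS):
        print(f"window {i}: unexplained={unexplained_transactions(w):>7}")
    print("alerts:", detect_rogue_dma(SAMPLE_WINDOWS))
```

The design point worth keeping from the article is the one the toy preserves: the reference model comes from counters the peripheral cannot influence (core-side PMU plus the OS's own DMA bookkeeping), so a device that hides its traffic from tcpdump still cannot hide the memory reads that traffic was built from. The weak spot is equally visible: the tolerance and the run length are tuning knobs, and an agent that throttles itself below the noise floor slips through, which is why the quoted paper calls its detector a proof of concept.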

