Netgate Discussion Forum

    Hardware backdoors

    20 Posts 6 Posters 6.1k Views
    • senser

      How much of an issue are hardware backdoors in relation to firewalls/routers, especially when the firewall is running an open source OS and open source drivers (like pfSense) to control the hardware?

      We use the mighty pf, we cannot be fooled.

      • kejianshi

        It's more of an issue when running commercial solutions, I'd imagine.
        I'd think one would go with an open source OS to escape that issue  ;)

        • stephenw10 (Netgate Administrator)

          I would only worry about that (at all) if your system has some sort of out-of-band access like HP's iLO. Not that I'm implying anything about iLO.  ;)
          It's possible to imagine a rogue firmware that mirrored an internal port on the out-of-band port, for example.
          You would think something like this would be reported fairly quickly though.

          Steve

          • kejianshi

            I might worry for all major / popular commercial US and Chinese brands of equipment and OSs.

            I like open source because it's open code and can be audited by anyone with eyes.

            (I also prefer older motherboards that have no support for remote diagnostics or administration of BIOS features, etc.)

            And…  I wouldn't use virtualization at all if security and privacy are to be the words of the day.

            If 100% reasonable paranoia guided me I'd also want no managed switches and a minimum of packages and add-ins.

            • asterix

              @kejianshi:

              I wouldn't use virtualization at all if security and privacy are to be the words of the day.

              Hmmm.. I wonder where you base your info from .. :o

              If configured correctly virtualization is safe and secure ;)

              Like any hardware.. even if it's from the 90's.. if not configured correctly it will pose a security risk.

              • kejianshi

                Hmmmmm…  I'm just guessing.  ::)
                It's more of a feeling than a fact.  I'm sticking with that story.

                "If configured correctly virtualization is safe and secure" - Depends on who you want to be safe and secure from, but basically, I disagree.

                I run virtualized machines at home BTW, but if I was hosting a server for political activists, for example, I wouldn't.

                I'm extremely distrustful of machines that have layer upon layer of complexity.

                • chpalmer

                  @senser:

                  How much of an issue are hardware backdoors in relation to firewalls/routers, especially when the firewall is running an open source OS and open source drivers (like pfSense) to control the hardware?

                  :)

                  https://doc.pfsense.org/index.php/Comparison_to_Commercial_Alternatives

                  Open source is insecure myth

                  Some people are of the mindset that because the source is open, it's insecure because everyone can see how it works. Anyone who has paid any attention to security over the past 20 years knows the absurdity of that statement. No software relies on the obscurity of source code for security. If there was any truth in that, Microsoft Windows would be the most secure OS ever created, when the reality is all of the open source operating systems (all the BSDs and Linux) have security track records that are worlds better than Windows'. History proves the same applies to any software. Internet Explorer is continually hit with major security holes that many times take weeks to patch while they're being exploited in the wild, while open source browsers Firefox, Chrome and others have had significantly better security track records.

                  The widespread UPnP vulnerabilities announced in 2013 affecting over 300 commercial products is another good example. The vendors of hundreds of commercial products made extremely basic security mistakes, shipping with absurdly insecure defaults, and shipping outdated software. That's never been an issue with pfSense. That's just one example of where we've done a better job than many commercial vendors.

                  Triggering snowflakes one by one..
                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                  • kejianshi

                    And that's just the accidental security holes.  Never mind the hidden intentional ones to facilitate law enforcement and others.
                    But I guess if you have nothing to hide you have nothing to worry about - or so I've heard.

                    • chpalmer

                      @kejianshi:

                      And that's just the accidental security holes.  Never mind the hidden intentional ones to facilitate law enforcement and others.
                      But I guess if you have nothing to hide you have nothing to worry about - or so I've heard.

                      In that case I'd imagine that open source stuff that is continually under scrutiny by the community would be the first to be found out if there was something to find.

                      Otherwise it's all about how much access you allow - either via config or physical contact, such as from an employee plugging something in on the LAN side.

                      Triggering snowflakes one by one..
                      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                      • kejianshi

                        Correct - My point exactly.

                        • senser

                          I have never understood FOSS to be a security problem in any way! To the contrary. Me mentioning open source in the original question was sort of the result of me not yet understanding what I really wanted to ask. Sorry for the confusion.

                          My question is probably more like: how much can hardware have a life of its own, without the OS being in control of the resources being accessed by the hardware? For example, take DMA:

                          Direct memory access (DMA) is a feature of modern computers that allows certain hardware subsystems within the computer to access system memory independently of the central processing unit (CPU).[1]

                          The DMA controller is controlled by the CPU, but can you trust the DMA controller to do what it is told?

                          How about "bus mastering":

                          In a bus mastering system, both the CPU and peripherals can be granted control of the memory bus. Where a peripheral can become bus master, it can directly write to system memory without involvement of the CPU, providing memory address and control signals as required.[1]

                          OTOH, everyone knows that there are tools like tcpdump, and any obvious remote backdoor can be easily exposed.
                          BUT: there might still be information transmitted that these tools do not capture at all, or messages that disguise themselves as "normal" traffic…

                          And this is probably what I really want to know: is it even possible for FreeBSD to protect us from hardware manufacturers exploiting hardware architectures?

                          Would we have to allow only encrypted information into memory? But how do you do math on encrypted data? Hmm..

                          1 https://en.wikipedia.org/wiki/Direct_memory_access

                          We use the mighty pf, we cannot be fooled.

                          • kejianshi

                            That's why I don't like too many "features" on the mobo of the firewall.  Some motherboards these days have all sorts of features that could, in theory, allow an intruder to examine pretty much everything that's happening in the OS remotely without any need of hacking the OS.

                            This was based on a software exploit:
                            http://en.wikipedia.org/wiki/Blue_Pill_%28software%29

                            But with the wrong hardware, I imagine the same effect could be had with malicious hardware, no thin hypervisor required.
                            If you believe the news, all phones are already there, so why not MOBOs and NIC cards etc…  etc...
                            (By malicious I mean malicious to the consumer - but on purpose)

                            • stephenw10 (Netgate Administrator)

                              Anything that has an IP or could potentially get an IP could be sending information back to China. I'm not going to start worrying about a device built into my keyboard or something because to retrieve the information from it would require physical access and once someone has that they could get anything anyway.
                              Things that I might worry about would include, in rough descending order of worry: routers, layer3 switches, layer2 switches, out-of-band management devices, network printers. Anything with an IP.

                              To be honest I'm not that worried about any of that. You are far more likely to be hacked by someone with a phone that has been compromised.

                              Steve

                              • kejianshi

                                Yeah - You can't worry about EVERY piece of hardware or software made, but you can avoid the known offenders.

                                • Nachtfalke

                                  @kejianshi

                                  Interesting thread and question.

                                  I was thinking about the same as you: using commercial products or open source software. In the days of the NSA affairs this comes more into my focus again. Of course there are other institutions or groups which do the same as the NSA, but today it's in the media.

                                  So in general I would agree that open source firewalls would be "more secure" when looking at backdoors, because the code is open source and everyone can look at the code. And I would be sure that even if some institutions supported an open source product to implement backdoors, someone else in the world would find this and publish it.

                                  Further you were talking about virtualisation. Virtualisation with KVM or qemu is also open-source. Don't know if this makes things more or less secure than let's say VMware virtualized servers.

                                  • kejianshi

                                    I would trust the open versions more than the more closed code things when it comes to VM stuff also.  Yeah.  Like you said.

                                    • asterix

                                      Everything that is connected to a network or has the ability to connect to a network (WAN or LAN) could be possibly hacked into. It all depends on how dedicated the opposite person/hacker is on hacking your network or network device.

                                      For example.. Apple says a lot of BS about their iOS.. but it has been hacked/compromised time and time again. Darn, even their so-called super secure fingerprint has been hacked as of today.

                                      • kejianshi

                                        Fingerprints are stupid simple biometrics to copy.  I'm amazed it took this long to hack that since the very fingerprint you need to lift is all over the screen more than likely!  :P

                                        • asterix

                                          @kejianshi:

                                          Fingerprints are stupid simple biometrics to copy.  I'm amazed it took this long to hack that since the very fingerprint you need to lift is all over the screen more than likely!  :P

                                          Well it took a day from the date of actual product receipt :)

                                          • senser

                                            Seems like my thoughts on DMA and bus mastering express real issues and that there is exploitation and research going on:

                                            "DMA-based attacks launched from peripherals are capable of compromising the host without exploiting vulnerabilities present in the operating system running on the host.

                                            "Therefore they present a highly critical threat to system security and integrity. Unfortunately, to date no OS (operating system) implements security mechanisms that can detect DMA-based attacks. Furthermore, attacks against memory management units have been demonstrated in the past and therefore cannot be considered trustworthy."

                                            The German Government funded research was closing in on its aim to develop a reliable detector for DMA malware.

                                            "At the moment we have a proof-of-concept that proves that a detector is possible," Stewin said in an email to SC. "It can find DAGGER."

                                            The proof-of-concept was based on a runtime monitor dubbed BARM which modelled and compared expected memory bus activity to the resulting activity, meaning malware residing on peripherals would be detected. [1]

                                            1 http://www.scmagazine.com.au/News/358265,research-detects-dangerous-malware-hiding-in-peripherals.aspx

                                            We use the mighty pf, we cannot be fooled.

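The two technical points in the thread, senser's question about whether a bus-mastering peripheral can move data without the OS knowing, and the BARM approach quoted in this last post (model the expected memory-bus activity and compare it with what the bus actually did), can be shown together in a small simulation. What follows is an added example written for this page; it is not code from the thread, from pfSense, or from the BARM research. The bus counter, the device names ("nic", "disk"), the transfer sizes and the `rogue_extra` knob are all constructed for illustration.

```python
"""Toy BARM-style memory-bus monitor (constructed example, not the BARM research code).

Two ideas from the thread are modelled:
  * a bus-mastering peripheral reads or writes memory on its own once it holds the bus,
    so the CPU never sees those accesses;
  * a runtime monitor that knows what the OS programmed (CPU traffic plus every DMA
    transfer it set up) can compare that model with a hardware bus counter and flag
    activity nobody asked for.
"""
from dataclasses import dataclass, field


@dataclass
class DmaTransfer:
    device: str   # hypothetical device name
    nbytes: int   # bytes the OS programmed the device to move


@dataclass
class MemoryBus:
    """Simulated memory bus. The monitor sees only the aggregate counter, mirroring a
    hardware performance counter that cannot attribute traffic to a particular master."""
    transactions: int = 0
    trace: list = field(default_factory=list)   # per-master trace, for the reader only

    def access(self, master: str, nbytes: int) -> None:
        self.transactions += nbytes
        self.trace.append((master, nbytes))


class Peripheral:
    """A bus-mastering device. `rogue_extra` is constructed for the example: bytes the
    device touches beyond what the OS programmed, invisible to the CPU."""

    def __init__(self, name: str, bus: MemoryBus, rogue_extra: int = 0) -> None:
        self.name = name
        self.bus = bus
        self.rogue_extra = rogue_extra

    def run_dma(self, transfer: DmaTransfer) -> None:
        self.bus.access(self.name, transfer.nbytes)        # the programmed transfer
        if self.rogue_extra:
            self.bus.access(self.name, self.rogue_extra)   # activity the OS never requested


def expected_activity(cpu_bytes: int, transfers: list) -> int:
    """The OS's model of the bus: its own CPU memory traffic plus every DMA it programmed."""
    return cpu_bytes + sum(t.nbytes for t in transfers)


def barm_check(expected: int, observed: int, tolerance: int = 0) -> dict:
    """Compare the model with the hardware counter. Excess beyond the tolerance means some
    bus master moved data the OS does not know about."""
    excess = observed - expected
    return {"expected": expected, "observed": observed,
            "excess": excess, "alert": excess > tolerance}


def simulate(rogue_extra: int = 0, cpu_bytes: int = 1000, tolerance: int = 0) -> dict:
    """One monitoring interval with a NIC and a disk controller (constructed devices)."""
    bus = MemoryBus()
    devices = {
        "nic": Peripheral("nic", bus, rogue_extra=rogue_extra),
        "disk": Peripheral("disk", bus),
    }
    transfers = [DmaTransfer("nic", 1500), DmaTransfer("disk", 4096)]   # constructed sizes

    bus.access("cpu", cpu_bytes)               # CPU-initiated loads and stores
    for t in transfers:
        devices[t.device].run_dma(t)           # bus masters do their work without the CPU

    return barm_check(expected_activity(cpu_bytes, transfers), bus.transactions, tolerance)


if __name__ == "__main__":
    print("clean interval:", simulate())
    print("NIC reading 256 unrequested bytes:", simulate(rogue_extra=256))
```

The weak side of this kind of monitor is the model, not the counter: every legitimate DMA transfer the OS forgets to account for shows up as excess, so a real implementation needs a tolerance tuned to the platform, and an attacker who keeps the hidden traffic under that tolerance stays below the threshold. The detector also only tells you that something unexplained happened on the bus, not which device did it; restricting what a device may touch in the first place is the job of an IOMMU, which is the OS-side control the thread's question is really asking about.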
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.