ARRA News Service
 News Blog for social, fiscal & national security conservatives who believe in God, family & the USA. Upholding the rights granted by God & guaranteed by the U.S. Constitution, traditional family values, "republican" principles / ideals, transparent & limited "smaller" government, free markets, lower taxes, due process of law, liberty & individual freedom. Content approval rests with the ARRA News Service Editor. Opinions are those of the authors. While varied positions are reported, beliefs & principles remain fixed. No revenue is generated for or by this "Blog" - no paid ads - no payments for articles. Fair Use Doctrine is posted & used.
Blogger/Editor/Founder: Bill Smith, Ph.D. [aka: OzarkGuru & 2010 AFP National Blogger of the Year]
Contact: editor@arranewsservice.com (Pub. Since July, 2006)     Home Page    
One of the penalties for refusing to participate in politics is that you end up being governed by your inferiors. -- Plato (429-347 BC)

Friday, April 13, 2018

How President Trump Could Shut Hidden ‘backdoor’ Hardware Threats From China Being Installed On Critical Systems

by Robert Romano: The U.S. is vulnerable to installing imported, vulnerable computer hardware from China and elsewhere with hidden backdoors on critical infrastructure, like the power grid, water systems, hospitals, air traffic control, communications and defense-related systems. And the American people may not find out about it until it is too late and things start getting switched off.

Fortunately, President Donald Trump could do something about it by levying a heavy tariff on technology components that include such unsecure backdoors or are from regions known to produce such backdoors.

In 2016, a group of computer engineers at the Department of Electrical Engineering and Computer Science at the University of Michigan in Ann Arbor hypothesized that a single circuit could be developed out of millions or billions onto a computer chip to create a “backdoor” to the computer’s operating system. Called an “analog” hack, it proved that “a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before effecting a chip’s functionality).”

Unfortunately, because chip manufacturers rely on global supply chains for fabrication and then, necessarily, on post-fabrication testing to detect problems, this leaves virtually every chip vulnerable and highly unlikely to be detected: “this type of testing leaves the door open to malicious modifications since attackers can craft attack triggers requiring a sequence of unlikely events, which will never be encountered by even the most diligent tester.”

The core of the problem identified by the engineers is “Outsourcing of chip fabrication opens up hardware to attack,” such that at any point in the fabrication process this “needle in a haystack” circuit could be introduced by a single employee without detection. The proof of concept on an OR1200 chip suggested that “Experimental results show that our attacks work, show that our attacks elude activation by a diverse set of benchmarks, and suggest that our attacks evade known defenses.” In short, the engineers proved it worked.

Militarized, it is easy to conceive that the U.S. could import the technology that will be used against it, with the power grid, potable water and even the critical nuclear offensive and defensive weapons systems potentially being able to be shut off at the flip of a switch. For years it has been speculated that such malicious circuits could be put onto computer chips by intelligence agencies, but with the University of Michigan study, it suddenly appeared quite viable.

A year later, in May 2017, the Michigan engineers’ worst fears were realized when it was publicly revealed that such an exploit had not only already been found on the Intel family of processor chips on the so-called Intel Management Engine, but had been manufactured tens of millions of times over, effectively proliferating all over the world. As described by the UK Register’s Thomas Claburn: “The firmware-level bugs allow logged-in administrators, and malicious or hijacked high-privilege processes, to run code beneath the operating system to spy on or meddle with the computer completely out of sight of other users and admins. The holes can also be exploited by network administrators, or people masquerading as admins, to remotely infect machines with spyware and invisible rootkits, potentially,” or even commandeer applications.

Security patches have since been developed by Microsoft and others to secure affected systems, and Intel developed a detection tool that can be downloaded to alert a user if their system is affected.

At least one group suggested the bug was intentional. A team of researchers at the London-based Positive Technologies on Aug. 28, 2017 published a study outlining a process that disables the Intel Management Engine that it says it found because it used publicly available utilities to take a peek at the code that makes the Intel chip work, finding a line of code called “High Assurance Platform (HAP) enable”. After Googling the term, the team turned up a 2009 paper from the National Security Agency Commercial Solutions Center about these so-called High Assurance Platforms that utilize commercially available technologies with “additional High Assurance Security mechanisms.” The description in the NSA paper states, “The fusion of commercial initiatives plus trusted software create a ‘High Assurance Platform’ (HAP).” Now, that in itself does not actually prove that the Intel Management Engine was compromised on behalf of intelligence agencies in accordance with being such a platform. But, the team was able to engineer a process that would disable the Intel Management Engine.

Officially, the story is that the bug was actually an unintentional design flaw that was only discovered after several millions of units had already shipped and were in use. According to an official statement from Intel in August 2017, “Intel does not and will not design backdoors for access into its products. Recent reports claiming otherwise are misinformed and blatantly false. Intel does not participate in any efforts to decrease security of its technology.”

In many ways it would be better if the design “flaw” was actually an intentional backdoor, since then at least this occurred in a controlled environment with the awareness and cooperation of the manufacturer with the U.S. government to assist in national security endeavors, meaning government systems were unaffected. Unfortunately, officially, the vulnerable Intel hardware was sold everywhere, everyone bought into it and the vulnerability proliferated across the entire planet, and the manufacturer was unaware. And they might have even been installed on critical systems, including those necessary for functioning national security, if the federal government was unaware of the bug.

Or intelligence agencies could have been aware, but did not alert the manufacturer. Therefore, although outsourcing of technology plays a key role with this problem and insourcing will be a means to solving it, foreign supply chains are not the only problem that must be contended with. With the case of Intel, it shows absolutely that not only can foreign manufacturers subversively include such analog hacks on hardware, so could domestic companies accidentally, and even with the knowledge of the government, then they might not help it get fixed.

Once fabricated and eventually exposed, suddenly tens of millions of chips are available all over the world that can be reverse engineered by hostile state and non-state actors to be exploited, replicated or improved upon. The more these types of products are sold commercially, the more likely more they will be fabricated in ways that are even more surreptitious.

There are other examples, in May 2017, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team confirmed that Hikvision security cameras, a Chinese manufacturer of video surveillance equipment, had come with hidden backdoors installed on them. Think of that, a security camera that the manufacturer may have wanted to be compromised.

These events could be looked at as the digital equivalent of a near-miss from an asteroid. It’s not merely a possibility or even a probability, but a practical certainty that eventually these types of malicious circuits will be included with a chip operating a critical system vital to national security — and the public might be unaware that it has occurred until it is too late. Why? Because today these types of components are being outsourced and not secured at all aspects of the supply chain.

In March, Federal Communications Commission Chairman Ajit Pai announced that his agency will be voting on blocking U.S. subsidies to companies that purchase Chinese technology, pointing to the danger of hidden back doors. Pai stated, “Threats to national security posed by certain communications equipment providers are a matter of bipartisan concern. Hidden ‘back doors’ to our networks in routers, switches — and virtually any other type of telecommunications equipment — can provide an avenue for hostile governments to inject viruses, launch denial-of-service attacks, steal data, and more.”

Similarly, last month Singapore-based Broadcom was blocked from purchasing tech giant Qualcomm by President Trump, to prevent this very thing from happening. Qualcomm makes components for everything including computers, networks and smart phones.

Clearly this is a priority for the Trump administration, but more needs to be done to create a secure domestic supply chain in light of these national security concerns. Restrictions could be placed on the sale of imported devices that do not meet with U.S. cyber security specifications, either in the form of quotas, tariffs or blocking importation altogether.

Similarly, regulations could be enacted requiring that critical systems funded by the federal government only use components made in America under the new specifications, taking the FCC’s proposal a bit further.

Diplomatic talks can be engaged to formulate an international cyber treaty that could govern the rules of the road, outlawing manufacturing backdoors.

To prevent proliferation, safeguards should be taken to ensure that such backdoors are not similarly deployed by U.S. military and intelligence agencies into commercial products for spying since if and when they are discovered, they can be proliferated and reverse-engineered by foreign adversaries and non-state actors to undermine the very system that is supposed to be concerned with security.

What is clear is that without a proper national technology strategy, of which tariffs and other import controls could play a key role, the U.S. remains vulnerable to installing imported, vulnerable computer hardware on critical infrastructure, like the power grid, water systems, air traffic control, communications, hospitals and defense-related systems, and the American people may not be aware of it until the power grid is shut off, the water system is compromised or planes start falling out of the sky.

It is the equivalent of opening the gates and letting the Trojan Horse inside to enable the Greek soldiers to burn Troy to the ground.

What was merely speculative just a few years ago is now fully realized, with multiple examples of compromised hardware both as a proven concept and millions of sales. A single undetected malicious circuit on a chip, installed on the wrong system, could prove to be devastating to national security and even our constitutional system of government, and the Trump administration, Congress and the tech industry need to act before it is too late.
----------------
Robert Romano is the Vice President of Public Policy at Americans for Limited Government.
Tags: Robert Romano, Americans for Limited Government, President Trump, Shut Hidden ‘backdoor’ Hardware Threats, China, Critical Systems To share or post to your site, click on "Post Link". Please mention / link to the ARRA News Service and "Like" Facebook Page - Thanks!
Posted by Bill Smith at 10:00 AM - Post Link

0 Comments:

Post a Comment

<< Home


View U.S. National Debt
Don't miss anything!
Subscribe to the
ARRA News Service
It's FREE & No Ads!
You will receive a verification email
& must validate you subscribed!
You Then Receive One Email Each AM
With Prior Days Articles / Toons / More

Also, Join & leave conservative posts & comments on
Facebook.com/ARRANewsService
Recent Posts:
Personal Tweets by the editor:
Dr. Bill - OzarkGuru - @arra
#Christian Conservative; Retired USAF & Grad Professor. Constitution NRA ProLife schoolchoice fairtax - Editor ARRA NEWS SERVICE. THANKS FOR FOLLOWING!
Action Links!
State Upper & Lower House Members
State Attorney Generals
State Governors
The White House
US House of Representatives
US Senators
GrassFire
NumbersUSA
Ballotpedia
Facebook Accts - Dr. Bill Smith
Pages:
ARRA News Service
Arkansans Against Big Government
Alley-White Am. Legion #52
Catholics & Protestants United Against Discrimination
End Taxpayer Funding of NPR
Overturn Roe V. Wade
Prolife Soldiers
Project Wildfire 4 Life
Republican Liberty Caucus of Arkansas
The Gold Standard
US Atty Gen Loretta Lynch, aka Eric Holder, Must Go
Veterans for Sarah Palin
Why Vote for Hillary (Satire)
FB Groups:
Arkansas For Sarah Palin
Arkansas Conservative Caucus
Arkansas County Tea Party
Arkansans' Discussion Group on National Issues
Blogs for Borders
Conservative Solutions
Conservative Voices
Defend Marriage -- Arkansas
FairTax
FairTax Nation
Arkansas for FairTax
Friends of the TEA Party in Arkansas
Freedom Roundtable
Pro-Life Rocks - Arkansas
Republican Network
Republican Liberty Caucus of AR
Reject the U.N.
Patriots
Exchange
Links
Request Via
Article Comment
Links to ARRA News
A Patriotic Nurse
Agora Associates
a12iggymom's Blog
America, You Asked For It!
America's Best Choice
ARRA News Twitter
As The Crackerhead Crumbles
Blogs For Borders
Blogs for Palin
Blow the Trumpet Ministry
Boot Berryism
Cap'n Bob & the Damsel
Chicago Ray Report - Obama Regime Report
Chuck Baldwin - links
Common Cents
Conservative Voices
Diana's Corner
Greater Fitchburg For Life
Lasting Liberty Blog
Liberal Isn't Amy
Marathon Pundit
Patriot's Corner
Right on Issues that Matter
Right Reason
Rocking on the Right Side
Saber Point
Saline Watchdog
Sultan Knish
The Blue Eye View
The Born Again Americans
TEA Party Cartoons
The Foxhole | Unapologetic Patriot
The Liberty Republican
The O Word
The Path to Tyranny Blog
The Real Polichick
The War on Guns
TOTUS
Twitter @ARRA
Underground Notes
Warning Signs
Women's Prayer & Action
WyBlog
Editor's Managed Twitter Accounts
Twitter Dr. Bill Smith @arra
Twitter Arkansas @GOPNetwork
Twitter @BootBerryism
Twitter @SovereignAllies
Twitter @FairTaxNation
Editor's Recommended Orgs
Accuracy in Media (AIM)
American Action Forum (AAF)
American Committment
American Culture & Faith Institute
American Enterprise Institute
American Family Business Institute
Americans for Limited Government
Americans for Prosperity
Americans for Tax Reform
American Security Council Fdn
AR Faith & Ethics Council
Arkansas Policy Foundation
Ayn Rand Institute
Bill of Rights Institute
Campaign for Working Families
CATO Institute
Center for Individual Freedom
Center for Immigration Studies
Center for Just Society
Center for Freedom & Prosperity
Citizens Against Gov't Waste
Citizens in Charge Foundstion
Coalition for the Future American Worker
Competitive Enterprise Institute
Concerned Veterans for America
Concerned Women for America
Declaration of Am. Renewal
Eagle Forum
FairTax
Family Research Council
Family Security Matters
Franklin Center for Gov't & Public Integrity
Freedom Works
Gingrich Productions
Global Incident Map
Great Americans
Gold Standard 2012 Project
Gun Owners of America (GOA)
Heritage Action for America
David Horowitz Freedom Center
Institute For Justice
Institute for Truth in Accounting
Intercollegiate Studies Institute
Judicial Watch
Less Government
Media Reseach Center
National Center for Policy Analysis
National Right To Work Foundation
National Rifle Association (NRA)
National Rifle Association (NRA-ILA)
News Busters
O'Bluejacket's Patriotic Flicks
OathKeepers
Open Secrets
Presidential Prayer Team
Religious Freedom Coalition
Renew America
Ron Paul Institute
State Policy Network
Tax Foundation
Tax Policy Center
The Club for Growth
The Federalist
The Gold Standard Now
The Heritage Foundation
The Leadership Institute
Truth in Accounting
Union Facts

Blogs For Borders
Reject the United Nations
Presidential Prayer Team
Thousands of Deadly Islamic Terror Attacks Since 9/11

FairTax Nation on FaceBook
Friends of Israel - Stand with Israel
Blog Feeds
Syndicated - Get the ARRA News Service feed Syndicated!
ARRA Blog Feed

Add to Google Reader or Homepage

Add to The Free Dictionary

Powered by Blogger

  • To Exchange Links - Email: editor@arranewsservice.com!
  • Comments by contributing authors or other sources do not necessarily reflect the position the editor, other contributing authors, sources, readers, or commenters. No contributors, or editors are paid for articles, images, cartoons, etc. While having reported on and promoting principles & beleifs beliefs of other organizations, this blog/site is soley controlled and supported by the editor. This site/blog does not advertise for money or services nor does it solicit funding for its support.
  • Fair Use: This site/blog may contain copyrighted material the use of which has not been specifically authorized by the copyright owner. Such material is made available to advance understanding of political, human rights, economic, democracy, and social justice issues, etc. This constitutes a 'fair use' of such copyrighted material as provided for in section Title 17 U.S.C. Section 107 of the US Copyright Law. Per said section, the material on this site/blog is distributed without profit to readers to view for the expressed purpose of viewing the included information for research, educational, or satirical purposes. Any person/entity seeking to use copyrighted material shared on this site/blog for purposes that go beyond "fair use," must obtain permission from the copyright owner.
  • © 2006 - 2020 ARRA News Service
Creative Commons License
Creative Commons Attribution Noncommercial Share Alike 3.0 Unported License.