This was an ISACA presentation by Nsale Ronnie a top hacker in Africa working with Ernst and Young. He demonstrated how other governments are leading by far in the nature of their espionage through hardware.
2. Disclaimer
There is a need to discuss the problems in order to find solutions
This doesn’t represent the current status of malware/ security trends
I don’t know everything !!!!
3. Agenda
Motivation: State Level Back dooring?
X86 architecture
National Level attacks
Cyber criminal advantage
Introducing plasnito
Why cryptography won’t save us
4. Who am I?
Security Consultant (EY)
MSc. Security and Mobile computing (University of Massachusetts-Boston)
Author: Blindsecurity2010 (A hacker’s perspective)
Projects: BlueRonv0.1 Backtrack 2 and OwaspWeb Exploitation. Google can list the rest
17. Routers: HEADWATER
•HEADWATER PBD transferred remotely over internet to target router
•PBD is installed in the router’s boot ROM via upgrade command
•PBD activated after a system boot
NOTE:
HEADWATER is the cover term for the PBD for Huawei Technologies routers. This was adopted for use in the joint NSA/CIA effort to exploit Huawei network equipment under project name TURBOPANDA
24. Reality
This is not a vulnerability :
It is sheer bad design due to legacy.
Don't expect a patch.
Fixing those issues will probably require breaking backward compatibility with most standards (PCI, PCIe, TPM).
25. Why crypto won't save you
We can fake the bootking/password prompt by booting a remote OS (Truecrypt/Bitlocker)
Once we know the password, the BIOS backdoor can emulate keyboard typing in 16bit real mode by programming the keyboard/motherboard PIC microcontrollers
If necessary, patch back original BIOS/firmwaresremotely.
26. Why crypto won't save you
TPM + full disk encryption won't save you either :
It's a passive chip : if the backdoor doesn't want explicit access to data on the HD, it can simply ignore TPM.
Your HD is never encrypted when delivered to you. You seal the TPM when you encrypt your HD only. So TPM doesn't prevent backdooringfrom anyone in the supply chain.
27. How about Antivirus?????
Putting an AV on a server to protect against unknown threats is purely cosmetic.
You may as well put lipstick on your servers...
30. Remediation
Flash any firmware upon reception of new hardware with open source software you can verify
Perform checksums of all firmwaresby physically extracting them (FPGA..) : costly !
Verify the integrity of all firmwaresfrom time to time
Update forensics best practices :
1) Include firmwaresin SoW
2) Throw away your computer in case of intrusion
Even then... not entirely satisfying : the backdoor can flash the original firmwaresback remotely.