Cyber-security "Scare"

A recent post via Information Age suggests that a chip made in China and used in US Military systems has a backdoor that could open systems using these devices to cyber attacks. A subsequent posting from Errata Security suggests this is a bogus story and that there is no deliberate Chinese effort to modify the chips to gain access to US Military systems.
However, the same Errata Security posting acknowledges that the backdoor exists and that the chip is used in some military systems -- particularly those that use COTS (commercial off-the-shelf) technology, and even that the chips are made in China.
It seems to me that the back-door exists, and is available for abuse by those who know how ... it isn't clear to me that field programmable gate array devices (FPGAs), where this apparently exists, are the type of device that script-kiddies are likely to target. But there are more sophisticated bad guys out there -- the June 2010 Stuxnet virus is proof of this, and of the potential for attacking military targets.
The only thing "bogus" about this report, as far as I can tell, is that it suggested that the Chinese deliberately re-engineered the design to incorporate the back-door ... that would be a painful thing to do without the CAD files needed to edit the design. But it is either optimistic or overly nationalistic to assume that China or any other high technology country might not have the capability to utilize such a "feature" or to modify designs to incorporate such features.
This is quite parallel to the 1988 Morris Worm situation, where back-door aspects of tools in UNIX, some of which were 'debug' features, were used to penetrate systems and then propagate one of the first computer worms. That these aspects of the systems were not created for malicious use did not prevent their abuse. Fortunately, in that case the intent of the abuse was not malicious, the Internet was new and UNIX a fairly rare beast. Today's world is different, and we might be wise to be a bit scared of cyber abuse and attack vectors.
Two key messages for computing professionals are to be found in this tale:

  1. Don't leave in back-doors and debug paths - the "enable" for these needs to be carefully considered, and disclosed to buyers/users so they can lock down these paths.
  2. If you happen to be using electronic devices -- be aware that there are attack paths you may not have anticipated that are beyond the scope of your "firewall" security.
If this feels uncomfortable, it should. Cyber-security is non-trivial, and has high potential for abuse and damage. The motives of the potential bad actors are varied, from financial gain to military or quasi-military objectives. It is not clear to me that we are really well informed, much less sufficiently protected.
