Perfect, persistent, undetectable hardware backdoor

A Def Con talk titled "Hardware Backdooring is practical" demonstrated bootkitting Windows, but in this case it was the "perfect" backdoor that would be "persistent" and "virtually undetectable."

We've heard a lot about nation states attacking us for intellectual property, such as secretly walking away with millions of dollars in American research and development, but a proof-of-concept presentation from Def Con touched on potential agendas such as state-level permanent backdooring. The idea is fairly intense because basically whatever way a person were to try to get rid of the backdoor, short of tossing the hardware into the trash, would ultimately fail.

Homeland Security has talked about the dangers of importing tainted tech and how our country needs to trust and be sure the supply chain is clean. But what if a country, let's say China, were to purposefully plant backdoors in microelectronics that ended up in U.S. military, government or high-value corporations? The talk titled "Hardware Backdooring is practical" by security research engineer Jonathan Brossard, CEO of Toucan Systems, explained why cryptography such as Truecrypt, Bitlocker or TPM "won't save us." In fact, such backdoors could result in "Epic evil remote carnal pwnage (of death)."

Brossard demonstrated bootkitting Windows, but in this case it was the "perfect" backdoor that would be "persistent" and "virtually undetectable." It could cross network perimeters like firewalls yet allow a nation state remote access for remote updates. Antivirus won't help either as it can't protect against unknown threats and is only "cosmetic." Brossard said, "You might as well put lipstick on your servers." We are not talking about a hardware backdoor into a single machine or server; an entire data center could as easily be backdoored.

Brossard introduced this perfect backdoor, a proof-of-concept malware for the intel architecture called "Rakshasa." Yet he qualified, "We are not terrorists. We won't release our PoC backdoor."

What's really scary is that Rakshasa doesn't reside in the disk and therefore leaves zero evidence in the filesystem. It leaves zero network evidence on the LAN. It can "remotely boot from an alternate payload or even OS" like fake Truecrypt/Bitlocker. Rakshasa can even show a fake BIOS menu if necessary. "We use an embedded CMOS image. We can use the real CMOS nvram to store encryption keys/backdoor states between reboots." It is capable of infecting "more than a hundred different motherboards." The research paper states:

The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, an Unified Extensible Firmware Interface (UEFI) firmware, or from a PCI firmware, resulting in permanent lowering of the security of the backdoored computer, even after a complete erasing of hard disks and reinstallation of a new operating system.

What it comes down to, in simple terms, is that you cannot get rid of it. Even if you wipe the computer and start over, the undetectable backdoor would remain because it is capable of living on in the BIOS. If you were to flash the firmware, a backdoor such as Rakshasa "can flash the original firmware back remotely." Brossard's demo showed that backdooring the BIOS or PCI firmware "to allow the silent booting a remote payload via an http(s) connection is equally practical and ruins all hope to detect the infection using existing tools such as antivirus or existing forensic tools."

Included in the "forensic best practices" was the suggestion to "throw away your computer in case of intrusion." This will hopefully raise awareness so companies can come up with new "best practices" regarding forensics and post intrusion analysis.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2012 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.