
October 10, 2008

China's Pernicious PC Hardware Opens Backdoor to Trouble

Is your computer phoning home to Beijing right out of the box?  

 

 

Caveat emptor.

 

If you are shopping for a new home computer, printer, electronic picture frame, motherboard, memory or processor, you might want to read the label before you hand over your credit card, bag the item and carry it home. If you think finding out where some of those items are made is tricky, try finding out where each component inside them is made.

 

What's the fuss? For the past couple of years there has been a lot of talk about the very real capability to design or modify a chip so that it does nefarious things. Such a chip could steal your passwords, log your keystrokes, grab screenshots (or, in a printer, save every document you printed) and phone "home", sending that private information to whoever Frankenchipped your hardware in the first place. In an article last April in Popular Mechanics, Glenn Derene and Joe Pappalardo point out that,

 

Software vulnerabilities and online scams receive plenty of public attention. Viruses, Trojan horses, spyware, phishing schemes that trick people into providing financial data—all have made headlines in recent years. The emerging hardware threat is different. Imagine buying a computer, printer, monitor, router or other device in which malevolent instructions, or at least security loopholes, are etched permanently into the silicon.

 

While experts say small-time thieves are unlikely to have the capability to pull off such a stunt, foreign governments certainly have a motive. Stealing private information from ordinary people provides a revenue source that is difficult to dry up: skimming a little off the top from many victims (nothing new) is hard to notice but adds up for the perpetrator. The same goes for information itself, which can have direct and indirect military value to the government in question. Add today's computing power and you can build a searchable database of people you then wish to exploit further. Need to blackmail a politician, an investment banker or a military contractor? Imagine an electronic picture frame you bought at Best Buy for your office, rotating through your favorite pictures of your children as it sat there, seemingly harmless, next to your computer. But what if, when you connected that frame to your computer to upload your pictures, it installed a driver infected with a rootkit and a Trojan horse or two? The malware then collected your passwords and other personal data and sent them back to someone in China.

 

Well, imagine no more. It is a reality, and has been for a little while now. Now imagine some of these devices carrying malware that none of the top 100 antivirus tools detects. Add hard drives, USB flash drives, iPods and literally any device you could conceivably connect to your computer, even your monitor, shipping with difficult-to-detect malware. I encountered this twice with two brand new Acer laptops purchased last year, for example. It is entirely possible that many average users don't know what to look for, or even how to configure their security software to look for it, so the infection remains undetected. Those who do discover it are often met with disbelief by retailers, who quite reasonably assume the virus must have come from the user's end rather than being "pre-installed" on their merchandise, which for the moment is more often the case. Yet things are rapidly changing.
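Knowing what to look for on a brand new device is half the problem the paragraph above describes. The script below is an added example, not code from the original post or from any vendor mentioned on it. It assumes (the page does not say so) that the device mounts as a removable volume and that the infection rides on an autorun.inf pointing at an executable on that volume, which is the mechanism behind the 2008-era picture-frame infections; the volume contents, file names and vendor hash are constructed for the demo.

```python
"""Triage a freshly unboxed removable device for an autorun-style infection.
Added example; the sample volume, file names and hashes are constructed."""
import configparser
import hashlib
import os
import tempfile
import textwrap

# [autorun] keys that make Windows launch or register code from the volume.
LAUNCH_KEYS = {"open", "shellexecute"}
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll", ".sys"}


def parse_autorun(text):
    """Return (key, target) for every [autorun] entry that launches code.
    Keys are case-insensitive on Windows, so they are lower-cased here."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str.lower
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return []
    findings = []
    for key, value in cp.items("autorun"):
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append((key, (value or "").strip()))
    return findings


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def triage_volume(root, expected_hashes):
    """Walk a mounted volume and report what a new device should not carry:
    an autorun.inf that launches code, and executables whose SHA-256 is not
    on the vendor's expected list (volume-relative, backslash-separated paths)."""
    report = {"autorun": [], "unexpected_executables": [], "files": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "\\")
            report["files"][rel] = sha256_file(full)
            if name.lower() == "autorun.inf":
                # utf-8-sig strips a BOM, which would otherwise hide the
                # [autorun] section header from the parser.
                with open(full, encoding="utf-8-sig", errors="replace") as fh:
                    report["autorun"] = parse_autorun(fh.read())
            elif os.path.splitext(name)[1].lower() in EXECUTABLE_EXT:
                if expected_hashes.get(rel) != report["files"][rel]:
                    report["unexpected_executables"].append(rel)
    return report


def is_suspicious(report):
    return bool(report["autorun"] or report["unexpected_executables"])


VENDOR_INSTALLER = b"MZ vendor installer (constructed)"

# Constructed stand-in for a picture frame's storage: one photo, the vendor's
# installer, and an autorun payload tucked into a RECYCLER folder.
SAMPLE_VOLUME = {
    "DCIM\\IMG_0001.JPG": b"\xff\xd8\xff\xe0 not really a jpeg",
    "FrameManager_Setup.exe": VENDOR_INSTALLER,
    "RECYCLER\\sysupd.exe": b"MZ unknown payload (constructed)",
    "autorun.inf": textwrap.dedent("""\
        [autorun]
        ; constructed sample in the style of real-world infections
        OPEN=RECYCLER\\sysupd.exe
        shell\\open\\Command=RECYCLER\\sysupd.exe
        icon=FrameManager_Setup.exe,0
        """).encode(),
}


def build_sample_volume(root):
    for rel, data in SAMPLE_VOLUME.items():
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo():
    """Lay the sample volume out in a temp dir and triage it against the one
    hash the vendor is assumed to have published."""
    expected = {"FrameManager_Setup.exe": hashlib.sha256(VENDOR_INSTALLER).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        build_sample_volume(root)
        return triage_volume(root, expected)


if __name__ == "__main__":
    result = run_demo()
    print("autorun launch entries:", result["autorun"])
    print("unexpected executables:", result["unexpected_executables"])
    print("suspicious:", is_suspicious(result))
```

Point `triage_volume` at the mount point of the new device and at whatever hashes the vendor publishes. The two checks are deliberately independent: a clean autorun.inf says nothing about a malicious installer, and a matching installer hash says nothing about an autorun.inf someone added on the production line.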

 

So how serious are countries like China about waging a combined form of information warfare against the United States and her allies, and how vulnerable are our military and civilian computer systems and networks? According to Larry Greenblatt, lead instructor at Internetwork Defense, some companies are facing a massive tidal wave of attacks coming in from China, the cyber analogue of the human waves U.S. infantrymen faced at the onset of the Korean War.

 

- Company IT staff now say that 70% of the source traffic that hits their firewalls and is blocked comes from China. They say it is difficult to tell how much more made it past the firewall undetected.

- Those digital picture frames, which happen to be made in China, have been found to contain rootkits and Trojan horses that send passwords and other user data back to China, and they still aren't sure that's all of it yet. They're calling it the "nuclear bomb of viruses".

And here's the kicker that puts it right in your face:

- DOD can't think of any of the hardware devices it uses that are made in the U.S.
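The 70% figure above is the kind of number anyone with firewall logs can reproduce for their own perimeter. The script below is an added example, not code from the interview or from Internetwork Defense: it reads iptables-style deny lines, resolves each source address against a prefix table and reports the per-country share of blocked traffic and the ports being probed. The log lines are constructed, and the lookup table is a stand-in (the prefixes are the RFC 5737 documentation ranges, the country tags are invented); a real deployment would use a maintained GeoIP database. Remember the caveat the interview itself hints at: a source country tells you where the last hop sits, not who is behind it.

```python
"""Per-country share of firewall denies from iptables-style log lines.
Added example; log lines and the prefix-to-country table are constructed."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed lookup table: RFC 5737 documentation prefixes, invented tags.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "BR"),
]
GEO_TABLE.sort(key=lambda entry: entry[0].prefixlen, reverse=True)  # longest prefix wins

DENY_MARKERS = ("FW-DROP:", "FW-REJECT:")  # assumed --log-prefix values
SRC_RE = re.compile(r"\bSRC=([0-9.]+)")
DPT_RE = re.compile(r"\bDPT=(\d+)")
PROTO_RE = re.compile(r"\bPROTO=(\w+)")


def lookup_country(ip_text):
    ip = ipaddress.ip_address(ip_text)
    for net, country in GEO_TABLE:
        if ip in net:
            return country
    return "??"


def parse_deny(line):
    """Return (src, proto, dport) for a denied packet, or None for anything else."""
    if not any(marker in line for marker in DENY_MARKERS):
        return None
    src = SRC_RE.search(line)
    if not src:
        return None
    proto = PROTO_RE.search(line)
    dpt = DPT_RE.search(line)
    return (src.group(1),
            proto.group(1) if proto else "?",
            int(dpt.group(1)) if dpt else None)


def summarize_denies(lines):
    """Count denies by source country, with the ports each country hits most."""
    by_country = Counter()
    ports = defaultdict(Counter)
    sources = Counter()
    for line in lines:
        parsed = parse_deny(line)
        if parsed is None:
            continue
        src, proto, dport = parsed
        country = lookup_country(src)
        by_country[country] += 1
        sources[src] += 1
        if dport is not None:
            ports[country][(proto, dport)] += 1
    total = sum(by_country.values())
    return {
        "total_denied": total,
        "by_country": dict(by_country),
        "share": {c: n / total for c, n in by_country.items()} if total else {},
        "top_ports": {c: ports[c].most_common(3) for c in ports},
        "top_sources": sources.most_common(5),
    }


# Constructed sample: ten denies and one accept, in netfilter LOG target style.
SAMPLE_LOG = [
    "Oct  9 23:14:07 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=42111 DPT=445",
    "Oct  9 23:14:08 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=42112 DPT=445",
    "Oct  9 23:14:09 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.19 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22",
    "Oct  9 23:14:11 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.19 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=1433",
    "Oct  9 23:14:12 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.2 PROTO=TCP SPT=3000 DPT=135",
    "Oct  9 23:14:13 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.2 PROTO=TCP SPT=3001 DPT=445",
    "Oct  9 23:14:15 fw1 kernel: FW-REJECT: IN=eth0 OUT= SRC=203.0.113.90 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=445",
    "Oct  9 23:14:16 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=6000 DPT=80",
    "Oct  9 23:14:17 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.78 DST=198.51.100.2 PROTO=TCP SPT=6001 DPT=22",
    "Oct  9 23:14:18 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.2 PROTO=TCP SPT=7000 DPT=3389",
    "Oct  9 23:14:19 fw1 kernel: FW-ACCEPT: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.2 PROTO=TCP SPT=8000 DPT=443",
]


if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_LOG)
    for country, share in sorted(summary["share"].items(), key=lambda kv: -kv[1]):
        print(f"{country}: {share:.0%} of {summary['total_denied']} denies,"
              f" top ports {summary['top_ports'].get(country)}")
```

Feed it `sys.stdin` or a file object instead of `SAMPLE_LOG` to run it over real logs; the accept line shows why the deny markers matter, since counting everything the firewall logs would inflate the share with permitted traffic.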

 

 

Jump ahead to 11:22 in this video to watch the interview NTDTV's Dong Xiang conducts with Greenblatt:

 

 

China not only intends to do harm, it intends to do so through both hardware and software means of compromising computer systems, as common sense would predict. More directly, U.S. civilian and military agencies are at risk, and China is clearly not doing this for defensive purposes. According to Timothy L. Thomas's 1 June 2002 article in Jane's, "Confrontation central to Chinese IW aims", China has shifted decidedly to an offensive rather than a defensive posture. Since at least the mid-1990s, China has been ramping up its information warfare capabilities, aggressively using novel ways of exploiting security weaknesses to gain access to civilian and military, home and business computers. In 1999 the now infamous book "Unrestricted Warfare" hit the presses, its authors Colonels Qiao Liang and Wang Xiangsui of the Chinese PLA. Published in English on 11 September 2002, it describes a wild array of new scenarios for bringing down its stated enemy, the United States, including flying planes into buildings. The information warfare (IW) component could not be overlooked either, and the PLA has pursued the idea aggressively, to understate the matter. As the Winter 2001 issue of the Defense Intelligence Journal describes it, the Chinese early on adopted a far broader and more robust spectrum of IW, while the U.S. focused on six fundamental concepts of "battlefield information warfare" or "command and control warfare", all aimed at military targets: Psychological Operations (PSYOP), Military Deception, Operational Security (OPSEC), Electronic Warfare (EW), Physical Attack/Destruction and Computer Network Attack (CNA). In nuclear terminology this equates to "counterforce" warfare, specifically targeting assets of direct military value such as command centers and operations.
The Chinese view, influenced by the notion of unrestricted or asymmetric warfare, was that of "information warfare in the broad sense" as well as the narrow interpretation. The U.S. refers to this method as "Information Operations", whose aim is "full spectrum dominance" based on "information superiority". In nuclear warfare terms this amounts to including counter-value warfare: targets of indirect military value such as commerce, industry, the civilian supply chain (food and other essentials), the general public (to deplete morale), and elected officials and civilian government operations. There are a number of reasons why this is China's preferred method, but one of the more obvious is the extent to which the U.S. relies on technology to do so many things, military and civilian, today, in many instances without an offline Plan B. (As we've discussed previously at this blog, this is one of the key reasons why the EMP, electromagnetic pulse, threat to the U.S. is so big.)

 

A report published on an Army web site around that time discusses China's method and philosophy of IW in depth:

 

How has the information age affected China’s attitude toward warfare? It is fair to say that the major change was a reevaluation of how to evaluate and conduct warfare. China realized that it couldn’t threaten countries as a superpower might do with its current nuclear force, but something it can do with its IW force. For example, China can theoretically threaten U.S. financial stability through peacetime IW. Electrons lie at the heart of not only IW but also the worldwide economic boom associated with stock markets and e-commerce. The characteristics of information (global reach, speed of light transmission, nonlinear effects, inexhaustibility, multiple access, etc.) control the material and energy of warfare in a way that nuclear weapons cannot.[3] IW attempts to beat the enemy in terms of promptness, correctness, and sustainability,[4] and electrons are capable of reaching out and touching someone a long way away. It thus makes complete sense to put a significant effort into developing an information-based capability in both the civilian and military sense. From the Chinese point of view, IW is like adding wings to a tiger, making the latter more combat worthy than ever before.

 

Recent reports of hacker attacks on U.S. labs indicate that China is moving from theory to practice in security matters as well. The Washington Times reported on 3 August 2000 that hackers suspected of working for a Chinese government institute broke into a Los Alamos computer system and took large amounts of sensitive but unclassified information. Los Alamos spokesman Jim Danneskiold stated that “an enormous amount of Chinese activity hitting our green, open sites” occurs continuously.[5]

 

 

The report goes on to explain the philosophical underpinnings of the Chinese method of IW, and it is an interesting read. A June 2008 article at Stratfor.com (Strategic Forecasting) discusses how this threat is developing. Now that China has economic ties in Latin America, Africa and pretty much everywhere, it will likely build a navy capable of protecting them, and as such it will seek to build a global empire that is not just an economic one. This is not your father's Soviet Union. The USSR was China's sickly older brother; China is by no means sickly or haggard. Based on testimony before the House Armed Services Committee (and as we know from countless other sources over the years), Stratfor suggests, most alarmingly, that the singular target of China's military capabilities is the United States; "its asymmetric capabilities are uniquely tailored to dealing with the world's sole superpower". The hearing discussed four main ways China is seeking to bolster its capabilities against the U.S.: EMP weapons, ballistic missiles, counter-space, and IW:

 

China is recognized as having one of the most advanced cyberwarfare capabilities in the world. An untold number of intrusions and attacks on military, government and corporate systems have been traced back to mainland China — often to sources with ties to the PLA. The testimonies of Shinn and Breedlove reinforced many other statements to this effect from U.S. military, government and industry officials. There is little doubt at this point that China would be able to bring massive and well-drilled force to bear in cyberspace in a future conflict. There is substantial concern within the government and military about the U.S. ability to defend the continental United States against such attacks — not only military systems, but targets as diverse as corporate Web sites and power grids.

 

 

China also has a long history of asymmetric warfare against not just the United States but even other Communist states in the region that run afoul of its good graces. As quoted in the Winter 2001 DIJ article, Jia Weidong, writing in Beijing's Jiefangjun Bao (17 April 1999), explains that,

 

Asymmetrical warfare has clear smart war features: Asymmetric warfare is grounded in the development of technology, particularly high technology … Information or smart warfare has become the mainstay of asymmetrical warfare. The acquisition of accurate intelligence has always been a prerequisite for successful asymmetrical operations … Asymmetrical warfare is increasingly developing in the direction of no-contact warfare … Asymmetrical warfare will make the battlefield much more multidimensional.

 

 

Indeed, the Chinese have reportedly gone so far as to insert RFID chips into coins that found their way into the pockets of Pentagon contractors on possibly sensitive projects, in order to track them. China also appears to have taken advantage of the unbelievable decision by our State Department to outsource passport manufacture to Thailand. And lest we question China's current resolve, we have the 2006 NBC report on the "Spike in Chinese efforts to steal U.S. technology", both military and civilian. (Via LexisNexis)

 

Since remote cyber attacks, denying capabilities to the enemy while gaining valuable information from him, are such a critical part of China's four-pillar method of assault, one must consider new ways in which China can make such attacks more effective. One way becomes obvious as more and more technology is manufactured in China, technology that can be used to control and relay information. By hard-wiring technology to behave maliciously, the Chinese take the battle one step beyond the already struggling software solutions for combating malware. Another plus for the attacker is that finding out whether a chip is completely free of malicious programming is nearly impossible. Popular Mechanics:

 

When a software problem is detected, thousands or millions of computers can be fixed within hours with a software patch. Discover a malevolent hardware component, however, and machines need to be fixed one by one by one. On a large network it could take months—if the problem were detected at all.

 

"There are a whole bunch of functions inside each chip that you have no direct access to," says Stephen Kent, chief information security scientist for BBN Technologies and a member of the Intelligence Science Board, which advises U.S. intelligence agencies. "We passed the point a long time ago when you could combinatorially test all the possible inputs for a complex chip. If somebody hid a function that, given the right inputs, could cause the chip to do something surprising, it's not clear how you could test for that."

 

 

The value of such a tool would seem irresistible.  Derene and Pappalardo point out that,

 

Individuals, companies and federal agencies could all be at risk from foreign governments or criminal enterprises. A computer chip built with a subtle error might allow an identity-theft ring to hack past the encryption used to connect customers with their banks. Flash memory hidden inside a corporation's networked printers could save an image file of every document it printed, then send out the information. In a disturbing national-security scenario, overseas agents might be able to hard-wire instructions to bring down a Department of Defense system on a predetermined date or in response to an external trigger. In the time it took to bring the systems back online, a military assault could be underway.
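Kent's point about combinatorial testing and the "predetermined date or external trigger" scenario above are two faces of the same design: a hidden function that stays dormant until one specific condition holds. The model below is an added example, not code from Popular Mechanics or from any chip vendor. It is a toy: a 32-bit adder in Python standing in for a silicon unit, with a hypothetical trigger pair (the hex constants are arbitrary) and a hypothetical cycle-count trigger; the test rate used to size the exhaustive run is an assumption for scale only. It shows why a differential test against the golden model passes clean unless the test set happens to contain the trigger, and how long "just try every input" takes even for one small unit.

```python
"""Toy hardware-trojan model: input-triggered and time-triggered payloads
against a golden reference.  Added example; trigger values are hypothetical."""
import random

WIDTH = 32
MASK = (1 << WIDTH) - 1
INPUT_SPACE = 2 ** (2 * WIDTH)  # every (a, b) pair the unit can see

# Hypothetical trigger: one operand pair chosen by the adversary.  The exact
# values are arbitrary; the point is that it is a single pair out of 2**64.
TRIGGER_A = 0xDEADBEEF
TRIGGER_B = 0x0BADF00D


def golden_add(a, b):
    """Reference model: what the datasheet says the unit does."""
    return (a + b) & MASK


def trojaned_add(a, b):
    """Same unit with a hidden function: identical on every input except the
    trigger pair, where it silently flips the top bit of the result."""
    result = (a + b) & MASK
    if a == TRIGGER_A and b == TRIGGER_B:
        result ^= 1 << (WIDTH - 1)
    return result


def random_test(trials, seed=2008):
    """Differential test against the golden model over random vectors.
    Returns the number of mismatches found."""
    rng = random.Random(seed)
    mismatches = 0
    for _ in range(trials):
        a, b = rng.getrandbits(WIDTH), rng.getrandbits(WIDTH)
        if trojaned_add(a, b) != golden_add(a, b):
            mismatches += 1
    return mismatches


def hit_probability(trials):
    """Chance that `trials` uniform random vectors include the trigger pair."""
    return trials / INPUT_SPACE


def exhaustive_test_years(vectors_per_second=1e9):
    """Wall-clock years to enumerate the whole input space of this one
    32-bit adder at the given (assumed) test rate."""
    return INPUT_SPACE / vectors_per_second / (365.25 * 24 * 3600)


class TimeBombUnit:
    """The other trigger shape from the article: keyed to elapsed operation
    rather than to an input.  Correct until the internal counter passes
    ARM_CYCLES, then every result is corrupted."""
    ARM_CYCLES = 100_000  # hypothetical arming point

    def __init__(self):
        self.cycles = 0

    def add(self, a, b):
        self.cycles += 1
        result = golden_add(a, b)
        if self.cycles > self.ARM_CYCLES:
            result ^= 1
        return result


def burn_in(unit, cycles, seed=7):
    """Acceptance test of the usual shape: exercise the unit for a while and
    compare against the golden model.  True means it passed."""
    rng = random.Random(seed)
    for _ in range(cycles):
        a, b = rng.getrandbits(WIDTH), rng.getrandbits(WIDTH)
        if unit.add(a, b) != golden_add(a, b):
            return False
    return True


if __name__ == "__main__":
    print("mismatches in 100k random vectors:", random_test(100_000))
    print("probability those vectors hit the trigger:", hit_probability(100_000))
    print("years to test exhaustively at 1e9/s:", round(exhaustive_test_years(), 1))
    print("trigger pair output differs:",
          trojaned_add(TRIGGER_A, TRIGGER_B) != golden_add(TRIGGER_A, TRIGGER_B))
    print("10k-cycle burn-in passes:", burn_in(TimeBombUnit(), 10_000))
    print("burn-in past the arm point passes:",
          burn_in(TimeBombUnit(), TimeBombUnit.ARM_CYCLES + 1))
```

A real unit has far more state than a 32-bit adder, so the numbers only get worse: the exhaustive figure here is centuries for 64 input bits, and a unit with internal state multiplies that by every reachable state. That is the practical content of "it's not clear how you could test for that": black-box testing finds the payload only if it already knows the trigger, which is why the countermeasures discussed later in the post concentrate on who built the part rather than on testing it afterwards.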

 

 

Further, not only does such a threat exist, having already been realized in a few small cases here and there, but the tampering need not originate in a factory at all, as the authors go on to show:

 

Such tampering wouldn't have to occur in a factory where computer components were built. In fact, repair businesses and subcontractors may pose a greater danger. "A skilled and capable adversary could replace a chip on a circuit board with a very similar one," says John Pironti, a security expert for information technology consulting firm Getronics. "But this chip would have malicious instructions added to the programming." The strategy wouldn't be practical for running a broad identity-theft operation, but it might allow spies to focus an attack on a valuable corporate or government target—gaining access to equipment, then doctoring it with hidden functions.

 

 

The article does mention some disagreement as to whether such a method is really practical, and, since nothing larger in scale than the digital picture frames is yet known to have happened at the overt hands of a foreign government, some argue that the risk is less "severe". The article counters this with an example of just such a method being used by the U.S. against the Soviets once upon a time. What we know today, however, is that China is extremely secretive about its specific activities yet very open about its philosophy and strategy. Since most so-called experts could not imagine the events of 9/11 or Pearl Harbor before they occurred, simply because nothing like them had happened yet, they make themselves, and us, vulnerable to any properly thought-out attack, which, when dealing with a power such as China, is the very thing we can reasonably expect.

 

As such, according to the Popular Mechanics article, the NSA and DOD are looking into ways to shore up our semiconductor industry and to "guard their electronics supply chains". This is becoming increasingly difficult, however, as Intel and AMD move more of their operations to China and the smaller chip makers follow suit in order to remain competitive. At present, under 25% of these companies still operate onshore in the U.S. The problem hits home when we try to imagine where we would get our computers if China were to go to war with us or an ally. Were Ronald Reagan still president, he would likely sign an executive order stopping this, as he did with sensitive technology trade with the Soviet Union; we have no such good fortune on Pennsylvania Avenue today. The result is that the DOD and other government agencies have increasingly been forced, in a twist of irony, to rely on outdated and poorer quality technology: created in the U.S., produced in China, and unavailable to the nation that developed it. The ultimate technology sinkhole.

 

 

The NSA's Trusted Foundry Access program, designed to encourage technology developed onshore in the U.S. or in a trusted ally (for whatever an ally's security may be worth) and to certify technology fabricated in those locations, also seems to lack key components, according to the Popular Mechanics article:

 

Ten companies have joined the program since 2004—the inaugural deal, with IBM, cost the government a reported $600 million. To participate, manufacturers need to take measures such as obtaining security clearances for staff members and quarantining computer design tools from the Internet. Further, "The facilities must be on-shore or in a closely allied country," says a Defense Department official involved with the program.

  

One potential flaw in the program is that it covers "just a slice of the life cycle," says Jim Gosler, a Sandia National Laboratories researcher who has spent time probing U.S. electronics systems to identify vulnerabilities. "You have to make sure the component stays trusted—they get out and about" once the equipment leaves the factory and goes into service.

 

More critically, even well-funded initiatives can't permanently withstand the forces pushing microchip production offshore. Ultimately, trying too hard to isolate American chip-making might simply help foreign-owned chip manufacturers challenge U.S. dominance in the field. "It's a pretty hairy situation to look out 10 or 15 years and have to ask, ‘Where are we going to get our technology?'" the Defense official says.

 

Meanwhile, many of the prevailing political winds seem to be blowing against any serious pursuit of a solution. Bill Gertz, in his 29 June 2007 article (via LexisNexis), reveals how the Commerce Department is actively pushing to loosen "export controls on goods to China [that] will assist Beijing's intelligence services in identifying U.S. technology for purchase or theft for its military buildup." The insanity is that while this was going on (and it certainly went on ad nauseam during the Clinton administration as well), Secretary of Homeland Security Michael Chertoff stated (again via the Popular Mechanics article, as well as an earlier one), "Increasingly when you buy computers they have components that originate ... all around the world. We need to look at ... how we assure that people are not embedding in very small components ... that can be triggered remotely."

 

Another plan under development at DARPA involves finding a way to scan computer chips for malicious functions, analogous to the way virus scanners scan software for malicious code. The agency is currently contracting with Raytheon, MIT, Johns Hopkins University "and others" to make this happen. Given the continued problem with Chinese foreign nationals in our universities and the often lackluster security there, one has to wonder how bullet-proof such developments might be once we do in fact find a way to do it. Popular Mechanics quotes one expert as saying, "Even if you found something, you could never be confident you found everything." Nevertheless, if the U.S. is serious about doing this, nothing is impossible. The question, particularly in light of the current face of Washington, with heavy financial strings being tugged by powerful interests with strong Chinese economic ties, as well as general apathy at the consumer and industry level, is: how serious are we?

 

 

 

Posted by Martin at October 10, 2008 03:32 AM

Comments

Hello!
Very Interesting post! Thank you for such interesting resource!
PS: Sorry for my bad English, I've just started to learn this language ;)
See you!
Your, Raiul Baztepo

Posted by: RaiulBaztepo at March 31, 2009 03:54 PM

Hi !! ^_^
I am Piter Kokoniz. Just want to tell, that I like your blog very much!
And want to ask you: is this blog your hobby?
Sorry for my bad english:)
Thank you:)
Piter Kokoniz, from Latvia

Posted by: PiterKokoniz at April 8, 2009 02:45 PM

Hey Raiul and Piter. Thank you for your kind words and I do hope you both continue learning English. So far, it looks as if you are fast learners. :)

@Piter, I had no idea they used the same Ukrainian ISP in Latvia as they do in Ukraine, which Raiul also uses. I guess it makes sense since you both are sort of neighbors. ;)

Posted by: Martin at April 9, 2009 10:46 PM
