Hardware Backdoor

Hardware backdoors are backdoors in hardware, such as code inside hardware or firmware of computer chips. The backdoors may be directly implemented as hardware Trojans in the integrated circuit. Hardware backdoors are intended to undermine security in smartcards and other cryptoprocessors unless investment is made in anti-backdoor design methods. They have also been considered for car hacking.


Severity

Hardware backdoors are considered highly problematic because:
# They can’t be removed by conventional means such as antivirus software
# They can circumvent other types of security such as disk encryption
# They can be injected at manufacturing time, where the user has no degree of control


Examples

* Around 2008 the FBI reported that 3,500 counterfeit Cisco network components were discovered in the US, with some of them having found their way into military and government facilities.
* In 2011 Jonathan Brossard demonstrated a proof-of-concept hardware backdoor called "Rakshasa" which can be installed by anyone with physical access to hardware. It uses coreboot to re-flash the BIOS with SeaBIOS and iPXE.
* In 2012 Skorobogatov (of the University of Cambridge computer laboratory) and Woods controversially stated that they had found a backdoor in a military-grade FPGA device which could be exploited to access/modify sensitive information. It has been said that this was proven to be a software problem and not a deliberate attempt at sabotage, but the case still brought to light the need for equipment manufacturers to ensure microchips operate as intended.
* In 2012 two mobile phones developed by Chinese device manufacturer ZTE were found to carry a backdoor to instantly gain root access via a password that had been hard-coded into the software. This was confirmed by security researcher Dmitri Alperovitch.
* U.S. sources have pointed the finger of suspicion at Huawei hardware since at least 2012, suggesting the possibility of the presence of backdoors in Huawei products.
* In 2013 researchers with the University of Massachusetts devised a method of breaking a CPU's internal cryptographic mechanisms by introducing specific impurities into the crystalline structure of transistors to change Intel's random-number generator.
* Documents revealed from 2013 onwards during the surveillance disclosures initiated by Edward Snowden showed that the Tailored Access Operations (TAO) unit and other NSA employees intercepted servers, routers, and other network gear being shipped to organizations targeted for surveillance to install covert implant firmware onto them before delivery. These tools include custom BIOS exploits that survive the reinstallation of operating systems, and USB cables with spy hardware and a radio transceiver packed inside.
* In June 2016 it was reported that the University of Michigan Department of Electrical Engineering and Computer Science had built a hardware backdoor that leveraged "analog circuits to create a hardware attack": once its capacitors store up enough charge, the backdoor is switched on, giving an attacker complete access to whatever system or device − such as a PC − contains the backdoored chip. In the study, which won the "best paper" award at the IEEE Symposium on Privacy and Security, they also note that the microscopic hardware backdoor wouldn't be caught by practically any modern method of hardware security analysis, and could be planted by a single employee of a chip factory.
* In September 2016 Skorobogatov showed how he had removed a NAND chip from an iPhone 5C - the main memory storage system used on many Apple devices - and cloned it so that he could try out more incorrect combinations than allowed by the attempt-counter.
* In October 2018 Bloomberg reported that an attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America's technology supply chain.


Countermeasures

Skorobogatov has developed a technique capable of detecting malicious insertions into chips. New York University Tandon School of Engineering researchers have developed a way to corroborate a chip's operation using verifiable computing, whereby "manufactured for sale" chips contain an embedded verification module that proves the chip's calculations are correct, and an associated external module validates the embedded verification module. Another technique, developed by researchers at University College London (UCL), relies on distributing trust between multiple identical chips from disjoint supply chains. Assuming that at least one of those chips remains honest, the security of the device is preserved.

Researchers at the University of Southern California Ming Hsieh Department of Electrical and Computer Engineering and the Photonic Science Division at the Paul Scherrer Institute have developed a new technique called Ptychographic X-ray laminography. This technique is the only current method that allows for verification of the chip's blueprint and design without destroying or cutting the chip. It also does so in significantly less time than other current methods. Anthony F. J. Levi, Professor of electrical and computer engineering at the University of Southern California, explains: “It’s the only approach to non-destructive reverse engineering of electronic chips—and not just reverse engineering but assurance that chips are manufactured according to design. You can identify the foundry, aspects of the design, who did the design. It’s like a fingerprint.” This method is currently able to scan chips in 3D and zoom in on sections, and can accommodate chips up to 12 millimeters by 12 millimeters, easily accommodating an Apple A12 chip but not yet able to scan a full Nvidia Volta GPU. "Future versions of the laminography technique could reach a resolution of just 2 nanometers or reduce the time for a low-resolution inspection of that 300-by-300-micrometer segment to less than an hour, the researchers say."
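To make the "distributing trust between multiple identical chips" idea concrete, here is a small constructed Python model (added here; not UCL's design or code): several simulated chips each supply randomness and each compute the same function, and a combiner XORs their random outputs and refuses any computation result the chips do not unanimously agree on. The chip names, the backdoor behaviours and the use of SHA-256 as the stand-in computation are assumptions for illustration.

```python
"""Toy model of distributed trust across chips from disjoint supply chains.

Constructed illustration: a backdoored chip is modelled either as one
whose "random" output is a fixed pattern the attacker knows, or as one
that silently corrupts a computation result. The combiner stays secure
as long as at least one chip is honest.
"""
import hashlib
import secrets
from typing import Callable, List


class Chip:
    """A chip is modelled by a randomness source and a compute function."""
    def __init__(self, name: str, rng: Callable[[int], bytes],
                 compute: Callable[[bytes], bytes]):
        self.name, self.rng, self.compute = name, rng, compute


def honest_chip(name: str) -> Chip:
    return Chip(name, secrets.token_bytes, lambda m: hashlib.sha256(m).digest())


def backdoored_rng_chip(name: str) -> Chip:
    # Assumed backdoor: "random" bytes are a constant pattern (attacker-known).
    return Chip(name, lambda n: b"\x42" * n, lambda m: hashlib.sha256(m).digest())


def backdoored_compute_chip(name: str) -> Chip:
    # Assumed backdoor: the chip flips one bit of every computed result.
    def corrupted(m: bytes) -> bytes:
        d = bytearray(hashlib.sha256(m).digest())
        d[0] ^= 1
        return bytes(d)
    return Chip(name, secrets.token_bytes, corrupted)


def combined_random(chips: List[Chip], n: int) -> bytes:
    """XOR every chip's output: unpredictable if any ONE chip is honest."""
    out = bytearray(n)
    for chip in chips:
        for i, b in enumerate(chip.rng(n)):
            out[i] ^= b
    return bytes(out)


def cross_checked_compute(chips: List[Chip], m: bytes) -> bytes:
    """Fail-stop: accept a result only if every chip returns the same one.

    A single honest chip is enough to expose a tampered result, though not
    to identify which chip tampered; if all chips were backdoored identically
    the check would not catch it (that is the 'at least one honest' assumption).
    """
    results = {chip.compute(m) for chip in chips}
    if len(results) != 1:
        raise RuntimeError("chip disagreement among: %s" % [c.name for c in chips])
    return results.pop()
```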


See also

* Clipper chip
* FBI–Apple encryption dispute
* Hardware security
* Hardware security bug
* Hardware Trojan
* Zombie Zero
* Open hardware
* Code signing
* Intel Management Engine
* AMD Platform Security Processor


Further reading

* Krieg, Christian; Dabrowski, Adrian; Hobel, Heidelinde; Krombholz, Katharina; Weippl, Edgar (2013). Hardware malware. Morgan & Claypool. ISBN 9781627052528.