How do you assess whether your computer has a hardware rootkit? There was another question about Chipsec with no answers; I assume no one knows the answer. Is there any other way to assess this?

– Limit, Peter

1 Answer
There's no practical way to provide complete assurance that a machine isn't compromised. There are a few things you could look for, but none are definitive.

Based on details in the NSA ANT catalog, you could compare the board in question to a reference photograph of a known-clean motherboard and look for evidence of the implants they offered a few years ago. The NSA designed small boards that are designed to fit behind an Ethernet jack tower; they have implants hidden inside USB and monitor cables, etc. But finding one would be a total shot in the dark.

And even if you look, it's just as likely that a machine has had its firmware or silicon compromised somewhere, and those implants would be entirely invisible.

You could monitor your network for unexpected traffic, but know that some of these implants use RF energy to exfiltrate their data. And not all of them use WiFi, 3G, or Bluetooth protocols, either. Some are even based on malicious USB drives that rely on an agent (witting or unwitting) to physically carry them off the premises.

Instead of focusing on a particular threat, you'll do more for your overall security by watching your network carefully. Run NIDS and DLP tools. Monitor for suspicious traffic volumes, times, ports, etc. Consider an SSL intercepting proxy. Also keep abreast of security alerts. Not only will these types of activities help defend against malicious implants, but they could detect the activity of ransomware, worms, viruses, malware, or hackers, too.

– John Deters

Comment: "it's honestly highly unlikely for the NSA to target a normal, non-criminal organization" You mean one like Gemalto? Or Google? There are plenty more examples over the last several years, but it's too late here for me to dig out further examples. – user Jul 11 '17 at 22:10
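The answer's advice to watch traffic volumes, times and ports, turned into an added example (my own code, not from the answer or anyone in the thread): it learns a per-host baseline from one day of constructed flow records, then flags destination ports the host never used, off-hours transfers far above its usual size, and fixed-interval connections that look like beaconing. The hosts, dates, ports and byte counts are made up; the business-hours window and thresholds are assumptions to tune per site.

```python
"""Flag unexpected egress in flow records: new ports, off-hours spikes, beaconing."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample flows, not captured from any real network:
# (timestamp, source host, destination, destination port, bytes sent)
FLOWS = [
    ("2024-03-04T09:15:00", "10.0.0.5", "203.0.113.9", 443, 120_000),
    ("2024-03-04T10:40:00", "10.0.0.5", "203.0.113.9", 443, 95_000),
    ("2024-03-04T14:05:00", "10.0.0.5", "203.0.113.9", 443, 110_000),
    ("2024-03-04T16:50:00", "10.0.0.5", "203.0.113.9", 443, 100_000),
    ("2024-03-05T09:30:00", "10.0.0.5", "203.0.113.9", 443, 100_000),
    ("2024-03-05T03:00:00", "10.0.0.5", "198.51.100.7", 8443, 2_500_000),  # night burst
    ("2024-03-05T03:10:00", "10.0.0.5", "198.51.100.7", 8443, 1_024),  # regular
    ("2024-03-05T03:20:00", "10.0.0.5", "198.51.100.7", 8443, 1_024),  # check-ins
    ("2024-03-05T03:30:00", "10.0.0.5", "198.51.100.7", 8443, 1_024),
]

def find_alerts(flows, baseline_dates, business_hours=range(8, 19), spike=10, jitter=0.1):
    """Return sorted (kind, src, dst, dport) tuples for flows outside the baseline dates."""
    baseline = [f for f in flows if f[0][:10] in baseline_dates]
    recent = [f for f in flows if f[0][:10] not in baseline_dates]
    seen_ports, sizes = defaultdict(set), defaultdict(list)
    for _, src, _, dport, nbytes in baseline:  # learn what is normal per host
        seen_ports[src].add(dport)
        sizes[src].append(nbytes)
    alerts, groups = set(), defaultdict(list)
    for ts, src, dst, dport, nbytes in recent:
        t = datetime.fromisoformat(ts)
        if dport not in seen_ports[src]:
            alerts.add(("new_port", src, dst, dport))
        typical = median(sizes[src]) if sizes[src] else 0  # unknown host: any night traffic flags
        if t.hour not in business_hours and nbytes > spike * typical:
            alerts.add(("off_hours_volume", src, dst, dport))
        groups[(src, dst, dport)].append(t)
    for key, times in groups.items():  # evenly spaced repeats suggest an automated beacon
        if len(times) < 3:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= jitter * mid for g in gaps):
            alerts.add(("beaconing",) + key)
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_alerts(FLOWS, {"2024-03-04"}):
        print(*alert)
```

The baseline here is a single day for brevity; in practice feed it a week or more of flow exports so that legitimate but infrequent ports do not trip the new-port rule.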