3

We can all read news about "hardware trojans" (it has grown in recent years).

But my question is: Besides the network card, could there be any HW trojan that can cause any real damage?

If I needed to put a HW trojan in a server/computer, then I would put it in the NIC, since I can only reach the machine over Ethernet/Wi-Fi. It does not make sense to me to put a HW trojan in a CPU. (I just don't understand why people are so afraid of HW trojans. Shouldn't they only need to be worried about their NIC?)

schroeder
evachristine

3 Answers

2

Since a perfectly honest network card acts under the control of the host CPU, a malicious hardware element in the CPU can perfectly betray the user's secrets. After all, when you have some malware in your machine, the malware is just software, and it runs on the CPU -- and yet your secret data can escape.

Any piece of hardware with DMA access can read and write memory at will, and thus can modify OS and application code as it gets executed. This is sufficient to do everything that kernel-level malware can do, i.e. quite a lot of evilness. This includes the CPU itself, the GPU, the hard disk controllers, the network cards, the USB controllers...

Even if you are intent on having a dormant backdoor, which does nothing until activated from the outside, it can still be done purely in the CPU, or in the DMA controller: it suffices to have the CPU or the DMA controller inspect memory transfers and wait for a specific pattern, which triggers the hostile code. The attacker then just has to send a ping request or some other packet with the said pattern: the DMA controller will see it when it transfers it from the NIC to the main RAM, and the CPU will see it when it recomputes the IP packet checksum.


People are afraid of hardware backdoors because they feel they have no control over them -- and that's entirely true.

Tom Leek
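
To make the answer's list of DMA-capable hardware concrete, here is an added inventory sketch (not part of the original answer) that decodes PCI configuration headers and reports every device whose Bus Master Enable bit is set, meaning it is currently allowed to initiate memory transfers. It assumes Linux sysfs at `/sys/bus/pci/devices`; the `SAMPLE` machine and its vendor/device ids are constructed so the code also runs offline.

```python
import os
import struct

CMD_BUS_MASTER = 0x0004  # PCI command register, bit 2: device may initiate DMA
BASE_CLASS = {0x01: "mass storage", 0x02: "network", 0x03: "display",
              0x06: "bridge", 0x0C: "serial bus (USB etc.)"}

def parse_config(cfg: bytes) -> dict:
    """Decode the PCI configuration header fields relevant to DMA."""
    if len(cfg) < 12:
        raise ValueError("need at least the first 12 bytes of config space")
    vendor, device, command = struct.unpack_from("<HHH", cfg, 0)
    base = cfg[0x0B]  # base class code lives at offset 0x0B
    return {"id": f"{vendor:04x}:{device:04x}",
            "class": BASE_CLASS.get(base, f"class 0x{base:02x}"),
            "bus_master": bool(command & CMD_BUS_MASTER)}

def dma_capable(configs: dict) -> list:
    """Return (address, id, class) for each device with bus mastering enabled."""
    rows = []
    for addr in sorted(configs):
        info = parse_config(configs[addr])
        if info["bus_master"]:
            rows.append((addr, info["id"], info["class"]))
    return rows

def read_sysfs(root="/sys/bus/pci/devices") -> dict:
    """Read live headers on Linux; returns {} where sysfs is unavailable."""
    found = {}
    if os.path.isdir(root):
        for addr in os.listdir(root):
            with open(os.path.join(root, addr, "config"), "rb") as fh:
                found[addr] = fh.read(64)
    return found

def _hdr(command, base, sub):
    # Constructed header: vendor/device ids 0x1234/0x0001 are placeholders.
    return struct.pack("<HHHHBBBB", 0x1234, 0x0001, command, 0, 0, 0, sub, base)

SAMPLE = {  # constructed machine, not captured from real hardware
    "0000:00:14.0": _hdr(0x0006, 0x0C, 0x03),  # USB controller
    "0000:00:17.0": _hdr(0x0007, 0x01, 0x06),  # SATA controller
    "0000:00:1f.0": _hdr(0x0003, 0x06, 0x01),  # ISA bridge, bus master off
    "0000:01:00.0": _hdr(0x0007, 0x03, 0x00),  # GPU
    "0000:02:00.0": _hdr(0x0006, 0x02, 0x00),  # NIC
}

if __name__ == "__main__":
    for row in dma_capable(read_sysfs() or SAMPLE):
        print(*row, sep="  ")
```

On the constructed sample, the NIC is only one of four bus-mastering devices; the USB controller, SATA controller and GPU are listed alongside it.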
1

Have you looked at the articles about NSA implants and back doors?

I could put a back door in a SATA controller. Special sequence of bytes written to disk, trojan is triggered. Or even trigger it over the network controller via DMA. One could create a weakness in the RNG in the CPU and use it to leak information. Chipsets with short-range wireless transceivers in them are possible.

The trust boundaries within the machine are blurry. It's not like the CPU validates every bit of data coming from the NIC.

David
1

Variety. If everyone is only looking at network cards and only has the capability of analyzing network cards, how many people would be caught with their pants down if the infections originated from other components?

Here is a scare story:

A few years ago the U.S. Department of Defense determined that over a third of all of its equipment was compromised by bootleg components bought from third party overseas contractors by U.S. Government contractors. Now, if any of those were electronic, and they were compromised at the firmware level, then later installed into protected network capable systems, what would be the potential for compromise?

As an addendum to the above, the U.S. has banned the use of any components imported from East Asia in governmental systems.

News stories:

DARPA going to war against bootleg components

Sale of counterfeit parts

tk1974