What if your hardware was infected with a virus?

It's not becoming uncommon to see viruses once again infecting the boot sector of a hard disk, in order to maintain their infection of a system.  There have even been reports of viruses infecting the BIOS, capable of maintaining infection after a full harddisk wipe.

But what if your actual hardware had an infection permanently programmed in?  It's not unheard of for consumer electronics such as digital photo frames to be manufactured and sold with malware installed at the factory.  What if the actual hardware design included a piece of malware designed to fail at a certain date/time or even phone home?

While the chances of this occurring are unlikely, it's still a possibility.  Chances are that if a piece of hardware were modified that significantly, it would most likely be deliberate actions of a well funded organization, with malware rivaling that of Stuxnet or Duqu.  This organization would need to do a lot more than just infect a USB stick - the organization would need someone on the inside of the manufacturing process to implement any hardware based malware, and most likely would be government funded.  This malware would be well beyond the complexity of Stuxnet or Duqu, as it would be malware written at the physical hardware layer, incorporated into the equipment.

The applications for such a piece of malware are very limited.  While espionage would be a likely candidate, it would be ill advised - any malware which would "phone home" from the physical layer would be detected by network monitoring tools, and the hardware would be taken out of service.  Once the physical "defect" was uncovered by researchers, a bulletin would be issued worldwide to discontinue use of that device.

A more likely application of hardware based malware would be sabotage.  Deliberately design a device to fail at a specified date/time.  Consider this scenario for a minute...what would happen if half the switches running the Internet backbone would fail simultaneously?  Communication would be severely crippled.  Then apply this one step further to hardware such as digitally controlled water pumps, generators, dam controls... Simultaneous failure of multiple components on a nationwide or global scale could have disastrous consequences.

While the likelihood of this being detected at a manufacturer level is relatively high, thanks to quality control processes, if a hardware based piece of malware were missed by a manufacturer, or intentionally introduced by a manufacturer under direction of its government, once a piece of hardware leaves the factory, hardware based malware would be near impossible to detect until it was too late.

Ultimately, this raises the question of "how well do you trust your manufacturers?"  Are you having a local, trusted manufacturer you've dealt with for years build your equipment, or do you outsource your manufacturing to the cheapest supplier overseas who you've never even met face-to-face?

In a world where best practices such as configuration management and configuration standardization are becoming key, should a piece of hardware based malware be created, configuration standardization may ultimately be our own downfall.

Unfortunately, much like Stuxnet and Duqu, it's no longer a question of "if" hardware based malware will appear, but "how soon"...

No comments:

Post a Comment