Dragons in the Algorithm
Adventures in Programming
by Michael Chermside

My Security Nightmare

As Willie Sutton didn't say, "I rob banks because that's where the money is."

I work for a bank, and so I worry more about security than most programmers. After all, if a hacker were were truly motivated and competent who would they pick to go after? Probably a bank (the other good option is political or corporate espionage). Recently I saw two security-related stories which, when combined, form my ultimate nightmare: an effective attack for which I cannot imagine a possible defense.

The first story was a research article on microchip design written by some researchers at the University of Illinois at Urbana-Champaign. The researchers asked an interesting question: suppose a smart, competent attacker were to make some changes to the design of a CPU: could they make the CPU vulnerable to some kind of hacking attack without making it obvious? It is not a question I had ever heard before: I am used to thinking of the hardware as fixed and looking for vulnerabilities in the software instead.

image0The answer was a resounding "Yes!". They came up with two attacks: each requiring around 1000 extra logic gates, on a chip that has around 1.8 million gates! One attack allowed a specially designed program to read anything in memory (including things like passwords), the other allowed extra programs to run that were invisible to the rest of the computer. Each could be activated by using a special "trigger phrase" -- which could even be delivered by just sending a packet to the machine (you don't necessarily have to hack into the machine to activate it). Once activated, the code you run can be completely invisible to the operating system, and can override any software running on the computer. It could collect passwords (allowing a conventional hack), modify data, replace programs with versions that have backdoors, and if done by a competent hacker, all of this would be impossible to detect.

An undetectable and unstoppable vulnerability: it's a good thing that CPUs cost millions of dollars to manufacture (even for a very small run) and that we buy our computers from reputable companies like Dell who get their chips from reputable companies like Intel and AMG.

image1The second story is about a large multinational fraud that was being executed throughout parts of Europe. Over a period of months, MasterCard had noticed a suspicious pattern of credit card fraud throughout Northern England. Someone technically sophisticated was making fake duplicates of real credit cards, but the investigators could not determine how the fraudsters were obtaining the data. By one account, the break in the case came when a security guard at a grocery store noticed a burst of static on his cell phone; by another account the break came when someone duplicated a card that had only ever been used once. Either way, someone took apart one of the store scanners and discovered that it had an extra payload.

Someone had built in a device which stored data on a small portion of the cards that got scanned. Then once a day it would place a wireless call to someplace in Pakistan to drop off the data and pick up new instructions. Presumably from there an international criminal ring produced the fake cards.

Of course the fraud groups at MasterCard are well aware of this kind of scam, and they correlate stolen card numbers back to what stores and what devices those cards had been used in previously. Had it been just this one scanner with modified hardware, the folks at MasterCard would have identified it almost immediately. Scotland Yard noticed that the scanner with the bug in it weighed an extra 4 ounces. Soon investigators with scales were speeding to stores throughout Europe, checking for card-readers that weighed 4 oz more than they should. They found hundreds of compromised machines - even in major retailers like Wal-Mart, and there was no sign of tampering.

It turns out that the bugs were inserted not by agents in the store, but by someone in a factory in China back when the devices were first being manufactured. The criminals were quite smart in how they leveraged the information: never stealing so much from one site that it would give away the game. And they made off with at least 50-100 thousand dollars, perhaps more. No matter how careful the people at the stores were, they had no chance against devices that where compromised in the supply chain before the store ever received it.

. . .

So here is my nightmare senario: someone decides to target a bank ('cause that's where the money is). They manufacture chips that allow them access below the operating system level, which is immune to any attempt to use virus checking, encryption or other such defenses. And they insert these into the supply chain somehow (how big a bribe would it take to get a couple of hours unobserved in a Dell warehouse?). Then they get competent programmers to slowly siphon off cash at levels that won't be noticed. Sure, the costs of such a scheme probably run in the millions of dollars, but organized crime in places like Russia certainly have access to this kind of money.

And I cannot imagine anything that I, as a technical expert at a bank with a concern for security, could do to prevent this attack.

Posted Thu 04 December 2008 by mcherm in Programming