Virus laden hardware emerges

By mccoyt at 4:22 pm on March 16, 2008

While the idea of software viruses is by no means new to those who work with computers, a new vector of attack seems to be developing in the form of hardware shipped from the manufacturer that is already infected with malware. In the past few weeks, a set of digital peripherals, particularly USB picture frames and iPods, have been found to contain one or more malicious executables. With such a method of delivery, it seems that the security industry may need to rethink what can and cannot be considered secure.

 http://www.cnn.com/2008/TECH/ptech/03/13/factory.installed.virus.ap/index.html?iref=mpstoryview

 

 Though the article indicates that actions have been taken against the manufacturers of the devices identified as being compromised, the impact of the incident will likely be far broader. Traditionally, the idea of trusted computing has relied on the fact that hardware is implicitly trusted upon arrival from the vendor. Only after exposure to a user or network does it seem possible for the hardware to be in some way compromised, and thus, if the user and network are secure, so too should the hardware.

 In this case, such a model no longer appears valid. If the hardware from the manufacturer is infected, the safeguards afforded by proper user behavior and network protection are greatly reduced. Indeed, if extended beyond peripherals to internal computer components such as motherboards or network cards, such a threat would undermine a fundamental methodology in computer security: starting with trusted components and building secure OS and application layers on top of them. If the very hardware on which such software runs is corrupt, no trusted foundation exists upon which to build.

 Unfortunately, it seems unlikely that this problem will be solved before becoming more serious. Unless stores begin to feel an economic impact from consumer concerns, vendors with two, three, or more levels of separation between themselves and the customer will have little incentive to prevent such security breaches.

 Max A, David W, Travis M


1 Comment


    Comment by sky

    March 16, 2008 @ 8:35 pm

    I think that the OP is right that the idea that all hardware can be trusted is on the way out. This post reminded me of another on this blog written fairly recently, about how someone can unlock a locked Windows machine using a FireWire port:

    http://cubist.cs.washington.edu/Security/2008/03/13/feature-or-flaw/

    It wouldn’t make sense not to view some pieces of hardware as untrusted, like the CPU. But especially things that we connect to multiple computers it seems odd that we trust completely. Abstractly, there is not much of a difference between USB ports, FireWire ports, and Ethernet ports. They all transfer data between other sources and one’s computer. I feel like it is only a matter of time before USB and FireWire ports lose privileges to the point where they are very similar to Ethernet ports.
