Hardware Trojans introduced on a mass scale during the chip manufacturing process will allow attackers and others to obtain leaked data from, and to control processes on, IoT devices and beyond, a German security expert says.
Christof Paar, who is head of embedded security at Ruhr-Universität Bochum in Germany, has obtained special grant funding to explore the controversial subject, the university says in a release.
Hardware Trojans, or backdoors, could be “integrated into the devices by the manufacturers from the outset, or included during chip manufacturing,” the university says.
“Governments all over the world might be deeply interested in hardware Trojans,” Paar says.
Indeed, when National Security Agency Deputy Director Richard Ledgett was asked what he thought about IoT devices collecting intelligence, he said it is something the agency is looking into, according to The Intercept.
And in February, James Clapper, U.S. director of national intelligence, “acknowledged for the first time that agencies might use a new generation of smart household devices to increase their surveillance capabilities,” according to the Guardian.
Paar says he wants to use his research to “develop mechanisms that will render the Internet of Things more secure,” the university release continues.
Much folklore over spying using internet devices has concentrated on such things as smart televisions with microphones that are always on, or Mark Zuckerberg’s now famous taping-up of his laptop camera. Paar believes, however, the spying will come from within the chip—particularly when the encryption is turned off through manufacturer-introduced controls.
Spying via IoT devices
Paar isn’t the only one who thinks IoT will provide built-in exploits usable for spying. Harvard’s Berkman Center for Internet and Society released a study earlier this year that came up with numerous reasons connected devices would be great for spooks.
Among those reasons is the fact that software systems are “fragmented, leading to a lack of coordination and standardization” in encryption—holes, in other words. The study also says that “real-time intercept” is possible with the increasing use of sensors such as cameras (the Zuckerberg worry), that after-the-fact review of images is doable with recording mechanisms built into devices, and that there is a lack of metadata encryption. In fact, metadata needs to be unencrypted for devices to work, writes Personal Liberty, which has reviewed the Harvard study.
Metadata is data about data, which is used in call and email routing, for example.
And all of these activities can be done from afar.
Why would chip makers do this?
Paar says companies could introduce Trojans directly into the chip because of a willingness to help governments, although they'd do it at great risk because they could alienate customers if it were discovered. Paar uses the example of a Swiss company that created NSA-breakable encryption devices during the Cold War. The company lost the trust of customers, he explains.
That’s something Paar wants to explore: To what extent do companies find it hard to say no to governments, and why are companies motivated to provide the backdoors?
Paar comes up with some fascinating future-use scenarios that he wants to explore with his grant funding. They include how GPS coordinates could be made to switch chip-embedded intercepts on and off. “The Trojan would be activated only if the user was in a certain region,” Paar says.
Someone could also change the atom count in a chip transistor to add a backdoor, and it would be virtually undetectable, he says. Some chips have a billion transistors in them.
This article is published as part of the IDG Contributor Network.