
The recent news item "Chinese Star N9500 Android smartphone contains factory-installed Trojan, says security firm" has prompted me to think about firmware security. The news mentions the spyware is part of the device's firmware.

This makes me worry: How can I detect when firmware is stealing my information? What can I do to mitigate this problem?

I'm worried about cell phones (Android) and routers. Does someone have some information regarding detection programs?

[Edit]: The reason I ask is that I am considering a router from a Chinese brand, which would cost much, much more if it were from another brand. It is from Mi.com. The router costs 699 RMB (about 112 USD) and includes a 1TB 2.5-inch hard drive. The price is very attractive, but I am worried that my information may not be secure.

David

  • Decompile and reverse engineer the firmware – Lucas Kauffman Jun 23 '14 at 05:04
  • It's probably better to buy a Chinese router, since that one will only have the Chinese malware. A router from a US company will be produced in China as well (with the same malware), but will have NSA malware _in addition_. In the end, there's nothing you can do about it anyway, since you have hardly any way of preventing the firmware from doing evil things (or even knowing about it!). – Damon Jun 23 '14 at 10:41
  • I wouldn't really care about the company's nationality. China has a lot of people and companies and they aren't all the same. I would care more about the company. – Ramchandra Apte Jun 23 '14 at 12:29
  • I don't believe a router can easily steal your information if you are connecting securely (for example, through https). – Quora Feans Jun 23 '14 at 18:37
  • Try installing Firefox in China, it comes with non-removable plugins allowing remote access, remote screenshots and reading passwords ;) – BlueCacti Jun 23 '14 at 23:31
  • @lucas have you read the EULAs of, say, Microsoft products? Sounds like an unconditional no-rev-eng to me. – Simon Kuang Jun 24 '14 at 06:13
  • Since when are EULAs legally binding contracts? They are by far not always enforceable. – Lucas Kauffman Jun 24 '14 at 06:37
  • At https://www.telefoniert-nach-hause.de there's a wiki set up for documenting devices which "phone home". Unfortunately it's only in German and also somewhat unorganized, but it's generally a possible starting point for finding out if somebody else has already analyzed a device. I'm not aware of a similar site in English. – oliver Jun 24 '14 at 15:53

4 Answers


You could use a tool like Wireshark to analyze your outbound traffic (you need to be upstream of the device) and look for unexpected/suspicious outbound traffic. Of course, it could be infrequent or only triggered by certain activities, so you'd need a large volume of data to analyze. And you'd need to be able to analyze (at least traffic analysis) the encrypted traffic as well as plaintext.

Alternatively, you can dump the flash of your devices and reverse-engineer the firmware in the devices. Of course, you'll need to consider all the firmware:

  • Cell Phone
    • Android OS & Apps
    • Bootloader
    • Baseband (GSM/LTE)
    • Bluetooth
    • Wifi Controller
  • Router
    • Router OS (Linux, VxWorks, RouterOS, JunOS, iOS, etc.)
    • Wifi Controller
    • Modem (if applicable)

And don't get me started on a laptop or desktop...

So, long story short, you're talking about a project of immense proportions, something that's one of the big open questions in security. How do we trust the hardware? See all the stories about NSA implants and the questions for enterprises trying to secure their infrastructure.

Depending on your threat model, you might be able to find some things, but it's nearly impossible to be sure there's nothing unless you're making all your own chips & software.

David

  • Ah. That means even if I do serious hunting, unless I am willing to spend a lot of time, I may not be able to find anything! So this turns out to be whether you trust the hardware or not... – Just a HK developer Jun 24 '14 at 04:15
  • I think this would be a really interesting university project for a CS undergrad. I'm sure that Wireshark output could be filtered down enough to produce significant findings (or not, depending). One might write a Wireshark monitoring program that collects and groups data, looking for interesting/dangerous usage patterns/anomalies. Maybe one could even throw in some fancy graphs. I think professors would like that :P If I didn't already have a project planned, something like this would definitely be it! – Chris Cirefice Jun 24 '14 at 06:01

The threat of firmware being compromised has been around for a decade. The entire point of doing so is to compromise a machine at a level that cannot be scanned from the operating system. It is even below the kernel level of the operating system. You would need to analyze it with an outside system to determine that the compromise was coming from the firmware. It wouldn't surprise me if the security company who analyzed the phones had to completely disassemble them to determine that the trojan had been baked into the firmware.

The only way you could actively determine if your phone was compromised without all of that would be to install some form of security software (i.e. firewall and anti-virus) on your phone that would monitor and stop suspicious behavior, and then consistently monitor the logs. It might take you two or three rounds of resetting the phone to factory defaults to determine that it has been compromised at such a deep level.

The anti-virus is also hindered by the fact that it can only stop behavior that it recognizes. If the malware installed is not known to the companies writing the software, then it won't be able to stop it. Also, the firewall wouldn't hinder any programs from contacting the internet that you have given permission to do so.

Android is currently the least secure phone operating system. Period. It is also the most targeted and exploited.

For your router and your network, the same protections apply in terms of firewalls and anti-virus, but you can also set up a packet capture system to capture sample packets of everything leaving your network. It might not stop the compromise, but you can determine what information has been compromised, what systems and ports it originated on, and proceed from there.

tk1974

  • AV and firewalls probably wouldn't help either, if the compromise is in the firmware. The OS depends on the system to tell it what's going on, and the firmware can make the system lie. Particularly if the hardware was designed to allow that type of behavior. And network activity at that level would bypass pretty much any firewall rules at the OS level or above. – cHao Jun 23 '14 at 18:56

For anything other than a phone, I would argue for a less incredibly difficult, combined solution.

If it were anything but a phone, such as a router or laptop/desktop, a useful method would be to have system network logging performed by a tool at the lowest level the system permits, or even by a fake "switch" (proxy) in between the system and the router. At the same time, use a tool that captures and logs all information coming out of the router. Then, compare the two logs - what's going into the router vs what's coming out. Or, at a system level, what the system log says was going out vs what really went out (thus exposing what the firmware was hiding).

Anything the device in question is sending out that was not requested is thus suspect - and any information which changed in unexpected ways.

What makes the phone issue so much trickier is that getting upstream, or capturing all incoming and outgoing traffic, is vastly more expensive and difficult. With a wired networking device one has options, but with a phone - it's a good thing security firms are willing to put in such effort!

As to testing your desired router, however, I am aware of no simple tool or software/hardware paired solution that lets you do this all without considerable low-level knowledge and effort.

BrianH

As can be understood from David's excellent answer, the idea of actually verifying that the proprietary firmware of a device such as a phone is not/never taking your information, or capable of doing so on request, is such a massive undertaking as to be nearly a ludicrous proposition.

The 'Stallman solution' would make this verification easier as source code is more humanly readable. Take a look at Tomato/OpenWRT for routers or the as yet not complete Replicant project for Android phones.

The hope of the free software/open source movements is that someone else has already done this analysis (and done it competently/completely) so you don't have to. At least the backdoors here need to be disguised as mistakes to pass the maintainer and/or team, unless they are malicious or have their machine(s) compromised.

Then you only need to worry about the hardware...

JKAbrams