1

Background:

A nice Chinese based manufacturer (AllWinner Technology Co.Ltd) produces very useful SoC used boards that often claim to be open source hardware.

Question:

If need be is there by way of logic and testing a way to find out or at least estimate if there are hardware backdoors on the device.
My understanding here of a backdoor is anything inside the electric/logic scheme of the SoC designed with the purpose to coduct an attack.

What this question is looking for is at best a most comprising list of concepts/approaches that have been used for testing against backdoors in hardware.

Remarks: I am aware that the question appears hilarious and that by the nature of being very very very small structures any looking into the device is rather impossible. Yet for instance in another case of Blue Pill rootkits some people suggested some concept for testing which involved executing code that would by design demand a certain predetermined duration to be executed which can be compared to extern stop-watch measured time source for comparision. So maybe there it has been thought of to have a set of testing applications that have expected results by way of the specifications stated by the hardware (i.e. that the CPU type is ARMv7) and which can be tested. I do not want to rule out any backdoor but find a way to at least reduces risks and gather more Security. I did not intent to showcase the AllWinner as something I expect a backdoor. But I have been told that the hardware they produce is open source and hence expect i.e. better backdoor testability.

humanityANDpeace
  • 1,412
  • 1
  • 12
  • 24

1 Answers1

3

You'd probably have to go around a lot of places to get anything specific, but since you are talking about hardware-based exploits, you're going to want to look for physical bugs. There's a great article I read from spiderlabs about some stuff like this: http://blog.spiderlabs.com/2014/03/detecting-surveillance-state-surveillance-part-1-hardware-impants.html

There are probably a LOT more on the internet, but a lot of looking for them involves searching for unaccounted radio transmissions if I recall.

Edit: As far as testing for specific backdoors only on ANY piece of hardware, that may be impossible.

Desthro
  • 1,007
  • 5
  • 5
  • thanks for the pointing the finger to the more easily detectable hardware backdoors here. I did not expect this but surely a great hint. – humanityANDpeace Oct 10 '14 at 16:57
  • Yeah, I'd assume for anything to be a "backdoor" installed on a piece of hardware, it would need some way of communicating externally, IE: Radio, OR if you install a driver, the driver may compromise your system and communicate through whatever network devices you have available. Tricky stuff. – Desthro Oct 10 '14 at 17:01
  • thank you! That holds true for certain types of attack scenarios (i.e. those where you seek to get data access). If the goal was simply (and bad enough) to brick the device upon reception of a series of data bytes not much output communication needs to take place. Also there are surely other attack types. – humanityANDpeace Oct 10 '14 at 17:11
  • That would be very unfortunate indeed, though destroying a device seems to leave very little to gain from the cost of developing such a piece of hardware and implementing or deploying it widely. – Desthro Oct 10 '14 at 17:47
  • slightly related [Is there an industry term for IC “drop-in” circuits used for malicious or clandestine purposes?](https://electronics.stackexchange.com/q/420242/102305) – uhoh May 15 '19 at 08:54