
Ask HN: Can we trust our CPUs? - freeduck
There is allot of buzz around darknets and encrypted mesh-nets. But can we trust our hardware?
A modern computer contains allot of different CPUs or CPU like circuits. Is there any way to determine if any of these chips are &quot;Phoning home&quot;?
======
iuguy
Actually it's not the CPU you need to be worried about.

Earlier this year at 44Café in London I did a talk in which I dropped about 16
bugs in SuperMicro's IPMI BMC implementation (through the medium of a drinking
game), some of which were picked up by Farmer and Moore's recent research into
IPMI, some not[1]. The Baseboard Management Controller (BMC) is a completely
separate computer, often running unmaintained Linux firmware that has full
South-Bridge and i2c access to your computer's memory. Basically it has Direct
Memory Access (DMA) but your computer doesn't appear to going the other way
around (although I haven't investigated this yet).

The board I looked at ran an ARM chipset and a custom Linux distro built by an
OEM called ATEN[1] and customised by SuperMicro. It's not that the system
appears to be phoning home, it's more that there are a lot of bugs and
defaults in the implementation, and compromising this allows you to compromise
the underlying server.

For desktop and laptop systems you don't usually have IPMI, so no BMC. Instead
you have intel's iAMT which is very similar in some respects. There's some
really fantastic research done in this space by Patrick Stewin and Iurii
Bystrov[3] who have implemented a hardware keylogger. I've been in contact
with them and they've updated their work since publishing the paper and intend
to present the results at the 44CON[4] security conference in London this
September.

Again it's not a case of these chips phoning home per se but a non-well
documented nor well-publicised attack surface with real-world implications for
espionage and malware.

Disclaimer: I'm one of the co-founders and co-organisers of 44Con.

[1] -
[http://www.wired.com/threatlevel/2013/07/ipmi/](http://www.wired.com/threatlevel/2013/07/ipmi/)

[2] - [http://www.aten.com/IPMI.htm](http://www.aten.com/IPMI.htm)

[3] -
[http://stewin.org/papers/dimvap15-stewin.pdf](http://stewin.org/papers/dimvap15-stewin.pdf)

[4] - [http://www.44con.com/](http://www.44con.com/)

~~~
lrem
Isn't it a common practice to keep IPMI out of reach of the Internet? At the
time I worked with an ISP all management interfaces were connected to a
separate network and the only means of accessing it remotely was through a
VPN...

~~~
superuser2
Especially in a large company, it's not _that_ hard for a determined attacker
to get something plugged into a network jack. If the management network goes
to employee desks, then you can plug whatever you want into it.

Unless vPro is authenticating with 802.11x and you're actually using different
passwords for every management interface, a professional cold _probably_ find
his way onto that subnet.

------
unclebucknasty
I think concern about other points of compromise that would render encryption
less useful is very, very valid. Not sure about the CPU itself per se, and
perhaps it could be a combination of components, not to mention the firmware,
software, etc.

With all of the emphasis on endpoint encryption as a solution in particular, I
have been raising this concern. The NSA has already carved out an exception
that allows them to keep encrypted data forever as they attempt to crack it.
So, that reveals their determination to defeat protective measures. Why
wouldn't they attempt to build in other back doors at the
hardware/firmware/software level?

It just seems to me that too much emphasis on technical solutions to
government intrusions is not the right way to go. As a back-stop, technical
solutions like encryption are fine. But, why should we have to play cat-and-
mouse with our government to protect our privacy? This posture lets them off
the hook and esentially says, "if they can get your information, it's fair
game". We shouldn't have to look over our shoulders this way.

Instead, their activity should be outlawed and there should be legal
protection, such that whistleblowers like Snowden are considered heros instead
of criminals.

~~~
antocv
Finally someone said it.

Its also a game that we would loose against our own government/s, since we are
paying for all that - in effect working against ourselves from the start.

This is a sociological problem that cant be solved by technological means. If
people are fine with with their government fucking them over, no amount of
tinfoilhattery will suffice to change anything.

~~~
lukifer
Stockholm Syndrome is the norm, not the exception. I'm open to suggestions on
methods to fundamentally alter human nature.

~~~
wavefunction
You have to build a culture where this is unacceptable through laws that are
enforced with sufficient vigor. And as we've seen, you (the public) have to
keep constant vigilance for oversteps and "correct" those oversteps through a
process of holding government and private individuals accountable.

------
mkup
There's a microcontroller with ARCompact architecture inside Intel chipsets,
which has access to all devices, to the RAM, has its own network stack and
running custom real-time OS (ThreadX). All technologies actively advertised by
Intel such as Active Management, AntiTheft, Identity Protection, Rapid Start,
Smart Connect, Protected Audio Video Path - are powered by this controller.

More info:
[https://ruxconbreakpoint.com/assets/Uploads/bpx/Breakpoint%2...](https://ruxconbreakpoint.com/assets/Uploads/bpx/Breakpoint%202012%20Skochinsky.pdf)

So basically every desktop motherboard or notebook has a chip which runs
unknown software and has full access to your RAM and network interface.
There's something to worry about.

------
kryten
Any system of significant complexity be it hardware or software cannot be
trusted unless it is 100% open source both from the hardware level to the
software level and all systems that are used to manufacture it are open source
as well and the whole process has open oversight.

Even if you tape out a CPU and ship it to the fab, they _could_ still add
stuff before it is packaged.

In conclusion, no you can't trust anything we use today. Even Stallman's open-
everything laptop is open to compromise.

Pen, paper, box of dice, OTP or accept these facts.

~~~
antocv
That is why NSA has their own factory in which they produce their own chips
and computers, clean and (electronically) isolated place.

I believe any country worth its salt, such as China/Israel/Russia, has such a
capability - to produce their own chips and stack to work with, and they have
the capability to compromise/backdoor foreign/target hardware, as well as
methods to detect attempted tampering in their own for example military
hardware.

It would be too damn funny if a countries communications and/or military
hardware suddenly started acting "weird"/against them in case of a war?

~~~
hollerith
>NSA has their own factory in which they produce their own chips and computers

Citation or evidence?

~~~
DanBC
([http://www.militaryaerospace.com/articles/print/volume-9/iss...](http://www.militaryaerospace.com/articles/print/volume-9/issue-12/departments/cots-
watch/nsa-seeking-new-business-for-in-house-cmos-wafer-fab.html))

~~~
ippisl
Thanks.

That's from 1998 , when building fabs was cheap. I wonder what manufacturing
process their latest factory uses.

~~~
fnordfnordfnord
Bamford mentions it briefly in one of his books, either _The Puzzle Palace_ or
_Body of Secrets_. They've had chip fab capabilities for some time before the
1990's.

------
trotsky
Short answer is you can trust building block type components like CPUs if
they're designed by a company that is in the camp of the same nation
state/alliance that you align with as well. Very similar to the thought
process you would use when deciding if you can trust that guy over there with
a gun.

Theoretically the answer is no if you're talking about gear (say highly
integrated Socs) designed and fabbed in a country that has demonstrated a
trust issue or two with the folks that issue your passport.

Practically though this is one of the last things you should be spending time
worrying about assuming you're not currently engaged in global politics or
things that have a blast radius.

You can pretty much hide a semitrucks worth of nastyness inside any modern
chip these days. And while it wouldn't be impossible to find, it requires a
well financed effort to try.

But the real answer is you didn't really ask the right question. Computers
(and phones/etc etc) are so inundated with security holes between the endless
streams of bugs, opaque supply chains, exploitable design errors and a
pervasive belief that better security = less sales that there's simply no need
to go after the cpu, it's far cheaper and provides credible deniability to all
involved.

While I have no doubt there are at times intentional flaws introduced into big
name chip designs, any use of such things would be limited to extremely unique
circumstances as the blowback if discovered would be pretty damn apocalyptic
if you're talking say intel/ibm/oracle.

Anybody that's going to get at your data is ether going to convince you to
give it to them, or spend an hour or two and beat your software stack.

Even when the NSA testifies in congress to convince them to block telecom
mergers unless they get a clause barring zte/huawei gear it's primarily the
software stack that they're worried about. Even listening devices need point
releases from time to time.

------
wladimir
I'm not sure about CPUs. They don't have direct connections to the outside
world. If you want to distrust any hardware, it makes sense to focus on
communication peripherals such as network cards, wifi/gsm modems etc.

For example the baseband processors in phones contain a complicated firmware
of 16 MB+. This contains many hidden diagnostic modes on various subsystem
levels. Baseband processors have been known to be exploited remotely, and as
they have direct connection to the main CPU, giving full control over the
device, including GPS, camera etc.

There have also been bugs in wired networking hardware in which specially
crafted packets resulted in low-level crashes. It was not exploitable in the
cases I remember, but I'm sure someone persistent enough and with the right
skills may be able to find some.

None of these examples actually "phone home" in the classic sense, but my
point is that these peripherals have proprietary firmware that is hardly under
public scrutiny, and anything can be hidden in them.

~~~
andor
Also, if connected via PCI, networking hardware has direct memory access.
AFAIK most GSM modems are USB devices, though.

~~~
wladimir
Most GSM modems are part of SoCs. Indeed for USB dongles for your PC or laptop
it's different, but that's not the "baseband processor" I was talking about.
It would be somewhat harder to exploit the parent system through USB (at least
if the driver can be trusted), on the other hand it could temporarily pretend
to be a keyboard and storage device but that'd be very OS dependent.

------
yungchin
You might be interested in
[https://blogs.oracle.com/ksplice/entry/hosting_backdoors_in_...](https://blogs.oracle.com/ksplice/entry/hosting_backdoors_in_hardware)
\- they show that devices connected to the PCI bus can potentially modify your
kernel at boot time, without changing its on-disk signature.

------
etiam
I'm glad you raise the question freeduck. I was actually going to post
something like it once the more important discussion about opposing
surveillance by social and political means has got going properly (technical
solutions won't fix the deeper problem of authoritarian tendencies in
society). A few years ago I read about remote control by hardware in this
article: [http://www.tgdaily.com/hardware-opinion/39455-big-brother-
po...](http://www.tgdaily.com/hardware-opinion/39455-big-brother-potentially-
exists-right-now-in-our-pcs-compliments-of-intels-vpr)

Be sure to check the video linked at the end:
[http://www.youtube.com/watch?v=wlj7u3tOQ9s](http://www.youtube.com/watch?v=wlj7u3tOQ9s)

I don't know much about this myself but I'll be very interested to see the HN
community's take on to what extent we can trust out hardware.

------
conductor
This is a copy-paste of my comment from an older thread [0]:

[http://www.xakep.ru/post/58104/](http://www.xakep.ru/post/58104/) (use Google
Translate)

TL;DR

The author has found an undeclared software module (backdoor?) working as a
hyper-visor in the System Management Block chip on the South Bridge working
with Intel CPU with VT virtualization technology.

[0] -
[https://news.ycombinator.com/item?id=4462782](https://news.ycombinator.com/item?id=4462782)

------
anonymous
"Is there any way...?"

Generally, if you mean phoning home over the internet, yes! If you mean over
cellular networks, no.

To get things started, there should first be some "buzz" around kernelspace
packet filters. Because that is what you need to start using.

Computers running packet filter software are sometimes called "firewalls". But
that terminology does not promote much understanding among users who are not
also career network administrators.

If you are concerned with what your device is communicating over the public
internet, then you can monitor these communications first to confirm your
suspicions. And then, if necessary, you can exercise some control over it.

How? Run packet filter software in your OS's kernel. Numerous open source,
free OS's allow you to do this. And what does it cost? Nothing! With
commercial, proprietary OS's that are sold for money (which are often just
modified versions of open source free OS's) it may not be so easy. In fact,
they may make it impossible to do. Go figure.

With a packet filter, you can view and, if desired, block packets entering and
leaving your machine, according to your rules. Assuming you can get this set
up easily (and indeed you can), why would anyone not want to do this? You can
even use an old computer repurposed just to do packet filtering. Have your new
devices use it as a gateway.

For the avoidance of doubt, popular "firewall" software like ZoneAlarm or
whatever are not what I'm talking about. Those are userspace software.

"Can we trust hardware?"

In general, I'd say the more bundled it is, the less trustworthy it is. If you
cannot even open the enclosure let alone run your own OS (hello Apple), that's
not going to help users who want to "trust, but verify". Building your own
computer (think something like RaspberryPi) gives you freedom and more peace
of mind.

------
vacri
Wireshark or similar network sniffer. Any phone-home is going to require using
the usual channels to get out of your location to the general internet. Things
like TEMPEST require external sniffers; an autonomous agent will have to use
what is going to be available, and your modem isn't going to be transferring
custom protocols... and if it is, then the ISP's equipment probably wouldn't.
And if all three units are, well, things are worse than we could have
imagined, but you'd be talking about a conspiracy that would require the
silence of an incredible amount of people.

~~~
twoodfin
This is definitely a pure conspiracy theory, but there have to be hundreds of
readily usable side-channels for transmitting information out of a compromised
box that wouldn't show up in Wireshark unless you knew exactly what to look
for. Think biases in timings or not-so-random bits in client-generated TLS
values.

~~~
vacri
This is a good point, but remember also that those packets have to go
somewhere specific - the information may not be encoded in the bits, but in
the timing instead. This being said, the information still has to arrive at
its destination.

~~~
PavlovsCat
We're talking about an adversary that potentially taps and stores all traffic
at major endpoints worldwide. They packets have to go further than a few hops,
but not to a _specific_ destination, not necessarily.

Think taping a playing card to the spokes of a deaf person's bike. You won't
automagically hear it when they're riding it in the basement, but if they ride
through the streets, you'll know.

------
zamalek
I don't think you could fit enough transistors into a CPU die to do any form
of monitoring - you would need to basically have an incredibly complex
software package do it (which you could store on a ROM on the die). The only
problem with that is you would need to translate a set of machine code
instructions into an intent in real-time: we can't even do this offline (the
best we have is IDA, but that needs crazy amounts of human intervention). So
as far as the physical chip goes it's irrationally paranoid to worry about it.

However, Realtek, as a good example, love to home-grow their own [shitty]
protocols and hence always require drivers - so if you want to realistically
question whether or not your hardware could monitor you, looks at its
inseparable twin: drivers. They run in the kernel and have access to pretty-
much everything else on your system: no amount of UAC, sudo or whatever else
not will keep your data safe from it - and most users won't think twice when
installing them.

------
X4
Can someone please explain if this is true?

 __ _" Computers with particular Intel® Core™ vPro™ processors enjoy the
benefit of a VNC-compatible Server embedded directly onto the chip, enabling
permanent remote access and control."_ __

[http://www.realvnc.com/products/viewerplus/](http://www.realvnc.com/products/viewerplus/)

Because if it is true, then your CPU is a potential backdoor given that they
have a masterkey or masterpassword.

And I really don't understand how this can work when the computer is turned
off, any ideas??

~~~
lcedp
When you turn off computer through OS motherboard still stays powered. Later
it can wake up itself by bios alarm or wake-on-LAN or this VNC thing.

------
Proleps
You can always use a second device with different hardware to monitor your own
network traffic. If you don't fully trust that hardware use yet another device
with different hardware behind it :P

------
sehugg
It's certainly interesting to think about, at least:
[http://theinvisiblethings.blogspot.ru/2009/06/more-
thoughts-...](http://theinvisiblethings.blogspot.ru/2009/06/more-thoughts-on-
cpu-backdoors.html)

Given the huge downside of a CPU exploit leaking or being detected, I'd expect
them to be used very sparingly if at all. This XKCD comes to mind:
[https://xkcd.com/538/](https://xkcd.com/538/)

------
venomsnake
I think you cannot trust anything that is not behind an air gap and powered by
a source not connected in the general grid.

~~~
trotsky
That's the absolute truth. And given the vast array of high frequency
oscillators, high end dacs and software configurable pin reassignment, you
really need to include a pretty effective rf shield (say ~-40db over
~10kkhz-1.xghz) or go for something closer to an air moat than an air gap.

By the same token the only 100% trustworthy human is a dead one. But we trust
folks constantly and we're overwhelmingly better off for it.

------
flyinRyan
The answer is clearly, and obviously: no you can't trust CPUs, memory,
compilers, disassemblers, microcode or anything else.

The better question is: what is being done to address this? What _can_ be done
(are you going to trust an "open source" CPU producer who swears they have no
back doors?)?

------
Steve_NM
Intel actually sells the capability of most post-1st gen Intel processors
phone _home_ in a way that is transparent to the end user as a feature.

[http://intel.ly/14U14JW](http://intel.ly/14U14JW)

------
uptown
I've always wondered about those dirt-cheap USB devices sold on eBay. Seems
like an easy target for a malicious device masquerading as a USB hub.

------
mariuz
The only solution is opencore cpu based hardware

[http://opencores.org/donation](http://opencores.org/donation)

