Those who understand Turing’s Theorem know that computers are ultimately all vulnerable to virtually undetectable errors and fraud. A new report reminds us just how much worse it is than we think: Wired: Hundreds of Millions of PC Components Still Have Hackable Firmware <read>
That laptop on your desk or that server on a data center rack isn’t so much a computer as a network of them. Its interconnected devices—from hard drives to webcams to trackpads, largely sourced from third parties—have their own dedicated chips and code. That represents a serious security problem: Despite years of warnings, those computers inside your computer remain disturbingly unprotected, offering an insidious and nearly undetectable way for sophisticated hackers to maintain a foothold inside your machine.
That’s the helpful reminder provided by new research from security firm Eclypsium, which today released a report on components and PC peripherals connected to and inside of hundreds of millions of computers around the world. Eclypsium researchers found that a slew of network cards, trackpads, Wi-Fi adapters, USB hubs, and webcams all had firmware that could be updated with “unsigned” code that lacks any cryptographic verification. In other words, it could be rewritten without any security check.
You should be aware and concerned with you phone, laptop, camera, car, or basically anything that has software, firmware, or is connected to the Internet.
But what about, for instance, Connecticut’s AccuVoteOS voting machines and risks beyond the supply chain. Many tout that our machines are simple, do not use Windows, and therefor not subject to well-known vulnerabilities. Yet they do contain a computer, internal firmware, and are used with programmable memory cards. Known vulnerabilities such as the Hursti Hack. That simplicity and rare, obscure programming makes them hackable, simply hackable, and makes the expertise to hack them seemingly rare as well.
We doubt election officials in Connecticut observe closely when the machines are serviced by the vendor. We know that physical security for our machines (and ballots) is weak, very weak. In most towns, multiple lone individuals can access them for hours undetected. In a few seconds firmware can be swapped, that looks just like the original.
Many argue that expertise to modify that firmware is rare in election officials, perhaps in vendor staff. That is far from true. All that is needed is one individual with that expertise (I guarantee there are many, and its easy for many more to learn that skill.). The person with access does not need that skill. All they need are the compromised chips, or memory cards. If they have evil intent or are threatened they can do they deed, if necessary get one of those jobs.
