How-to Pwn HMS Queen Elizabeth!

  • #20187
    Ed PEd P
    Participant
      @edps
      Forumite Points: 39

Actually of course I’m not even sure that the title is at all possible, but I just hope that the MOD (and others) read this article on subverting a low-level chip to do nasty things. I also hope that they strip the pension from the idiots who sold off all our chip manufacturing and failed to support ARM etc. as strategic British assets that no foreigner (including the Yanks) could own.

As the article title says, this is a demonically clever way of subverting a chip to insert a privileged backdoor. In theory I guess if you chose the chips that would be used to monitor exterior connections (be they Internet or even radio) it would be possible to make a certain electronic “door knock” open all!

#20201
Dave Rice
Participant
@ricedg
Forumite Points: 7

Hard to see how this will work in the field and especially on the Queen Elizabeth. The command and control systems won’t have an internet connected web browser for starters!

#20207
Ed P
Participant
@edps
Forumite Points: 39

The chip in question does not have to be on an Internet connected computer system, Dave; for example it could be on the radio or any other bit of electronic kit that has a connection to both the on-board and outside world and forms a part of the integrated system. That is the intrinsic nastiness of this potential exploit.

#20211
Dave Rice
Participant
@ricedg
Forumite Points: 7

“Every time a malicious program—say, a script on a website you visit—runs a certain, obscure command, that capacitor cell “steals” a tiny amount of electric charge and stores it in the cell’s wires without otherwise affecting the chip’s functions. With every repetition of that command, the capacitor gains a little more charge. Only after the “trigger” command is sent many thousands of times does that charge hit a threshold where the cell switches on a logical function in the processor to give a malicious program the full operating system access it wasn’t intended to have. “It takes an attacker doing these strange, infrequent events in high frequency for a duration of time,” says Austin. “And then finally the system shifts into a privileged state that lets the attacker do whatever they want.”

I cannot see how that would work attacking a warship. Where is the malicious script running from? The whole premise of someone knobbling the CPU die seems a bit far-fetched for this scenario too. They are careful of the provenance of what goes into critical systems; they don’t buy a job lot of CPUs from Alibaba.

From what little I know it seems like NASA: you don’t use anything that is even vaguely cutting-edge. Indeed it probably wasn’t even cutting-edge a decade ago. It’s proven, tried and trusted kit that’s been tested over and over and is thoroughly understood technology.
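The charge-accumulation trigger quoted above behaves like a leaky integrator: each execution of the rare instruction adds a little charge, and the cell leaks continuously, so only a sustained burst at a high enough rate ever reaches the threshold. The following model is an added illustration of that condition, not code from the article, the researchers or this thread; the charge, leak and threshold constants are assumed values chosen to make the effect visible, and the useful defensive takeaway is that a given leak rate fixes a minimum execution rate below which the trigger can never fire.

```python
"""Leaky-integrator model of the capacitor trigger cell quoted above.
Constructed for illustration; the charge, leak and threshold constants
are assumptions, not values from the article or the underlying paper."""

from dataclasses import dataclass


@dataclass
class TriggerCell:
    charge_per_hit: float = 1.0    # charge stolen each time the rare instruction runs
    leak_per_cycle: float = 0.02   # fraction of stored charge that leaks away per clock cycle
    threshold: float = 40.0        # level at which the cell flips the privilege logic
    charge: float = 0.0
    armed: bool = False

    def step(self, trigger_hit: bool) -> bool:
        """Advance one clock cycle: leak first, then add charge if the trigger ran."""
        self.charge *= 1.0 - self.leak_per_cycle
        if trigger_hit:
            self.charge += self.charge_per_hit
        if self.charge >= self.threshold:
            self.armed = True
        return self.armed


def simulate(gap: int, total_hits: int) -> tuple:
    """Execute the trigger instruction total_hits times, once every `gap` cycles.
    Returns (armed, cycle at which the cell armed, or -1 if it never did)."""
    cell = TriggerCell()
    hits_done = 0
    cycle = 0
    while hits_done < total_hits:
        hit = cycle % gap == 0
        if hit:
            hits_done += 1
        if cell.step(hit):
            return True, cycle
        cycle += 1
    return False, -1


def peak_charge_at_gap(gap: int) -> float:
    """Steady-state charge reached by an endless stream of hits every `gap` cycles.
    If this is below the threshold the cell can never arm at that rate, however
    long the stream continues: that is the 'high frequency' requirement."""
    cell = TriggerCell()
    retained = (1.0 - cell.leak_per_cycle) ** gap   # fraction surviving between hits
    return cell.charge_per_hit / (1.0 - retained)


if __name__ == "__main__":
    print(simulate(gap=1, total_hits=200))    # back-to-back hits arm the cell
    print(simulate(gap=50, total_hits=200))   # same number of hits, spread out: never arms
    print(peak_charge_at_gap(1), peak_charge_at_gap(50))
```

With these constants the same 200 executions arm the cell when they are back to back but never do when spaced 50 cycles apart, because the peak charge at that spacing (about 1.6) sits far below the threshold.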

#20215
Ed P
Participant
@edps
Forumite Points: 39

Dave, this was just a thought exercise; in my initial sentence I said that I doubted if it was possible. However, with nearly every controller having a PIC chip or some form of intelligence that can be compromised (say after a number of clock cycles pass), it would have required a verification that every bit of electro-mechanical equipment certifies that all its components come from verifiable sources and don’t, for example, have an Apple logo on them (a generic reference for a company that sources from China); you could just as well substitute Intel’s OEM locations in Turkey or Israel as ones that are also open to compromise.

The advent of Software Defined Radio raises new possibilities in ways of breaching a diode-protected* system. (It was recently discovered that a system commonly used within nuclear power plant control systems has a built-in, hard-coded backdoor!)

In the same way Stuxnet was a multilevel, multi-system attack, I cannot imagine that any diode system breach will be accomplished by a single system being compromised.

*diode-protected: information flow is one way only.

[edit] If a ship’s radio system is compromised the ‘script’ or code could come from anywhere in the world. There were for example rumours that Russia had done something similar to the Donald Cook, an Aegis destroyer, in the Black Sea.

#20223
Richard
Participant
@sawboman
Forumite Points: 16

From a cursory reading of the linked account, every chip that rolled off the production line would feature the same ‘undocumented feature’. While very clever in its concept and perhaps its theoretical execution, manufacturers have enough trouble trying to make chips work reliably ‘as designed’. I am less than clear how a ‘simple’ addition to the in-production silicon would ensure the avoidance of unexpected interactions during the chip’s lifetime. If the objective was to slip these dodgy chips into specific products, how would that be achieved? How would the miscreant know which devices to contact or how to get their script loaded? In practice it sounds to need something like a small army of helpers, not some lone genius. It would appear likely to have an application if shoehorned into, say, ATM machines.

Perhaps it is an argument in favour of manufacturers maintaining clean master mask copies and ensuring the production masks comply with the master. Or is this aimed at specific limited-scale chips, and not really at mass production CPUs? I would like to think that they were produced in cleaner conditions, but note that the US staff vetting, supervision and management does appear to leave everything to be desired.

Dave, as I heard, NASA was bulk buying second-hand 486 chips a few years back; they were only interested in job lots of tens or maybe hundreds of units, so I lost interest when I scrapped a few old machines from various cupboards. I understand much the same position applies with aeroplane makers, with both types tending to run highly specific proprietary code. I am aware that some small plane makers may follow other routes including the use of more ‘mainstream’ operating systems.

#20225
Ed P
Participant
@edps
Forumite Points: 39

Richard, any mask verification would have to be an automated process; even the mask for a Ryzen chip is quite mind-blowing, especially when it is noted that the design is 3D with interconnections across layers.

My point was not really aimed at the how-to-do-it but at the potential dangers that arise from putting strategic resources under the control of not always friendly third parties. In the same way the French reputedly built in ways of ensuring that Exocets were not used against them, it would not be beyond imagination to assume that foreign powers will try and subvert things they have within their manufacturing control.

I obviously have no idea how the Russians zapped the Donald Cook, but subverted Chinese chips could be one avenue of attack.

Stuxnet was unusual in that the US wanted to make their attack undetectable and deniable. A military situation just needs a ‘crash & burn’ piece of code; in fact it should not be subtle! For example, setting the engine turbines to overspeed would probably be just a couple of PICs that needed to be zapped, so an ‘army of helpers’ would not be needed.

#20230
Richard
Participant
@sawboman
Forumite Points: 16

Yes, verification would essentially be an automation, dare I say a robotic task – though that could also be subverted if it was tried sufficiently keenly.

The injection of the well-known FUD into anything is well understood; it was a main plank of IBM’s sales pitch when Noah was in short trousers. The use of fifth columnists to build your defensive capabilities is clearly daft – I would suggest any and all non home group territories fall into that camp. Mind you, the USA vetting, supervising and management of their own resources reminds me of using open doors, windows and roofs as security barriers.

#20232
Ed P
Participant
@edps
Forumite Points: 39

A minor divert, because I found this tale of making a home-made integrated circuit chip of educational value to me. Even though this was a very simple IC, it used no less than four masks, which I guess only make sense when you overlay them and figure out which layers are additive and which subtractive. It makes the process of surreptitious malicious changes not so far-fetched as may at first appear.

#20242
Dave Rice
Participant
@ricedg
Forumite Points: 7

The whole premise takes so many steps I think it’s in Occam’s razor territory. There are more plausible ways to achieve a similar result, i.e. the disruption of a critical system.
