In “Live Free or Die Hard,” Bruce Willis, as rogue hero John McClane, saves the world from a cyber terrorism attack.
The movie pokes fun at hackers living in their mothers’ basements, and portends what would happen if someone shut down the electrical grid.
While the plot may seem far-fetched, cyber attacks are a very real threat, and there has been a lot of talk lately about how to prevent and respond to cyber terrorists.
But what about attacks on the devices we use to access the Internet? They’re not only vulnerable to threats online; the devices could face attack during production.
“Is it a national security issue – yes, very much so,” said Paul Rosenzwieg, a homeland security consultant and former deputy assistant secretary for policy at DHS. “I think that some in the intel community are more worried about hardware intrusions than software.”
Many of America’s biggest names in electronics hardware manufacture their products overseas including Apple, Motorola, Dell and Xerox.
What if someone were to alter a one of those devices to record keystrokes, audio or video?
“During manufacture, the hardware is totally out of our control,” Rosenzweig said.
Roger Johnson, a physical security expert at Argonne National Laboratory, said it would be easy to do and difficult to detect, especially with keystroke recorders.
“You can buy those and just plug them in,” Johnson said. “They don’t have to plug it in externally. It could be inside the computer.”
Unless the person installing it did a careless job of soldering, it probably wouldn’t be noticeable either.
“You’d have to open the computer and know what you’re supposed to be seeing and see if there’s anything different,” he said. “If they’ve gone to the effort of making it look professional, you could be in some trouble.”
Johnson said empty space invites foreign objects. “Any time anyone can put other electronics inside, it’s a bad thing,” he said.
Cell phones would be more of a challenge. “Modern smart phones aren’t easy to pop open and tamper with,” Johnson said. “In theory, it’s possible.”
Microchips – electronic circuits that are essentially the brain of a device – are a major concern and checking for evidence of tampering could be nearly impossible, according to Johnson.
“If you didn’t design the chip, you’re not sure what’s out of the ordinary,” he said. “It’s a real problem when we get these electronics and we’re not sure what’s been put in there.”
Rosenzweig agrees. “My own view is that this isn’t a problem that can be ‘solved,’” he said. “The benefits of using off the shelf technology are too great, so we will only be able to insist on US manufacturing of chips for the most hyper critical systems.”
For the rest, Rosenzweig said risk management is key and we need to know who is building the chips and audit whether or not there is a possible threat.
Differences in international regulations also cause issues, according to Johnson. “Many of these companies aren’t bound by US law,” he said.
Johnson said the U.S. might not be prepared to check for signs of foul play. “When stuff is made elsewhere, there are not a lot of useful protocols to check to see if they’ve been tampered with,” he said.
But that doesn’t mean the government is ignoring the issue.
“This is a serious and significant issue of concern to the Federal government,” Rosenzweig said. “Securing the supply chain against hardware intrusion was one of the 12 priorities identified in the Comprehensive National Cybersecurity Initiative.”