Cape Argus

Motherboards under threat

- LOUIS FOURIE, Professor and technology strategist. Professor Louis CH Fourie is an extraordinary professor at the University of the Western Cape.

WE have grown accustomed to the increasing phenomenon of the hacking of business computer systems and in some cases also private computers. Absa, the Department of Justice, Transnet National Ports Authority and, more recently, TransUnion are but a few South African examples of entities that were recently hacked and held at ransom.

If asked, most people would indicate that they understand “hacking” to be the exploitation of computer software vulnerabilities to inject malware or spyware into a computer network. The aim of the infiltration is often to acquire confidential information or cause serious damage.

However, computer systems hacking can also be done by using hardware, such as the modification of the printed circuit board of the computer or server. Already in 2018, Bloomberg reported that Supermicro motherboards (the clusters of microchips and circuitry on the circuit board of a computer) contained millimetre-size microchips with back doors that were secretly used by Chinese spy services to steal data.

The manufacturing of these Supermicro (a Taiwanese company) motherboards was outsourced to China, and the boards were eventually shipped to Apple, Amazon and other companies for use in their network servers.

For obvious reasons, the claim has been rejected by the companies involved and by the US Department of Homeland Security. However, experts all over the world, such as Theodore Markettos from the University of Cambridge, are convinced that the possibility of carrying out such an astonishing hack is very real. Over the years there have been several documented examples of such system-level attacks.

The Chinese company Huawei is one company that was more recently accused of similar tactics and the use of their 5G technology was banned from several countries for this very reason.

When a printed circuit board is designed, the printed circuit diagram, often with thousands of referenced components, is stored in two files used by manufacturers – a Gerber and a drill file. The Gerber file contains a schematic of the interconnections between components on the board, and the drill file the position of the holes in the board where the components will be inserted. More often than not, circuit boards include extra circuitry and empty component footprints for testing and debugging, or for various versions of the circuit board.

What probably happened in the Supermicro case was that the designs were tampered with and a spy chip or other malware components embedded in the circuitry to take control of certain data buses. Since components today are millimetres in size, malicious components are very difficult to detect. It could also have been that a maliciously altered version of a specific component was used, which makes it even harder to detect. This type of attack is very serious, since it uses seemingly legitimate components with hardware Trojans (malware that misleads users regarding its true intent).

It could even have been that the Gerber or drill files were altered before manufacturing. Since Gerber files can contain hundreds of thousands of lines, it is quite easy to change the design without being detected.

According to the Institute of Electrical and Electronics Engineers, a technical standardisation organisation, typical attacks usually access one of the data buses such as the SMBus (controlling the voltage and clock frequency), SPI bus (used by the BIOS or Basic Input/Output System that initialises hardware during boot-up), LPC bus (manages control and security functions), or high-speed buses, to damage and disable components, interfere with communication, or execute malicious code.

If a circuit board is distrusted, it can be analysed through a system developed by Mark Tehranipoor from the Florida Institute for Cybersecurity Research. The system uses optical scans, microscopy, X-ray tomography, and artificial intelligence to compare a printed circuit board and the various components with the original design stored in the initial Gerber and drill files. This process can also be done through manual confirmation by checking all components that lack a reference designator, ensuring that every reference designator is present in the schematic layout and parts list; focusing on the shape and size of component footprints (for example, the number of pins); and examining the unpopulated parts of the board.
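The manual confirmation steps listed above can be expressed as a cross-check between the parts list and an inspection record. The following is an added example, not part of the original article or of the Florida system; the data model, the finding names and the sample board are constructed for illustration.

```python
from collections import namedtuple

# Parts-list entry: footprint, pin count, populated on this board variant?
Part = namedtuple("Part", "footprint pins populate")
# Inspected component; refdes is None when no designator was found near it.
Seen = namedtuple("Seen", "refdes footprint pins xy")

def audit_board(bom, observed):
    """Return sorted (finding, subject) tuples for every deviation."""
    findings = []
    seen_refs = set()
    for c in observed:
        if c.refdes is None:
            findings.append(("no_refdes", f"{c.footprint}@{c.xy}"))
            continue
        seen_refs.add(c.refdes)
        part = bom.get(c.refdes)
        if part is None:
            findings.append(("not_in_parts_list", c.refdes))
            continue
        if (c.footprint, c.pins) != (part.footprint, part.pins):
            findings.append(("footprint_mismatch", c.refdes))
        if not part.populate:
            findings.append(("populated_empty_footprint", c.refdes))
    for ref, part in bom.items():
        if part.populate and ref not in seen_refs:
            findings.append(("missing_part", ref))
    return sorted(findings)

# Constructed sample data (hypothetical board, not from the article)
BOM = {
    "U1": Part("QFN-48", 48, True),
    "U2": Part("SOIC-8", 8, True),
    "R7": Part("0402", 2, True),
    "J3": Part("HDR-2x5", 10, False),   # debug header, left unpopulated
    "C12": Part("0402", 2, True),
}
OBSERVED = [
    Seen("U1", "QFN-48", 48, (10.0, 12.5)),
    Seen("U2", "SOIC-16", 16, (22.0, 12.5)),  # more pins than designed
    Seen("R7", "0402", 2, (5.0, 3.0)),
    Seen("J3", "HDR-2x5", 10, (40.0, 2.0)),   # footprint should be empty
    Seen(None, "0201", 2, (23.1, 14.0)),      # no designator on the board
    Seen("U9", "SOT-23-6", 6, (30.0, 8.0)),   # designator not in parts list
]

if __name__ == "__main__":
    for kind, subject in audit_board(BOM, OBSERVED):
        print(f"{kind:26} {subject}")
```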

A brand-new test, created by Huifeng Zhu from Washington University in the US and his colleagues, is called PDNPulse and analyses the power consumption of a printed circuit board to determine small variations in the “fingerprint” of power consumption, based on measurements at several points on the board.

The power consumption characteristics are inevitably affected by changes to the circuit board, no matter how small. In tests, the researchers were able to detect Trojan changes on several different circuit boards with 100% accuracy. Careful monitoring and measurement of the power consumption of a circuit board is therefore important, since it can expose hidden malicious devices that an attacker has installed to steal sensitive information or cause failures.

Hackers of computer networks and data will always find new innovative ways to illegally access computer systems as technology advances. By now, we understand malware reasonably well, but the exploitation of vulnerabilities in the printed circuit board is only now beginning to get some of our well-deserved attention.

Modern motherboards, with their thousands of minuscule components and intricate circuits, are quite vulnerable to exploitation, hacking, and other threats, especially because the manufacturing is often outsourced. This is a point of vulnerability where an attacker could insert malicious features to steal sensitive data or crash a device to cause disruption.

Businesses will have to tread carefully in the future by taking circuit board or hardware threats seriously, and by ensuring early detection and deterrence of attacks. As in the case of malware, heightened sensitivity, well-planned outsourcing processes and robust security measures are needed.
