The Trojan Stable: A Special Last Byte

Scott Davidson

The walls may not have ears but, unless the recommendations for hardware security and trust in this month's theme are followed, the picture frames hanging on the wall might.

When I first heard about the work on trustworthy hardware reported on in this edition of Computing Now, I was dubious. My model of the world included billion-dollar fabs and world-class designers working on processors and other large chips, and I couldn't see why any of them would risk their businesses to add a Trojan horse into a design. Then I thought about it some more and got scared.

Back 30 years ago, software came from a few trusted sources, often with source code, and experts loaded and ran it on computers. Even if there was a problem, the harm was limited because computers didn't talk to one another very well. That has all changed. First, the average consumer began to load software off of floppy disks; viruses got in, but could be easily traced to the source. Today software loads itself, and our high level of interconnectedness means that many consumers unknowingly own computers busy transmitting spam throughout the world.

We all know that software and hardware are basically equivalent, so this problem can be expected in hardware also. How? As more and more chips are included in consumer products, price pressures mean that they will be implemented using processes a few generations old, and produced at low-cost suppliers — exactly the kind where the risk of Trojan insertion would be highest. System designers of low-cost consumer products are unlikely to be sophisticated enough, or to have enough time and resources, to check for problems. So, the scenarios outlined here might well come to pass.

But, I am sure you are asking, who cares if someone hijacks my toaster?

Consumer products are going to be increasingly networked. We've read of smart refrigerators, which can tell what is inside and even how fresh it is. Perhaps these will go further, to find the lowest prices for the products you buy and print this information (and maybe coupons) to a network printer or to your smartphone.

But typing in a grocery list is a pain. My Droid lets me speak text messages and search terms, which is much faster. Your refrigerator will let you tell it your grocery list, instead of typing it.

With a microphone and Internet access, your hijacked refrigerator can become a spy, listening in on your conversations. If you think this risk is farfetched, you should be aware that a school system outside Philadelphia has been accused of spying on students using the webcams included in laptops given to each student.

The hijacker may not be able to include all the code for this in the shipped product. However, if he can convince the chip to download new firmware from his source, the refrigerator can be taken over for any number of nefarious purposes.

Multiply this by the number of net-connected devices that will be in the typical home ten years from now, and you have a serious problem. The walls may not have ears but, unless the recommendations in this edition of Computing Now are followed, the picture frames hanging on the wall might.

About the Author

Scott Davidson is a member of IEEE Design & Test of Computers' editorial board and Computing Now's advisory board. Contact him at scott.davidson@oracle.com.

 

 
