{"id":63646,"date":"2018-11-01T19:00:57","date_gmt":"2018-11-01T23:00:57","guid":{"rendered":"https:\/\/newsroom.carleton.ca\/?post_type=cu_story&#038;p=63646"},"modified":"2025-08-19T09:37:34","modified_gmt":"2025-08-19T13:37:34","slug":"hardware-security-vulnerabilities","status":"publish","type":"cu_story","link":"https:\/\/carleton.ca\/news\/story\/hardware-security-vulnerabilities\/","title":{"rendered":"Don\u2019t trust your hardware: Why security vulnerabilities affect us all"},"content":{"rendered":"\n<section class=\"w-screen px-6 cu-section cu-section--white ml-offset-center md:px-8 lg:px-14\">\n    <div class=\"space-y-6 cu-max-w-child-max  md:space-y-10 cu-prose-first-last\">\n\n        \n                    \n                    \n            \n    <div class=\"cu-wideimage relative flex items-center justify-center mx-auto px-8 overflow-hidden md:px-16 rounded-xl not-prose  my-6 md:my-12 first:mt-0 bg-opacity-50 bg-cover bg-cu-black-50 pt-24 pb-32 md:pt-28 md:pb-44 lg:pt-36 lg:pb-60 xl:pt-48 xl:pb-72\" style=\"background-image: url(https:\/\/carleton.ca\/news\/wp-content\/uploads\/sites\/162\/conversation-circuit-board-1200w-1.jpg); background-position: 50% 50%;\">\n\n                    <div class=\"absolute top-0 w-full h-screen\" style=\"background-color:rgba(0,0,0,0.600);\"><\/div>\n        \n        <div class=\"relative z-[2] max-w-4xl w-full flex flex-col items-center gap-2 cu-wideimage-image cu-zero-first-last\">\n            <header class=\"mx-auto mb-6 text-center text-white cu-pageheader cu-component-updated cu-pageheader--center md:mb-12\">\n\n                                    <h1 class=\"cu-prose-first-last font-semibold mb-2 text-3xl md:text-4xl lg:text-5xl lg:leading-[3.5rem] cu-pageheader--center text-center mx-auto after:left-px\">\n                        Don\u2019t trust your hardware: Why security vulnerabilities affect us all\n                    <\/h1>\n                \n                            <\/header>\n        <\/div>\n\n                    <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"absolute bottom-0 w-full z-[1]\" fill=\"none\" viewbox=\"0 0 1280 312\">\n                <path fill=\"#fff\" d=\"M26.412 315.608c-.602-.268-6.655-2.412-13.524-4.769a1943.84 1943.84 0 0 1-14.682-5.144l-2.276-.858v-5.358c0-4.876.086-5.358.773-5.09 1.674.643 21.38 5.84 34.646 9.109 14.682 3.59 28.935 6.858 45.936 10.449l9.874 2.089H57.322c-16.4 0-30.31-.16-30.91-.428ZM460.019 315.233c42.974-10.074 75.602-19.88 132.443-39.867 76.16-26.791 152.063-57.709 222.385-90.663 16.7-7.823 21.336-10.074 44.262-21.273 85.004-41.688 134.719-64.193 195.291-88.413 66.55-26.577 145.2-53.584 194.27-66.765C1258.5 5.626 1281.34 0 1282.24 0c.17 0 .34 27.596.34 61.3v61.299l-2.23.375c-84.7 13.718-165.93 35.955-310.736 84.931-46.494 15.753-65.427 22.076-96.166 32.15-9.102 3-24.814 8.198-34.989 11.574-107.543 35.954-153.008 50.422-196.626 62.639l-6.74 1.876-89.126-.054c-78.135-.054-88.782-.161-85.948-.857ZM729.628 312.875c33.229-10.985 69.248-23.523 127.506-44.207 118.705-42.223 164.596-57.709 217.446-73.302 2.62-.75 8.29-2.465 12.67-3.751 56.19-16.772 126.94-33.597 184.17-43.671 5.07-.91 9.66-1.768 10.22-1.875l.94-.161v170.236l-281.28-.054H719.968l9.66-3.215ZM246.864 313.411c-65.041-2.251-143.047-12.11-208.432-26.256-18.375-3.965-41.73-9.538-42.202-10.074-.171-.214-.257-21.38-.214-47.046l.129-46.618 6.654 3.697c57.313 32.043 118.491 56.531 197.699 79.143 40.313 11.521 83.459 18.058 138.669 21.059 15.584.857 65.685.857 81.14 0 33.744-1.876 61.306-4.93 88.396-9.806 6.396-1.126 11.634-1.983 11.722-1.929.255.375-20.48 7.769-30.999 11.038-28.592 8.948-59.288 15.646-91.873 20.147-26.36 3.59-50.015 5.627-78.35 6.698-15.584.59-55.209.59-72.339-.053Z\"><\/path>\n                <path fill=\"#fff\" d=\"M-3.066 295.067 32.06 304.1v9.033H-3.066v-18.066Z\"><\/path>\n            <\/svg>\n            <\/div>\n\n    \n\n    <\/div>\n<\/section>\n\n<h4 id=\"this-article-was-originally-published-by-the-conversation-in-2018\" class=\"wp-block-heading\"><em>This article was originally published by The Conversation in 2018.<\/em><\/h4>\n\n\n\n<p>A few weeks ago, <a href=\"https:\/\/www.bloomberg.com\/news\/features\/2018-10-04\/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies\" target=\"_blank\" rel=\"noopener noreferrer\">Bloomberg reported that China was spying on American tech firms<\/a>, including Apple and Amazon, by installing secret microchips on server boards during the production process. These hardware <em>trojans<\/em> are, like the Greek horse used to sneak in soldiers, designed to appear harmless while in actuality they perform secret malicious operations.<\/p>\n\n\n\n<p>The named tech firms have <a href=\"https:\/\/www.cnbc.com\/2018\/10\/19\/apples-tim-cook-calls-for-retraction-on-chinese-spy-chip-story.html\" target=\"_blank\" rel=\"noopener noreferrer\">denied this report<\/a>; at the moment, we have no way of knowing who is right. If true, this is potentially the greatest malicious hardware security breach we\u2019ve seen. If not true, well\u2026 there are still enough hardware security vulnerabilities to go around.<\/p>\n\n\n\n<p>Earlier this year, the <a href=\"https:\/\/meltdownattack.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Spectre\/Meltdown bug was disclosed<\/a>. This security vulnerability affects virtually every processor, from those powering consumer computers to company servers, and it allows malicious code to access potentially confidential information. This was a fault in the hardware design: software <em>patches<\/em> (updates intended to correct the fault) were made available soon after and, officially, with negligible performance impact (<a href=\"https:\/\/www.extremetech.com\/computing\/264796-recent-intel-cpus-take-performance-hit-spectre-meltdown-patches\" target=\"_blank\" rel=\"noopener noreferrer\">it\u2019s not really negligible<\/a>).<\/p>\n\n\n\n<p>But this doesn\u2019t affect <em>you<\/em> directly, apart from a slightly slower computer\u2026 or does it?<\/p>\n\n\n\n<h2 id=\"microprocessors-are-everywhere\" class=\"wp-block-heading\">Microprocessors are everywhere<\/h2>\n\n\n\n<p>The average person interacts with scores of microprocessors every day. This does not include the servers and internet routers that process your email and social media: think closer to home. You likely have a smartphone and a personal computer or tablet.<\/p>\n\n\n\n<p>Perhaps an Amazon Echo or another smart speaker? An electronic <a href=\"https:\/\/www.protectamerica.com\/home-security-blog\/safe-and-sound\/ring-doorbell-hack_25196\" target=\"_blank\" rel=\"noopener noreferrer\">doorbell or intercom<\/a>? Your car alone, if less than ten years old, has dozens of processors responsible for everything from controlling the radio to acting on the brakes. A Spectre\/Meltdown-like bug <a href=\"https:\/\/www.wired.com\/2015\/07\/hackers-remotely-kill-jeep-highway\/\" target=\"_blank\" rel=\"noopener noreferrer\">on your car\u2019s breaks<\/a> is a frightening thought.<\/p>\n\n\n\n<p>These bugs occur because hardware design is <em>hard<\/em>. As part of <a href=\"http:\/\/sigbed.seas.upenn.edu\/archives\/2014-06\/VtRes_7.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">my research<\/a>, I\u2019ve had to design and implement processors. Making them work is challenging enough, but ensuring they are secure? Exponentially harder.<\/p>\n\n\n\n<p>Some might remember that in 1994, Intel had to <a href=\"https:\/\/www.techradar.com\/news\/computing-components\/processors\/pentium-fdiv-the-processor-bug-that-shook-the-world-1270773\" target=\"_blank\" rel=\"noopener noreferrer\">recall a line of buggy processors<\/a>, costing them millions of dollars. This was a case where the best chip designers in the world produced a flawed chip. Not a security vulnerability, just an incorrect result on some operations.<\/p>\n\n\n\n<p>This is much easier to detect and correct than a security vulnerability, which is often incredibly nuanced \u2014 those interested in reading more about the Spectre\/Meltdown exploit will see it\u2019s a very, very <a href=\"https:\/\/meltdownattack.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">sophisticated attack<\/a>. Last year, a cybersecurity researcher found several undocumented instructions on an Intel i7 processor. Instructions are the atomic operations a processor can perform: for example, adding two numbers, or moving data from one place to another. Every program you run likely executes thousands or millions of instructions. The discovered ones are not disclosed on the official manual, and for some, their exact behaviour remains unclear.<\/p>\n\n\n\n<figure><iframe loading=\"lazy\" frameborder=\"0\" height=\"407\" src=\"https:\/\/www.youtube.com\/embed\/KrksBdWcZgQ?wmode=transparent&amp;start=0\" width=\"688\"><\/iframe><\/figure>\n\n\n\n<p>The processor you own and use can do things the vendor doesn\u2019t tell you about. But is this a documentation issue? Or a genuine design flaw? Intellectual property secret? We don\u2019t know, but it is likely another security vulnerability waiting to be exploited.<\/p>\n\n\n\n<h2 id=\"the-vulnerabilities-of-hardware\" class=\"wp-block-heading\">The vulnerabilities of hardware<\/h2>\n\n\n\n<p>Why is hardware so fundamentally unsafe? For one, security is an aspect that is often overlooked in an engineering education across the spectrum from hardware to software. There are so many tools, concepts, paradigms that students must learn, that there is little time to include security considerations in the curriculum; graduates are expected to learn on the job.<\/p>\n\n\n\n<p>The side effect is that across many industries, security is considered the cherry on the cake rather than a fundamental ingredient. This is, fortunately, beginning to change: cybersecurity programs are <a href=\"https:\/\/www.mastersportal.com\/study-options\/269353245\/it-security-canada.html\" target=\"_blank\" rel=\"noopener noreferrer\">popping up across universities<\/a>, and we are getting better at training security-conscious engineers.<\/p>\n\n\n\n<figure class=\"wp-block-image align-center zoomable\"><a href=\"https:\/\/images.theconversation.com\/files\/242825\/original\/file-20181029-76405-81ak0d.jpg?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=1000&amp;fit=clip\"><img decoding=\"async\" src=\"https:\/\/images.theconversation.com\/files\/242825\/original\/file-20181029-76405-81ak0d.jpg?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=754&amp;fit=clip\" alt=\"\"\/><\/a><figcaption class=\"wp-element-caption\"><span class=\"caption\">A man works in front of three screens in a dark room. (<a class=\"source\" href=\"https:\/\/unsplash.com\/photos\/9SoCnyQmkzI\" target=\"_blank\" rel=\"noopener noreferrer\">Jefferson Santos\/Unsplash<\/a>, <a class=\"license\" href=\"http:\/\/artlibre.org\/licence\/lal\/en\" target=\"_blank\" rel=\"noopener noreferrer\">FAL<\/a>)<\/span><\/figcaption><\/figure>\n\n\n\n<p>A second reason is complexity. Companies that actually fabricate chips don\u2019t necessarily design them from scratch, as the building blocks are bought from third parties. For example, until recently, Apple bought designs for the graphics processor on iPhones from <a href=\"https:\/\/www.imgtec.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Imagination Technologies.<\/a> (<a href=\"https:\/\/www.eetimes.com\/document.asp?doc_id=1333614\" target=\"_blank\" rel=\"noopener noreferrer\">They\u2019ve since moved to in-house designs<\/a>). Ideally, specifications perfectly match the design. In reality, undocumented or erroneously documented features across different building blocks may interact in subtle ways to produce security loopholes that attackers might exploit.<\/p>\n\n\n\n<p>Unlike in software, these weak points have long lasting effects and are not easily corrected. Many researchers are contributing to solve these problems: from techniques for verifying that <a href=\"https:\/\/link.springer.com\/chapter\/10.1007%2F978-3-319-10557-4_13\" target=\"_blank\" rel=\"noopener noreferrer\">designs match specifications<\/a>, to automated tools that <a href=\"https:\/\/link.springer.com\/chapter\/10.1007\/978-3-642-37890-4_5\" target=\"_blank\" rel=\"noopener noreferrer\">analyze interactions across components and validate behaviour<\/a>.<\/p>\n\n\n\n<p>A third reason is economies of scale. From the business perspective, there are only two games in town: performance and power consumption. The <a href=\"https:\/\/www.electronicsweekly.com\/blogs\/mannerisms\/yarns\/intel-arm-power-struggle-2017-05\/\" target=\"_blank\" rel=\"noopener noreferrer\">fastest processor and the longest battery life win the market<\/a>. From the engineering perspective, most optimizations are harmful to security.<\/p>\n\n\n\n<p>In <a href=\"https:\/\/www.embedded.com\/design\/prototyping-and-development\/4023830\/Safety-Critical-Operating-Systems\" target=\"_blank\" rel=\"noopener noreferrer\">safety-critical real time systems<\/a> (think autonomous cars, aeroplanes, etc.), where <em>how long<\/em> something takes to execute is critical. This has been a problem for a while. Current processors are designed to execute as quickly as possible <em>most of the time<\/em>, and will occasionally take lengthy periods; predicting how long something will take is incredibly challenging. We do know how to <a href=\"http:\/\/www.parmerasa.eu\/\" target=\"_blank\" rel=\"noopener noreferrer\">design predictable processors<\/a>, but virtually none are commercially available. There\u2019s little money to be made.<\/p>\n\n\n\n<h2 id=\"changing-focus-on-cybersecurity\" class=\"wp-block-heading\">Changing focus on cybersecurity<\/h2>\n\n\n\n<p>In the long term, the same won\u2019t hold true for security. As the <a href=\"https:\/\/www.ndot.in\/blog\/dawn-cybersecurity-era-age-iot.html\" target=\"_blank\" rel=\"noopener noreferrer\">age of the Internet of Things dawns on us<\/a>, and the number of processors per household, vehicle and among infrastructure continues to increase, companies will undoubtedly move towards security-conscious hardware.<\/p>\n\n\n\n<p>Better-trained engineers, better tools and more motivation for security \u2014 when a stamp of security quality means you sell more than your competitors \u2014 will push for good cybersecurity at all levels.<\/p>\n\n\n\n<p>Until then? Maybe foreign countries have interfered with it, maybe not; regardless, don\u2019t trust your hardware. That pesky update notification that keeps popping up? Update. Buying a new device? Check the manufacturer\u2019s security record. Complex advice on choosing good passwords? Listen. We\u2019re trying to protect you.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>This article is republished from <a href=\"https:\/\/theconversation.com\/institutions\/carleton-university-900\" target=\"_blank\" rel=\"noopener noreferrer\">The Conversation<\/a> under a Creative Commons license. Carleton University is a member of this unique digital journalism platform that launched in June 2017 to boost visibility of Canada\u2019s academic faculty and researchers. Interested in writing a piece? Please contact <a href=\"mailto:steven.reid3@carleton.ca\">Steven Reid<\/a> or <a href=\"https:\/\/theconversation.com\/become-an-author\" target=\"_blank\" rel=\"noopener noreferrer\">sign up to become an author<\/a>.<\/p>\n\n\n\n<p><em>All photos provided by The Conversation from various sources.<\/em><\/p>\n\n\n\n<p>&#8212;<br>\n<a href=\"https:\/\/newsroom.carleton.ca\/\">Carleton Newsroom<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/counter.theconversation.com\/content\/105773\/count.gif?distributor=republish-lightbox-basic\" alt=\"The Conversation\"\/><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article was originally published by The Conversation in 2018. A few weeks ago, Bloomberg reported that China was spying on American tech firms, including Apple and Amazon, by installing secret microchips on server boards during the production process. These hardware trojans are, like the Greek horse used to sneak in soldiers, designed to appear [&hellip;]<\/p>\n","protected":false},"author":410,"featured_media":63679,"template":"","meta":{"_acf_changed":false,"footnotes":"","_links_to":"","_links_to_target":""},"cu_story_type":[1623],"cu_story_tag":[],"class_list":["post-63646","cu_story","type-cu_story","status-publish","has-post-thumbnail","hentry","cu_story_type-expert-perspectives"],"acf":{"cu_post_thumbnail":"blueprint"},"_links":{"self":[{"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/cu_story\/63646","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/cu_story"}],"about":[{"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/types\/cu_story"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/users\/410"}],"version-history":[{"count":3,"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/cu_story\/63646\/revisions"}],"predecessor-version":[{"id":79248,"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/cu_story\/63646\/revisions\/79248"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/media\/63679"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/media?parent=63646"}],"wp:term":[{"taxonomy":"cu_story_type","embeddable":true,"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/cu_story_type?post=63646"},{"taxonomy":"cu_story_tag","embeddable":true,"href":"https:\/\/carleton.ca\/news\/wp-json\/wp\/v2\/cu_story_tag?post=63646"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}