2014-01-13

Some thoughts on vulnerabilities of information and communication technology

Situation

As information technology has become more intelligent, the Internet of Things is expanding as we speak, and a major part of ICT production has followed cheap labour and vast investments to Asia, there is once again talk of hidden backdoors in foreign-manufactured devices. The U.S. government has criticised Huawei for being too close to the Government of China, Russian papers tell tales of spying chips in Chinese-made household appliances, an alleged backdoor has been found in a U.S.-manufactured router, a Smart TV from South Korea has been sending user information to the Internet, and U.S. studies have shown that manipulation of IC production can degrade the quality of random number generators.

This recalls the times when everyone was worried that the MS NT operating system was trying to contact the Internet from a closed network, everyone knew that U.S. Foreign Military Sales equipment included downgraded encryption and backdoors, and there was the story of a backdoor in a French missile that was exploited in the first Gulf War. At that time military procurement required the source code of a product in order to check it for any malevolent behaviour.

The fact remains that no single-producer system is 100% proof against vulnerabilities, weaknesses or malfunctioning parts, whether they are intentional or accidental. The only ways to be more certain of a system's integrity are to build it oneself, with the considerable risk of introducing unintentional vulnerabilities, or to use open source code and hope that enough experts have examined it to find the major problems. If neither is possible, one can mix different products so that their individual weaknesses balance each other, and require management, synchronisation and signalling interfaces that are as open as possible. For a military user a single malfunctioning device is not a problem, but a whole fleet of devices being unavailable when needed is a catastrophe. One should cut these single-vendor chains wherever possible, sometimes even at the cost of more arduous maintenance or operation.

What to do

There are some things one can do to help mitigate these risks:

Create a reference environment: a small-scale copy of every device configuration found in the actual operational system of systems.
  • With this reference environment one can run a number of tests to find out how each device behaves in abnormal situations.
  • Every update or new product should undergo rigorous testing before it is delivered into the operational environment.
  • Wireless devices should be tested in a Faraday cage for unintentional transmissions, and in an anechoic chamber to find any undefined emissions.

Conformance or type testing, to find any anomalies that differ from the specification:
  • Test the linearity of the device against some references. This is to find any anomalies between input and output compared to other similar devices.
  • Test under overload to find out its behaviour in asymmetric conditions.
  • Test with altered inputs on all ports to find unspecified behaviour.
  • Test with exposure to electromagnetic radiation to find the level of immunity to outside fields.
  • Test with high-power microwave (HPM) to find out its vulnerability to excess radiation.
  • Protocol testing to find out its behaviour with other devices that are assumed to follow the standard.
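The first item of the list above, the linearity check against reference units, as an added example that is not part of the original post. The stimulus sweep, the three reference units and the device under test (DUT) are constructed data: every unit nominally follows y = 2.0·x + 0.5 with small measurement noise, and the DUT is given an extra +0.8 at one input level so that a hidden trigger on a single stimulus value would show up as a point-wise deviation, not as a change of gain. The tolerance parameters k (multiple of the reference spread) and floor (instrument resolution) are assumptions to be set per device type.

```python
"""Linearity check of a device under test (DUT) against reference units.

Added example, not from the original post. The stimulus sweep and the
measured outputs below are constructed: three reference units and one DUT
of the same nominal type, where the DUT misbehaves at a single input level.
"""
from statistics import mean, pstdev

STIMULUS = [float(x) for x in range(10)]   # input levels applied to every unit


def _response(noise, gain=2.0, offset=0.5):
    # nominal transfer function y = gain*x + offset plus per-point measurement noise
    return [gain * x + offset + n for x, n in zip(STIMULUS, noise)]


# Constructed measurements of three reference units (noise only)
REFERENCES = [
    _response([0.02, -0.01, 0.03, -0.02, 0.01, 0.00, -0.03, 0.02, -0.01, 0.01]),
    _response([-0.01, 0.02, -0.02, 0.01, -0.03, 0.02, 0.01, -0.02, 0.03, 0.00]),
    _response([0.00, -0.03, 0.01, 0.03, 0.02, -0.01, 0.02, 0.01, -0.02, -0.03]),
]
# Constructed DUT: tracks the references except at stimulus level 7 (+0.8)
DUT = _response([0.01, 0.00, -0.01, 0.02, 0.01, -0.02, 0.00, 0.80, 0.01, -0.01])


def fit_line(xs, ys):
    """Ordinary least-squares fit; returns (slope, intercept)."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def linearity_report(stimulus, references, dut, k=4.0, floor=0.05):
    """Compare the DUT against the reference ensemble, level by level.

    A level is flagged when the DUT output deviates from the reference mean by
    more than k times the reference spread at that level (never less than the
    assumed instrument resolution `floor`). Gain and offset are compared through
    a line fit so that a global drift is reported separately from point faults.
    """
    flagged = []
    for i, _ in enumerate(stimulus):
        ref_vals = [r[i] for r in references]
        tol = k * max(pstdev(ref_vals), floor)
        if abs(dut[i] - mean(ref_vals)) > tol:
            flagged.append(i)
    dut_slope, dut_offset = fit_line(stimulus, dut)
    ref_fits = [fit_line(stimulus, r) for r in references]
    return {
        "flagged_levels": [stimulus[i] for i in flagged],
        "dut_gain": dut_slope,
        "ref_gain": mean(s for s, _ in ref_fits),
        "dut_offset": dut_offset,
        "ref_offset": mean(o for _, o in ref_fits),
        "max_residual": max(abs(y - (dut_slope * x + dut_offset))
                            for x, y in zip(stimulus, dut)),
    }


if __name__ == "__main__":
    print(linearity_report(STIMULUS, REFERENCES, DUT))
```

Running the script flags stimulus level 7 only; the fitted gain of the DUT stays within about one percent of the references, which is exactly why a gain-only acceptance test would pass this unit and a point-wise comparison against peers does not.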

Mix system structures from different providers. Since no ICT product or provider is 100% trusted through the whole life cycle, it is advisable to use devices from different vendors together:

  • At the physical layer one can use different fibres, links or wires to balance any single weakness.
  • At the link layer one should rely on open standards and mix different manufacturers' devices where possible, or use parallel media with different links together to provide maximum availability.
  • At the network layer a mixture of routing and switching devices may be combined, but problems may arise with end-to-end management or with proprietary functions.
  • Cyber defence in depth always requires multiple structures at the higher layers. These structures mix different operating systems, different databases, different middleware and even different programming languages across the domains of cyber defence. One should try to break every session at least once, for example at a gateway or proxy between domains, so that no single session crosses the whole structure.

Build integrity with encryption. Implementing encryption in particular ways may neutralise backdoors that try to gather information.

  • All media and links can be tapped, so strong encryption is needed at the bulk-transfer level. It may be done at the wavelength-multiplexing level to keep throughput high, or at the link level to allow equipment from different manufacturers.
  • Network-level encryption protects against sniffers at the lower layers.
  • Session-level encryption is good when roaming among various access services.
  • Content-based encryption is the best protection for the information itself, but it does not protect the systems from insiders, man-in-the-middle attacks or backdoors at the endpoints, where the content is in the clear.
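The layering argument above, as an added example that is not part of the original post: link (hop) encryption under end-to-end content encryption, run through a transit router of a vendor that is assumed to be backdoored and to log everything it can decrypt. The cipher is a toy encrypt-then-MAC construction on HMAC-SHA256 so that the script needs only the Python standard library; the names, keys, header format and the "backdoor log" are assumptions of this example, and a real system would use AES-GCM or ChaCha20-Poly1305 from a vetted library. The point it demonstrates is the one made in the list: the router (and a tap on the fibre) never sees the content, a modification at the router is detected by the receiver, but whoever holds the content key at an endpoint sees everything.

```python
"""Layered encryption: hop-by-hop link encryption under end-to-end content
encryption. Added example, not from the original post.

Assumptions: sender A and receiver B share a content key; the transit router R
holds both hop keys and is modelled as backdoored (it logs what it decrypts).
The cipher is a toy encrypt-then-MAC on HMAC-SHA256 for illustration only.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    # separate encryption and MAC keys derived from one master key
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # PRF in counter mode: block i = HMAC(enc_key, nonce || i)
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag (aad is authenticated only)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob, aad=b""):
    """Verify the tag before decrypting; raises ValueError on any modification."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def transfer(message, tamper_at_router=False):
    """Carry one message A -> R -> B and report what each vantage point saw."""
    k_content = os.urandom(32)   # shared only by the endpoints A and B
    k_link_ar = os.urandom(32)   # hop key A<->R, known to the router
    k_link_rb = os.urandom(32)   # hop key R<->B, known to the router
    header = b"A->B seq=1 "      # assumed cleartext routing header

    # A: content encryption first, then the hop encryption towards R
    content_ct = seal(k_content, message)
    wire_ar = seal(k_link_ar, header + content_ct)

    # A tap on the fibre between A and R sees only the outer ciphertext
    tap_view = wire_ar

    # R: strips the hop layer, logs what it sees (the backdoor), re-seals for B
    inner = open_(k_link_ar, wire_ar)
    router_log = inner
    hdr, payload = inner[:len(header)], inner[len(header):]
    if tamper_at_router:
        payload = payload[:-1] + bytes([payload[-1] ^ 0x01])
    wire_rb = seal(k_link_rb, hdr + payload)

    # B: strips the hop layer, then the content layer
    inner_b = open_(k_link_rb, wire_rb)
    received = open_(k_content, inner_b[len(header):])
    return {"received": received, "tap_view": tap_view,
            "router_log": router_log, "header": header}


def tamper_detected(message):
    """True when a one-bit change made at the router is rejected by B."""
    try:
        transfer(message, tamper_at_router=True)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    r = transfer(b"fleet status: all units operational")
    print("B received:", r["received"])
    print("router saw content plaintext:", r["received"] in r["router_log"])
    print("tap saw header:", r["header"] in r["tap_view"])
    print("router tamper detected:", tamper_detected(r["received"]))
```

Two design points carry over to real deployments: the hop layer is what hides the routing header from a passive tap, and the content layer is what makes the router's log useless, so removing either one re-exposes exactly the information the other cannot cover.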

Take care of all auxiliaries as well as the main system.

  • The management system is the most obvious avenue for any logical attack, so management systems should be checked and tested even more thoroughly than the actual nodes.
  • Electricity is a prominent avenue both for many effects and for information gathering. Any power supply should be tested thoroughly and the inbound electrical wiring analysed for excess modulation.
  • All wiring should be tested from time to time for additional devices installed during or after the implementation of the actual system.
  • All air-conditioning, water, piping and drainage systems may be used as a platform for malevolently behaving functions.
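The second item above, analysing the inbound wiring for modulation that does not belong there, as an added example that is not part of the original post. The sampled waveform is constructed: a 50 Hz mains fundamental with small 3rd and 5th harmonics, and an injected 1235 Hz carrier standing in for a covert modulation on the wiring. The sample rate, the 1% reporting threshold and the rule that only the fundamental and its harmonics are expected are assumptions of this example; a real measurement would come from a current clamp or line coupler and an ADC, and the threshold would follow the site's measured noise floor.

```python
"""Spectral check of a mains waveform for modulation that does not belong there.

Added example, not from the original post. The waveform is constructed: a
50 Hz fundamental with its 3rd and 5th harmonics plus an injected 1235 Hz
carrier that stands in for a covert modulation on the power wiring.
"""
import cmath
import math

FS = 4000.0   # assumed sample rate in Hz
N = 800       # samples per block: resolution FS/N = 5 Hz, so all tones sit on a bin

# (frequency Hz, amplitude, phase rad); amplitudes relative to the fundamental
CLEAN = [(50.0, 1.0, 0.3), (150.0, 0.10, 1.1), (250.0, 0.03, 2.0)]
TAMPERED = CLEAN + [(1235.0, 0.05, 0.7)]   # 5% carrier that is not a harmonic


def synth(tones, n=N, fs=FS):
    """Constructed waveform: sum of sinusoids, n samples at fs."""
    return [sum(a * math.sin(2 * math.pi * f * i / fs + p) for f, a, p in tones)
            for i in range(n)]


def spectrum(samples):
    """Magnitudes of DFT bins 0..n//2 (naive O(n^2) DFT, adequate for n=800)."""
    n = len(samples)
    mags = []
    for k in range(n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                  for i, x in enumerate(samples))
        mags.append(abs(acc))
    return mags


def spurious_components(samples, fs=FS, mains_hz=50.0, rel_threshold=0.01):
    """Return (frequency_hz, level relative to the fundamental) for each bin
    that exceeds rel_threshold and is not DC, the fundamental or a harmonic."""
    mags = spectrum(samples)
    n = len(samples)
    fund_bin = round(mains_hz * n / fs)
    fund = mags[fund_bin]
    found = []
    for k, m in enumerate(mags):
        if k % fund_bin == 0:          # DC, fundamental and harmonics are expected
            continue
        if m > rel_threshold * fund:
            found.append((k * fs / n, m / fund))
    return found


if __name__ == "__main__":
    print("clean wiring:", spurious_components(synth(CLEAN)))
    print("tampered wiring:", spurious_components(synth(TAMPERED)))
```

On the clean waveform the function returns nothing; on the tampered one it reports the 1235 Hz component at about 5% of the fundamental. Harmonic distortion from ordinary loads stays on the harmonic bins and is ignored by design, which is what keeps the check usable on a real mains feed.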

These are just some examples of what can be done to mitigate single-manufacturer risks in a military ICT environment.