We’ve all been there: You’re at a social event and someone starts the, “You know about computers, can you…” Two minutes into the conversation, I wanted to run for cover—not because I didn’t want to help them, but out of genuine concern for my own safety if I got involved. I don’t regret it, but what would you do?
Briefly, an expert hacker was maliciously targeting this person, who is a “friend of a friend of a friend.” They knew next to nothing about computers, but in the course of their work, they had apparently annoyed this hacker so much that they became a “pet” target, and it was affecting their career and personal life. The hacker had identified their system and knew whenever it was connected to the Internet, and had also hacked personal accounts across various institutions.
When I was approached, I thought it was just a case of needing to install good security software, ensure a solid firewall and change passwords: basic processes. However, as soon as it became clear this wasn’t a transient opportunist, but was instead a targeted, concerted effort by an expert who knew what they were doing and how to make someone’s life miserable, my mind started racing, and my body started backing off.
Recent conversations with security experts had alerted me to IC hacks, such as unlocked debug ports that can provide access to code. Here, even if you lock your debug port after test, you have to make sure it’s immune to hacks using voltage swings or clock glitching.
Clock glitching can be used as the system comes out of reset and checks the bit that locks the debug port. That period of time is defined, say 57 microseconds; by glitching the clock (setting and resetting it) during that window, the system might skip that bit check, leaving the debug port open, even though you might have taken the precaution of locking that bit.
“The simple solution is to use a locked byte and then mirror the byte so you have to check both sides and make sure it correlates,” according to Skip Ashton, vice president of software engineering at Silicon Labs. “It requires too long a glitch so you can't clock glitch like you would normally.”
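The mirrored lock byte described above, sketched as an added example (not Silicon Labs code and not part of the original article). It assumes the mirror is stored as the bitwise complement of the lock byte and that the check is repeated with a second read; `lock_cfg_t`, `debug_port_state` and the `0xA5` pattern are hypothetical names and values.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical: the only byte pattern that leaves the debug port open. */
#define DEBUG_UNLOCKED 0xA5u

/* Hypothetical layout: lock byte plus its mirror (assumed: bitwise complement). */
typedef struct {
    uint8_t lock;
    uint8_t mirror;
} lock_cfg_t;

/* Non-trivial result codes so a single flipped bit cannot turn CLOSED into OPEN. */
typedef enum { DEBUG_CLOSED = 0x3C, DEBUG_OPEN = 0xC3 } debug_state_t;

/* Fail closed: the port opens only if both sides correlate on every read. */
debug_state_t debug_port_state(const volatile lock_cfg_t *cfg)
{
    uint8_t lock = cfg->lock;
    uint8_t mirror = cfg->mirror;

    /* Both sides must correlate: lock XOR mirror is 0xFF when mirror == ~lock. */
    if ((uint8_t)(lock ^ mirror) != 0xFFu)
        return DEBUG_CLOSED;
    if (lock != DEBUG_UNLOCKED)
        return DEBUG_CLOSED;

    /* Second, separate read of each side, so skipping one comparison
       is not enough to reach the OPEN result. */
    if (cfg->mirror != (uint8_t)~DEBUG_UNLOCKED)
        return DEBUG_CLOSED;
    if (cfg->lock != DEBUG_UNLOCKED)
        return DEBUG_CLOSED;

    return DEBUG_OPEN;
}

int main(void)
{
    /* Constructed sample configurations. */
    lock_cfg_t locked   = { 0x00, 0xFF };  /* consistent, locked           */
    lock_cfg_t unlocked = { 0xA5, 0x5A };  /* consistent, unlocked         */
    lock_cfg_t faulted  = { 0xA5, 0xFF };  /* one side disturbed: mismatch */

    printf("locked   -> %s\n", debug_port_state(&locked)   == DEBUG_OPEN ? "open" : "closed");
    printf("unlocked -> %s\n", debug_port_state(&unlocked) == DEBUG_OPEN ? "open" : "closed");
    printf("faulted  -> %s\n", debug_port_state(&faulted)  == DEBUG_OPEN ? "open" : "closed");
    return 0;
}
```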
This is good to know if you’re a developer and you just finished testing/debug, but Ashton’s next statement is what came to mind as I was by now half listening to this hapless victim’s story.
Ashton’s point was that while you have to make sure you clean your side of the street, hacks at the IC level are rare because it’s relatively difficult, and there are so many other, easier ways to hack a device or system.
Every port becomes a weakness; every interface becomes an attack surface, and every communication a potential breach, from the IC to the board to the network to the Internet to the grey-stoned institutions that assume a stance of assurance. Behind the facade they are panicking, trying desperately and failing miserably to keep black-hat operators from accessing their customers’ data.
We all know this to be true, of course, and most engineers are technically savvy enough to take good precautions, from firewalls to encryption of files and communications.
Yet how many of us could successfully stave off an unrelenting, expert hacker? I see it as a lifetime of “whack-a-mole” and paranoia that is a case of when, not if, the hacker will breach another layer of protection.
By this time I’m thinking: If I get involved, I don’t know enough beyond the basics to really help them. Even if I do try and help, it’s a huge time sink and I run the risk of being detected and becoming a target myself. Do I really want to risk inviting that into my family’s life? Don’t we have enough to worry about?
I had to back away congenially with vague promises of looking into it and getting back to them. But frankly, I don’t even want to contact them: their phone calls, texts and email are already visible. It would have to be a “Deep Throat”-type alleyway conversation. Who is really prepared for that?
What would you do? If you have any suggestions, please share them. I’ll get word to this person, somehow, maybe via a note stuffed discreetly into their pocket while passing in disguise. In a crowded plaza.