1. 16
  1.  

  2. 4

    The scariest one on this list is the postal one, and I’m not sure how it could be stopped. You could go to a store and buy a machine, but who is to say that it is not already backdoored?

    We need free firmware, and the ability to make anonymous purchases. But even then, we’re not necessarily safe…

    1. 3

      But even then, we’re not necessarily safe…

      Yeah, the whole thing devolves into “trusting trust” pretty fast. Hard disk controllers have multiple ARM cores now, cellphones have dedicated OSes to run the radios - the attack surface just keeps getting bigger and bigger. The foundations are getting so complex it’s impossible to audit what’s below.

      Heck, whose to say that seemingly unused Cortex-M3 isn’t waiting for the NSA’s magic word today…

      1. 1

        The foundations are getting so complex it’s impossible to audit what’s below

        It is going to be really hard, but this is why we need to start securing, monitoring and auditing the network inside systems as well as the networks between systems. Passive sensors could detect and alarm on firmware changes. Run IDS and ACLs on the PCI bus. Setup honey pot systems and look for unusual interdevice chatter or RF signals. I vouch for none of these approaches but I’d love to test them, the security world is going to be a crazy ride for next 20 years.

      2. 1

        And it is not limited to nation state actors. A hacker with hardware skills wants to break into a banking network, all she needs to do is get a job as a FedEx driver and she could put firmware or hardware backdoors in the servers/switches/routers she delivers. I’ve had pallets of servers delivered in which a loader put a forklift through through the pallet and some 1U23s.

        1. 2

          … you hope :|