Chinese bookmarks: a true story about virtualization, security and spies. Types of bookmarks Hardware bookmarks

A long time ago, when personal computers were purchased abroad in batches of several hundred pieces, and not in “circulations” of millions, small commercial offices were organized under the auspices of one of the KGB departments to “search for bookmarks.” Now we all understand perfectly well that this was one of the honest ways of taking money, because at that level of security and organization it was possible to find anything, but not a bookmark in the chips. But large buyers from among state offices and enterprises still had nowhere to go. They paid.

advertising

Today, Intel does not even hide the fact that the processors and chipsets of modern computer platforms have built-in tools for remote control PC. Intel's much-touted Active Management Technology (AMT) should help simplify remote system maintenance - diagnostics and repairs - without user intervention. But no one is immune to the fact that AMT administrator rights can also be used for malicious purposes and, as it turns out, there is not just a bookmark, there is a whole “pawnbroker”.

According to a publication by security specialist Damien Zammit, modern Intel chipsets have a built-in local and isolated Intel Management Engine (Intel ME) microcontroller chip. This is a solution with its own firmware, which is not available for study by third-party tools and with full control rights over the processor, memory and the system as a whole. Moreover, the controller can work with the PC turned off, as long as power is supplied to the memory. Of course, the operating system and utilities will have no idea about the activity of the controller and will not sound the alarm while it is working with the system and data.

Search for electronic information interception devices using electromagnetic field indicators

COURSE WORK

Specialty “10.02.01 Organization and technology of information security”

Completed by: Shevchenko Konstantin Pavlovich

student of group No. 342

_______________/_____________/

signature full name

"____"___________2016

Checked:

Teacher

_______________/S.V. Lutovinov/

signature full name

"____"___________2016

Tomsk 2016

Introduction. 3

Types of bookmarks. 4

Acoustic bookmarks. 4

Phone bookmarks. 7

Hardware bookmarks. 8

Electromagnetic field indicators. 10

Radio frequency meters. 13

Scanning receivers and spectrum analyzers. 14

Hardware-software and special control systems. 16

Radiation detection system. 17

Wire line monitoring tools. 18

Nonlinear locators and metal detectors. 20

Bookmark detection. 21

Conclusion. 22

Literature. 23

Introduction

Information has long ceased to be personal. It has acquired a tangible cost weight, which is clearly determined by the actual profit received from its use, or the amount of damage caused to the owner of the information with varying degrees of probability. However, the creation of information raises a number of complex problems. One of these problems is the reliable provision of safety and established status of information circulating and processed in information computing systems and networks. This problem came into use under the name of information security problems.

A special inspection is a set of engineering and technical measures carried out using control and measuring equipment, including specialized technical means, aimed at preventing the interception of technical information containing information constituting a state secret, personal, with the help of embedded in protected technical means and products of special electronic stowing devices.

The purpose of the course work: to get acquainted with the basics and means of searching for electronic devices for intercepting information using electromagnetic field indicators in theory and practice.

Types of bookmarks

Acoustic bookmarks- these are special miniature electronic devices for intercepting acoustic (speech) information, covertly installed in rooms or cars. The information intercepted by acoustic bookmarks can be transmitted via radio or optical channel, over the electrical network alternating current, by telephone line, as well as by metal structures of buildings, pipes of heating and water supply systems, etc.

Rice. 1. Acoustic radio bookmark

The most widely used are acoustic bookmarks that transmit information over a radio channel. Such devices are often called radio bookmarks. Depending on the medium of propagation of acoustic vibrations, radio bookmarks are divided into acoustic radio bookmarks And radio stethoscopes.

Acoustic radio tags are designed to intercept acoustic signals via a direct acoustic (air) channel of information leakage. The sensitive element in them is, as a rule, an electret microphone.

Rice. 2. Radiostethoscope

The radio stethoscope is designed to intercept acoustic signals propagating along a vibroacoustic (walls, ceilings, floors, water supply pipes, heating, ventilation, etc.) leakage channel. Piezomicrophones or accelerometer-type sensors are usually used as sensitive elements. In order to increase the operating time, these acoustic bookmarks can be equipped with control systems for turning on the radio transmitter from the voice, as well as systems remote control. To receive information transmitted by radio bookmarks and radio stethoscopes, scanner receivers and software and hardware control systems are used.

In addition to bookmarks that transmit information over a radio channel, there are bookmarks that use 220 V power lines to transmit information. Such acoustic bookmarks are called network. To intercept information transmitted by network bookmarks, special receivers are used that are connected to the power network within the building.

In practice, it is also possible to use acoustic bookmarks that transmit information along the lines of security and fire alarm systems, as well as telephone lines. Most simple device, which transmits information over a telephone line, is the so-called “telephone ear” device (Fig. 3).

Rice. 3. Telephone ear TU-2

Phone bookmarks designed to eavesdrop on information transmitted over telephone lines. Usually they are made in the form of a separate module or disguised as elements of a telephone set, a telephone plug or socket.

To intercept information in such bookmarks, two methods are used: contact and non-contact methods. With the contact method, information is obtained by directly connecting to the controlled line. With the non-contact method, information is collected using a miniature induction sensor, which eliminates the possibility of establishing the fact of eavesdropping on information.

The transfer of information using a telephone bookmark begins the moment the subscriber picks up the handset.

Rice. 4. Phone bookmark

Hardware bookmarks- these are electronic devices illegally and secretly installed in technical means of processing and transmitting information (computers) in order to ensure at the right time information leakage, violation of its integrity or blocking. Made in the form of standard modules used in computers, with minor modifications. As a rule, they are placed in a computer when assembling a computer to order from an enterprise of interest, as well as when troubleshooting or modifications carried out during the service or warranty period.

Rice. 5. Hardware bookmark

Using hardware bookmarks, it is possible to intercept data, for example, I/O data personal computer: monitor image; data entered from the keyboard, sent to the printer, recorded on internal and external media.

In addition to acoustic, telephone and hardware bookmarks, they can be used for unauthorized retrieval of information. portable video recording devices.

Broadcast from video cameras can be directly recorded on a video recorder, or transmitted over a radio channel using special transmitters. If, in addition to the video image, sound transmission is required, then a microphone is installed together with the video camera. As a rule, video transmitters are made in the form of a separate unit, while being small in size and weight. But there are often cases when they are structurally combined with television cameras (Fig. 5).

Rice. 6. Video transmitter

Video cameras and transmitters are powered either from built-in batteries, while the operating time, as a rule, does not exceed several hours, or from a 220 V power supply, and their operating time is practically unlimited.

In short, it states the following (hereinafter in the text is my subjective free paraphrase).

Allegedly, large corporations around the world, including Apple, Amazon and others like them, have been ordering expensive top-end servers from SuperMicro for many years. The latter was fed up with such volumes of orders; its own factories could no longer cope. Then it outsourced the production of a certain number of motherboards to its Chinese subcontractors.

Polite Chinese people came to these same subcontractors and made them an offer they couldn’t refuse. Like, come on, guys, at our request, you will additionally install another small, undocumented chip on the motherboards you produce. If you do, we’ll charge you extra money, but if you don’t, we’ll ruin your business with various checks. As a result, motherboards “modified” in this way were distributed all over the world, and some of them ended up in large first-tier American companies, banks, and government agencies.

Some time passed. One of Amazon's divisions, a certain company called "Elements", is concerned about the security of the solutions it has developed in the field of mass processing of video streams. Among other things, they ordered a hardware security audit to a certain Canadian company. And this is where undocumented chips, skillfully hidden, implanted into motherboards, were discovered. Which are, like, not that easy to detect. Because firstly, they are very small and gray. Secondly, they are disguised as ordinary solder couplings or chip capacitors. Thirdly, in the latest revisions they began to hide them directly into the thickness of the textolite, so that they are visible only on X-ray photographs.

If you believe the text, then through the embedded microcode, the spy chip periodically “pings” through the BMC module one of its anonymous “puppeteers”, from whom it receives further instructions for action. And supposedly even this adversary is able to download “from wherever necessary” some code, which is then injected directly into the running kernel operating system or into application code.

Well, what follows is a rant about how big a security hole this is, what assholes these Chinese are, what their audacity and arrogance is, all the men are assholes, you can’t trust anyone, “now we’re all going to die,” and that’s all. The interesting discussions from a technical point of view end here.

I'm generally a big skeptic in life. Without denying the genius of the Chinese, some aspects still seem very unrealistic to me personally. Take it just like that, on the sly from engineers and management, and make changes to the design motherboard at the level of the manufacturer, without disrupting its performance? And if with the knowledge of management, then how was he motivated to expose such a serious reputational risk to all such big business? Inject your code into the operating system and applications? Well, with Windows it’s still okay, I’m ready to believe it with a creak. But in Linux, where you don’t know in advance who collected it and how? Show off-line network activity? Which, if desired, can be detected and filtered. Not to mention the fact that normal admins never set BMCs to “shine their naked ass on the Internet,” and good admins generally throw them into a separate VLAN without the possibility of access anywhere.

Well, again, lately the Americans have been developing some kind of fierce spy mania and paranoia. And they also decided to quarrel with China. So the objectivity and impartiality of the original article is in question. On the other hand, I don’t really understand where they get such beautiful stories from. Back in 2011, the tabloid magazine "Xakep" wrote about the same Chinese bookmarks at the microcode level in a BMC flash drive. That article also smacks of paranoid delirium, but there is no smoke without fire. Or does it happen?

In general, share your opinion in the comments. It is especially interesting to hear Comrade. kvazimoda24 on the topic of the possibility of integrating some kind of spy microcircuits into the thickness of the textolite.

Convenient remote control tools save system administrators a lot of energy - and at the same time pose a huge security risk when they cannot be disabled in hardware using a jumper or switch on the motherboard. The Intel Management Engine 11 unit in modern Intel platforms poses just such a danger - initially it cannot be disabled and, moreover, some mechanisms for initialization and functioning of the processor are tied to it, so that rough deactivation can simply lead to complete system inoperability. The vulnerability lies in Intel technologies Active Management Technology (AMT), even with a successful attack, allows you to gain complete control over the system, as was described back in May of this year. But researchers from Positive Technologies.

The IME processor itself is part of the system hub (PCH) chip. With the exception of PCI Express processor slots, all communication between the system and the outside world goes through the PCH, which means that the IME has access to almost all data. Prior to version 11, an attack using this vector was unlikely: the IME processor used a proprietary architecture with the ARC instruction set, which was little known to third-party developers. But in version 11, a bad joke was played on the technology: it was transferred to the x86 architecture, and the modified MINIX was used as the OS, which means that third-party studies of binary code were significantly simplified: both the architecture and the OS were well documented. Russian researchers Dmitry Sklyarov, Mark Ermolov and Maxim Goryachiy managed to decrypt the executable modules of IME version 11 and begin their thorough study.

Intel AMT technology has a vulnerability score of 9.8 out of 10. Unfortunately, complete shutdown IME on modern platforms is not possible for the reason described above - the subsystem is closely related to initialization and startup of the CPU, as well as power management. But from a flash memory image containing IME modules, you can remove everything unnecessary, although this is very difficult to do, especially in version 11. The me_cleaner project is actively developing, a utility that allows you to remove the general part of the image and leave only vital components. But let’s give a small comparison: if in IME versions up to 11 (before Skylake), the utility deleted almost everything, leaving about 90 KB of code, now it is necessary to save about 650 KB of code - and in some cases the system may turn off after half an hour, since the block The IME enters recovery mode.

However, there is progress. The above-mentioned group of researchers were able to use the development kit, which is provided by Intel itself and includes Flash utilities Image Tool for setting IME parameters and Flash Programming Tool, working through the built-in SPI controller. Intel does not publish these programs on open access, but finding them on the Internet is not particularly difficult.

The XML files obtained using this kit were analyzed (they contain the structure of the IME firmware and a description of the PCH strap mechanism). One bit called "reserve_hap" (HAP) seemed suspicious due to the description "High Assurance Platform (HAP) enable". An online search revealed that this is the name of a high-trust platform program associated with the US NSA. Enabling this bit indicated that the system had entered Alt Disable Mode. The IME unit did not respond to commands and did not respond to influences from the operating system. There are also a number of more subtle nuances that can be found in the article on Habrahabr.ru, but in new version me_cleaner has already implemented support for most dangerous modules without setting the HAP bit, which puts the IME engine in the “TemporaryDisable” state.

The latest modification of me_cleaner, even in the 11th version of IME, leaves only the RBE, KERNEL, SYSLIB and BUP modules; no code was found in them to enable the IME system itself. In addition to them, you can use the HAP bit to be completely sure that the utility can also do this. Intel has reviewed the research and has confirmed that a number of IME settings are indeed related to the capabilities needs of government organizations. increased security. These settings were introduced at the request of US government customers, they have undergone limited testing and such configurations are not officially supported by Intel. The company also denies introducing so-called backdoors into its products.