As microchips have grown smaller and more powerful, they have infiltrated virtually every corner of society, from smartphones to medical devices to the controls that regulate rail lines, power grids and water treatment facilities. Computer security experts have been warning that these embedded computers are highly vulnerable to attack because they are increasingly networked with other computers and because they have virtually no defenses protecting their firmware, programs that are hardwired onto the chip. In October, following a wave of network attacks believed to have originated in Iran, Secretary of Defense Leon Panetta warned that a “cyber Pearl Harbor” could be imminent.

Security experts used to take firmware for granted, notes Scott Borg, director of the nonprofit Cyber Consequences Unit, because, unlike software, it was designed to operate unchanged for long periods of time. “Yet the circuits embodying these programs are designed to accept a significant number of rewrites, so they can still be altered by cyberattackers,” he says.

Engineers are making headway in protecting these chips. One new approach, described at a computer security conference in July, is a program that would scan random chunks of firmware code to check for signs of intrusion. Developers Ang Cui and Sal Stolfo of Columbia University say their “symbiote” can work with any type of firmware without slowing a computer's processing speed. It may also detect malware that no one had any way of noticing before, potentially shedding light on an “untold chapter of the history of Internet warfare,” Cui says. They plan to deliver a prototype for U.S. government testing by the end of 2012.

Borg calls Stolfo and Cui's approach “very promising.” Marc Dacier, a senior director at Symantec Research Labs, asserts that a major obstacle to any defense measure is getting companies to adopt it. The Pentagon is pushing for legislation to require the private sector to cooperate with government on cybersecurity issues. Without such legislation, Panetta said in his October speech, “we are, and we will be, vulnerable.”

This article was originally published with the title Digital Danger.

Comments