Now that IBM's PC division is owned by Lenovo, some people are getting
worried about their security:
Assistant Secretary of State Richard Griffin said the department would
also alter its procurement process to ensure US information security
was guaranteed.
His comments came after Rep Frank Wolf expressed national security
concerns.
...
In a letter to Mr Wolf, Mr Griffin said government security experts
had recommended the computers "be utilised on unclassified systems
only".
He said the government was committed to ensuring the purchase would
not "compromise our information and communication channels".
And he said the state department would change the way it buys its
technology "in light of the changing ownership of IT equipment
providers."
His letter did not refer to Mr Wolf's specific concern that at least
900 of the computers were to be used "as part of the classified
network deployed in the United States and around the world in
embassies and consulates".
Mr Wolf, Republican chairman of the committee that oversees the
department's funds, told reporters that China's spying efforts were
"frightening".
It was "no secret that the US is a principal target of Chinese
intelligence services", he said, adding: "No American government
agency should want to purchase from them".
Should you worry? Well, sort of.
The first thing you need to realize is that manufacturing PCs isn't
like manufacturing cheese. Any real-world PC contains components
from zillions of manufacturers. Let's take one of our servers
which I happen to have open as an example:
| Component | Manufacturer | Manufacturer Country | Country of Manufacture |
|---|---|---|---|
| Case | Chenbro | Taiwan | Unknown |
| Power supply | ??? | ??? | Taiwan |
| Motherboard | Tyan | Taiwan | Taiwan |
| CPU | Intel | USA | Unknown, but Intel fabs all over the world. |
| Memory | Samsung | Korea | Unknown |
| RAID Card | 3Ware | USA | Unknown |
| Hard Drives | Seagate | USA | Singapore |
| Floppy Drive | Mitsumi | Japan | PRC |
| Operating System | Linux | - | All over the world |
And this is just the components you buy separately. The motherboard is
basically a bunch of components (memory, video chips, NICs, etc.)
which are bought by the manufacturer and surface mounted onto
the motherboard. These subsidiary components are manufactured all over
the world and the PC manufacturer has basically no supervisory role
over the manufacture. IBM/Lenovo may manufacture more of their
components themselves but a quick look at a typical IBM desktop offering
suggests a similar mix-and-match situation.
With that in mind, let's ask what the threat model is.
It seems to me that there are two basic threats to be concerned about.
The first is that the computer will be built with some kind of
trojan horse so that an attacker can take control remotely to
get access to or copies of your data. This requires somehow having
access to some reasonably central part of the computer (i.e., probably
not the floppy drive) but if you can write to the memory or PCI
bus, you're most likely good to go there. And of course if you control
the Operating System or the BIOS, you're totally set. Did I mention that
lots of PCI cards have access to the BIOS for things like RAID configuration
and network booting? And, of course, Microsoft (which is what State
presumably runs) has a zillion programmers who produce a large number
of unintentional security holes. It wouldn't exactly be hard to
hide an intentional one. You could even make it look unintentional
to cover your tracks.
That's all most people have
to worry about (to the extent they need to worry at all) but intelligence
agencies need to worry about another attack: some sort of extra
component like a keylogger that provides a side channel into the
computer. Anyone who has access to any part of the computer at pretty much any
point in the assembly process can install something like this.
So, the situation is really bad in that if you buy pretty much any
off-the-shelf computer and the attacker knows what model of computer you
buy, they can almost certainly bribe someone in the production process
to insert some kind of trojan/key-logger, etc. Hardware and
software are simply so brittle that it's not possible to have any level
of confidence that your system is secure if you're up against an attacker
with that level of sophistication (read "Reflections on Trusting Trust"
for just how bad the situation can be). But that said, it's not clear why
one should be any more concerned about equipment manufactured by Lenovo
than anyone else. Sure, they're owned (partly) by the PRC, but the stuff is
assembled in the US, so it's probably not any easier for the PRC to
compromise Lenovo's machines than someone else's.
The real issue here is protection against what Schneier calls the
"New York Times Attack". You have to buy some computers and
there's some chance they'll be compromised. No matter what the real
risk profiles are, when that happens it's going to look a lot better to
say you bought them from Dell than from the Communist Chinese Government.