Last year, hackers made headlines after they breached SolarWinds, a software company that specializes in network monitoring software. About 33,000 organizations, including the Pentagon, the U.S. State Department, and some intelligence agencies, use Orion, one of SolarWinds’ products. Orion was designed to monitor the users’ networks to make sure they were functioning properly and, ironically, kept safe.
The breach seems to have started with an attack on Microsoft products, including the Microsoft Office 365 server SolarWinds was using. Office 365 handles email, among other things, and email servers are notoriously hard to protect against malware infection because they have to process data from computers all over the Internet. The attackers then mounted a supply chain attack, meaning that instead of directly attacking government offices, the attackers compromised the Orion software that those organizations used, before the software was actually delivered to them.
What could software manufacturers do to defend against such an assault? Recently, researchers from Ohio State University and Potomac Research LLC, led by Noeloikeau Charlot, published a paper on the idea of using “physically unclonable functions.” Physically unclonable functions, or PUFs, exploit the fact that, at a microscopic level, even mass-produced computer chips have tiny differences from one chip to the next. PUFs leverage that to let every chip in a computer, smartphone, or other device generate a signal that no other chip can generate. Just like your bank might want to check your fingerprint before you access your safety-deposit box, an online bank can check a device’s PUF to make sure that only someone with the right device is accessing a bank account. PUFs can be impressively distinct. “The researchers,” according to a press release, “believe it would take longer than the lifetime of the universe to test for every possible combination available.”
PUFs are a great technical idea, but they suffer from a few drawbacks. A fingerprint identifies a person, but a PUF identifies a device. If you use more than one device, as many people do, either you have to always have the correct one handy or the bank has to know the PUFs for all of them. And registering a new PUF would require that you convince your bank that you own both the new device and the old one, a process that could give hackers another opportunity to impersonate you and gain access to your account. By definition, backing up a PUF is impossible, so if you don’t have multiple devices registered, then losing one means starting over from scratch. And if someone steals a device that’s registered to the bank, you would need a way to revoke the registration before hackers can break into the device and use the PUF.
While there are situations where PUFs could be very useful, the researchers are, unfortunately, barking up the wrong tree when it comes to hackers. We already have the technical tools to prevent hacks like SolarWinds. We can identify devices using digital signatures. We just don’t use them correctly.
If a PUF is like a fingerprint, a digital signature is like an ID card with a ridiculously long ID number written on it. If you have the right information, you can copy a digital signature from one device to another, so multiple devices are not a problem, just like you can make a copy of an ID card given enough time and resources. On the other hand, you can prove that you have the right digital signature without giving away the key information, just like it would be very difficult for someone to copy an ID card if they can only briefly examine it. Unlike PUFs, there isn’t a physical barrier to copying a digital signature. But the fact is, copying a digital signature is already hard enough that hackers hardly ever try it.
Compromising an email server is like trying to infiltrate a post office. Fingerprint scanners and ID cards will help catch someone who is impersonating a postal worker. But what about a drone hidden in a package? Even if you can accurately determine where it came from, that doesn’t necessarily tell you whether it’s safe or not. Instead, the post office might have to start X-raying every sufficiently large package. This quickly becomes an arms race: Attackers try to disguise the drones, while the defenders try to get better at identifying them. This is basically the current situation with malware, and with email servers in particular.
Office 365 has a single sign-on feature, meaning that a company can tie all of its computers into a single log-in system. So once the attackers had broken into SolarWinds’ Office account, they apparently used it to access other SolarWinds systems, including the one which publishes updates to the Orion software.
It’s possible that PUFs could have helped here as a part of a two-factor authentication system, where users have to not just type in a password but also confirm another way that they are who they say they are. On the other hand, many organizations do not use two-factor authentication, even when it is available in their software. There’s also evidence that the attackers may have exploited a bug in Office that allowed them to bypass two-factor authentication.
Once the attackers had access to the Orion update system, they were able to modify the software updates that SolarWinds sent out regularly to their customers. Most organizations install these updates automatically, for two good reasons. They often include important security upgrades, like bug fixes, and they are supposed to be digitally signed by the manufacturer to ensure they are legitimate. In this case, the updates were correctly signed, because they came from SolarWinds’ own computers! PUFs would not have helped here.
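To make the distinction in the last two paragraphs concrete, here is an added example (not code from the article or from the PUF paper) in Go, using Ed25519 from the standard library: the customer-side check rejects an update altered after it was signed, but accepts one altered on the vendor's build system before signing, because a signature attests to who signed the update, not to whether the code inside is safe. The update payload and the `Tamper` step are constructed stand-ins, not anything from Orion.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Update is a constructed stand-in for a vendor software update:
// the payload bytes plus the vendor's signature over their SHA-256 digest.
type Update struct {
	Payload   []byte
	Signature []byte
}

// Sign runs on the vendor's build/release system: it signs the digest of
// whatever payload the build produced, whether that build is clean or not.
func Sign(priv ed25519.PrivateKey, payload []byte) Update {
	digest := sha256.Sum256(payload)
	return Update{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify runs on the customer side: it only answers "was this signed with the
// vendor's key?", which says nothing about whether the payload is safe.
func Verify(pub ed25519.PublicKey, u Update) bool {
	digest := sha256.Sum256(u.Payload)
	return ed25519.Verify(pub, digest[:], u.Signature)
}

// Tamper models a modification of the payload (hypothetical, for illustration).
func Tamper(payload []byte) []byte {
	return append(append([]byte{}, payload...), []byte(" + modification")...)
}

// Scenarios returns (alteredAfterSigningAccepted, alteredBeforeSigningAccepted).
func Scenarios() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	clean := []byte("vendor-update-v1") // constructed sample payload
	// Case 1: the update is changed in transit, after the vendor signed it.
	inTransit := Sign(priv, clean)
	inTransit.Payload = Tamper(inTransit.Payload)
	// Case 2: the payload is changed on the build system, so the vendor's
	// own key signs the altered build (the SolarWinds situation).
	inside := Sign(priv, Tamper(clean))
	return Verify(pub, inTransit), Verify(pub, inside)
}
```

The first result is false and the second is true: signature checking on the receiving end cannot distinguish a legitimate build from one modified before the vendor's signing step ran.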
The modifications made to the Orion software allowed the attackers to control the software remotely. Once the attackers had control of this system, they could spy on pretty much everything that was going on. These attacks were coming from inside a system that had already been vouched for.
If better identification tools are not the answer, what is? What most concerns me is the string of security bugs and programming mistakes that we keep hearing about when these breaches occur. “The SolarWinds hack that targeted the U.S. government really got people thinking about how we’re going to be doing authentication and cryptography,” Daniel Gauthier, a physicist at Ohio State University and a senior author on the paper, said. “We’re hopeful that this could be part of the solution.”
PUFs are a solution to the wrong problem. We currently have a situation where users expect software to have bugs, and programmers are encouraged to rush software out the door first and fix it later. Instead of penalizing the manufacturers for security bugs, we treat them almost as natural disasters—no one’s fault. The way that updates are easily distributed and automatically installed over the Internet encourages this, but it’s a major problem when it comes to security. Until this situation is changed, we can expect to keep hearing about security breaches despite PUFs and other exciting new technical tools.
Joshua Holden is professor of mathematics at the Rose-Hulman Institute of Technology and the author of The Mathematics of Secrets: Cryptography from Caesar Ciphers to Digital Encryption.