<h1>Open source is no panacea</h1>
<p>Published 2020-01-13 at <a href="https://www.kaspersky.com.tr/blog/36c3-open-source-hardware-dangers/7532/">https://www.kaspersky.com.tr/blog/36c3-open-source-hardware-dangers/7532/</a></p>
<p>A speaker at the Chaos Communication Congress shared his views on whether using open-source hardware can solve trust problems in hardware.</p>
<p>Many people consider open-source software more secure than proprietary software, and we have begun to see a similar theory applied to hardware development. But at last month's <a href="https://www.kaspersky.com.tr/blog/tag/36c3/" target="_blank" rel="noopener">36th Chaos Communication Congress</a> (36C3) hacker conference, experts on the subject Andrew "bunnie" Huang, Sean "xobs" Cross and Tom Marble <a href="https://media.ccc.de/v/36c3-10690-open_source_is_insufficient_to_solve_trust_problems_in_hardware" target="_blank" rel="noopener nofollow">voiced their doubts</a> about whether using open-source designs is enough to solve trust problems in hardware. Huang gave an extended talk on the subject.</p>
<h2>Differences between hardware and software from a trust perspective</h2>
<p>Open-source software owes its security not only to being open, but also to widely used tools that ensure the program you run on the endpoint matches the published source code. For example, developers sign their software with a digital certificate, and the system checks that certificate before running the software on the user's computer.</p>
<p>With hardware, the situation is entirely different. Because there are no hardware analogs of hash-based addressing or digital signatures, users have no tool with which to check that the published information about the hardware is accurate. A device or chip can be checked at the factory at the latest. The longer the time between the factory check and the device's use, the greater the chance of a successful MITM attack.</p>
<h2>What can go wrong?</h2>
<p>Generally speaking, anything can happen to chips or devices between the time they leave the factory and the time they are first used. First of all, the firmware can be replaced. (Of course, firmware is essentially a software problem and can be verified, but that verification still requires you to trust the hardware.) So Huang focused on hardware-related problems such as component replacement, modifications and implants.</p>
<h3>Adding components</h3>
<p>Today it is possible to fit an entirely unauthorized module into the <a href="https://www.kaspersky.com.tr/blog/weaponized-usb-devices/5892/" target="_blank" rel="noopener">USB connector of a charging cable</a>. Naturally, adding components to more complex multi-component equipment, which offers far more room for implants, is much easier. The only good news here is that an added chip is relatively easy to detect.</p>
<h3>Replacing components</h3>
<p>The simplest replacement trick involves the brand marking. A real-life example: when a malfunctioning microcontroller was inspected visually, it turned out to be an entirely different chip bearing the correct brand (STMicroelectronics). In that case the trick amounted to swapping an expensive component for a cheaper one, but the replaced component could have been substituted with anything at all.</p>
<h3>Chip modification</h3>
<p>People generally assume that chips cannot be modified once they leave the factory, but that is not true. In many cases, what we perceive as a single chip is actually several separate microcircuits delivered in one package. Using the same technology, an experienced adversary can place one more tiny piece of silicon in the same package and wire this implant into the existing connections.</p>
<div id="attachment_7534" style="width: 1356px" class="wp-caption alignnone"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-7534" class="wp-image-7534 size-full" src="https://media.kasperskydaily.com/wp-content/uploads/sites/91/2020/01/10155730/36c3-open-source-hardware-dangers-chiponchip.jpg" alt="" width="1346" height="660"><p id="caption-attachment-7534" class="wp-caption-text">Implant on a chip. <a href="https://media.ccc.de/v/36c3-10690-open_source_is_insufficient_to_solve_trust_problems_in_hardware" target="_blank" rel="noopener nofollow">Source</a>.</p></div>
<p>What's more, the equipment required to do this is fairly cheap and widely available (according to the speaker, a second-hand wire-bonding machine from China costs about USD 7,000). That said, this tampering can be detected with X-rays.</p>
<p>Modifying wafer-level chip-scale packages (WL-CSP), which are as thin as a silicon wafer, is far more expensive, but this kind of tampering cannot be revealed by X-rays either.</p>
<h3>Integrated circuit (IC) modification</h3>
<p>Companies generally design chips for domain-specific tasks but outsource their manufacturing; only the big players in the market can afford to produce their own chips. Under these conditions there are several ways to modify the end product so that it still conforms to the terms of reference. Moreover, once a chip or device leaves the designer's hands, hardly anyone bothers to check whether the end product matches the original specification.</p>
<h2>At what point can hardware be altered?</h2>
<p>The presenter also outlined several tampering scenarios, ranging from quite complex ones (<a href="https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/" target="_blank" rel="noopener nofollow">interception of a shipment in transit</a>, as an extreme example) to relatively simple ones. In general, anyone can buy a product, tamper with it, and return it to the seller to be resold. Formally, too, many third parties have access to the equipment at various stages of the supply chain, such as the manufacturer's packaging team or customs officials. Any of them could tamper with the equipment if they wished. Whichever way you look at it, using open-source hardware will not add much security.</p>
<h2>Conclusions</h2>
<p>Toward the end of his presentation, Huang speculated about what kinds of changes to hardware manufacturing could allow end users to verify the security of chips and devices. Those interested in the philosophy of this movement and the technical details of chip modification can <a href="https://media.ccc.de/v/36c3-10690-open_source_is_insufficient_to_solve_trust_problems_in_hardware" target="_blank" rel="noopener nofollow">watch the video of the presentation</a>.</p>
<p>There are many ways to compromise hardware, and some of them are neither expensive nor laborious. More importantly, there is no direct correlation between the complexity of an attack and the difficulty of detecting it. As corporate users, be aware of the danger and do not rely solely on endpoint security products; <a href="https://www.kaspersky.com.tr/enterprise-security/threat-management-defense-solution" target="_blank" rel="noopener">enterprise infrastructure protection systems ward off advanced threats and targeted attacks</a>.</p>