But even if the story has not yet been confirmed, the security community warns that the kind of supply chain attack it describes is all too real. After all, the NSA has done something similar, according to whistleblower Edward Snowden. Now researchers are going a step further, showing how easily and cheaply tiny, hard-to-detect spy chips can be planted in a company's hardware supply chain. One of them has shown that it can be done without a state-funded spy agency at all: just a motivated hardware hacker with the right access and as little as $200 worth of equipment.
At the CS3sthlm security conference later this month, security researcher Monta Elkins will show how he built a proof-of-concept version of that hardware hack in his basement. He intends to demonstrate how easily spies, criminals or saboteurs with only modest skills and a small budget can plant a chip in corporate IT equipment to give themselves stealthy back door access. (Full disclosure: I am speaking at the same conference, which is paying for my trip and providing attendees with copies of my forthcoming book.) With only a $150 hot-air soldering tool, a $40 microscope and some $2 chips ordered online, Elkins was able to alter a Cisco firewall in a way that, he says, most IT administrators would likely never notice, but that would give a remote attacker deep control.
"We think these things are so amazing, but it's not hard," said Elkins, the "chief hacker" of FoxGuard, an industrial control system security company. "By showing people this hardware, I want to make it more real. It is not magical, let alone a fantasy. I can do it in my basement. There are a lot of people smarter than me, and they can do it almost at no cost."
Nails in a firewall
Elkins found an ATtiny85 chip, about 5 square millimeters in area, on a $2 Digispark Arduino board. It's not the size of a grain of rice, but it's smaller than a fingernail. After writing his code to the chip, Elkins removed it from the Digispark board and soldered it to the motherboard of a Cisco ASA 5505 firewall. It sits in an inconspicuous spot, required no additional wiring, and gives the chip access to the firewall's serial port.
The figure below shows how hard the chip is to spot on the firewall's crowded board, even though the ASA 5505's board is relatively small, roughly 6 by 7 inches. Elkins said he could have used smaller chips, but he settled on the ATtiny85 because it was easier to program. He said he could have hidden his malicious chip more ingeniously inside one of the several RF shielding "cans" on the firewall board, but he wanted to be able to show the chip's location at the CS3sthlm conference.
On the underside of the Cisco ASA 5505 firewall motherboard, the red ellipse marks the 5-square-millimeter chip added by Elkins.
Elkins programmed his tiny stowaway chip to carry out its attack once the firewall boots in the target's data center. It impersonates a security administrator who has connected a computer directly to the port to access the firewall's configuration. The chip then triggers the firewall's password recovery function, creates a new administrator account, and gains access to the firewall's settings. Elkins said he used Cisco's ASA 5505 firewall in the experiment because it was the cheapest firewall he could find on eBay, but he said that any Cisco firewall offering this kind of recovery in the event of a lost password should work. "We are committed to transparency and are investigating the researcher's findings," Cisco said in a statement. "If new information is found that should be noted, we will communicate it through our normal channels."
Once the malicious chip has access to those settings, Elkins says, his attack can change the firewall's configuration so that a hacker can remotely access the device, disable its security features, and view the logs of every connected device, all without alerting administrators. "I can basically change the configuration of the firewall and let it do whatever I want." Elkins also said that, with more reverse engineering, the firewall's firmware could be reprogrammed to build a more comprehensive foothold on the victim's network for surveillance, although that proof of concept is still in progress.
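The attack above, whatever its delivery vector, leaves a trace in the one place the firewall cannot hide it: its running configuration. The defensive counterpart is to keep a known-good copy of that configuration off the box and diff every freshly pulled copy against it. The script below is an added example written for this article; it is not code from the article, from Elkins, or from Cisco. The two configuration snapshots are constructed in the style of Cisco ASA CLI output, with made-up hostnames, account names and addresses, and the second one shows the three changes the article describes: a new privileged account, remote management opened up, and logging reduced.

```python
"""Configuration-drift check for firewall running-config snapshots.

Added example (not from the article or from Cisco). Pull the running config
over a trusted channel, keep the approved copy somewhere the firewall cannot
write to, and run this comparison on every fresh pull or on a schedule.
"""
from typing import Dict, List, Tuple

# Constructed baseline: the configuration as approved by the firewall's owners.
BASELINE_CONFIG = """\
hostname edge-fw
username netops password ***** privilege 15
ssh 10.10.0.0 255.255.255.0 inside
http 10.10.0.0 255.255.255.0 inside
logging enable
logging host inside 10.10.0.50
"""

# Constructed "current" snapshot after tampering of the kind the article describes:
# a second privilege-15 account, SSH opened on the outside interface, remote log host gone.
TAMPERED_CONFIG = """\
hostname edge-fw
username netops password ***** privilege 15
username svc_backup password ***** privilege 15
ssh 10.10.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
http 10.10.0.0 255.255.255.0 inside
logging enable
"""

# Line prefixes where any change deserves a pager, not just a ticket.
HIGH_RISK_PREFIXES = ("username ", "ssh ", "http ", "telnet ", "logging ",
                      "enable password", "aaa ")
MANAGEMENT_PREFIXES = ("ssh ", "http ", "telnet ")


def config_diff(baseline: str, current: str) -> Dict[str, List[str]]:
    """Return the lines added to and removed from the baseline.

    Comparison is set-based (order-insensitive) and ignores blank lines, which is
    enough for account and management-access lines; order-sensitive sections such
    as access lists would need a positional diff on top of this.
    """
    base_lines = {ln.strip() for ln in baseline.splitlines() if ln.strip()}
    cur_lines = {ln.strip() for ln in current.splitlines() if ln.strip()}
    return {"added": sorted(cur_lines - base_lines),
            "removed": sorted(base_lines - cur_lines)}


def classify(diff: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Turn raw diff lines into (severity, message) findings for an alert pipeline."""
    findings: List[Tuple[str, str]] = []
    for line in diff["added"]:
        if line.startswith("username ") and "privilege 15" in line:
            findings.append(("CRITICAL", f"new privileged account: {line}"))
        elif line.startswith(MANAGEMENT_PREFIXES) and line.endswith(" outside"):
            findings.append(("CRITICAL", f"management access opened on outside interface: {line}"))
        elif line.startswith(HIGH_RISK_PREFIXES):
            findings.append(("HIGH", f"added: {line}"))
        else:
            findings.append(("INFO", f"added: {line}"))
    for line in diff["removed"]:
        if line.startswith("logging "):
            findings.append(("CRITICAL", f"logging reduced: {line}"))
        elif line.startswith(HIGH_RISK_PREFIXES):
            findings.append(("HIGH", f"removed: {line}"))
        else:
            findings.append(("INFO", f"removed: {line}"))
    return findings


if __name__ == "__main__":
    for severity, message in classify(config_diff(BASELINE_CONFIG, TAMPERED_CONFIG)):
        print(f"[{severity}] {message}")
```

Because the implant reaches the firewall through its console port rather than the network, the baseline has to be fetched and stored by something the firewall itself cannot alter, and the comparison must treat a silently removed `logging host` line as seriously as an added account. Cisco ASA also lets an operator disable the password-recovery procedure the implant relies on (`no service password-recovery`), at the cost of wiping the configuration if the password is ever genuinely lost, so that trade-off belongs in the same change-control discussion.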
Elkins's work was preceded by an attempt to reproduce far more precisely the kind of hardware hack Bloomberg described in its supply chain hijacking scenario. As part of research presented at the Chaos Computer Conference in December, independent security researcher Trammell Hudson built a proof of concept on a Supermicro circuit board that tried to mimic the hacking technique described in the Bloomberg story. That meant embedding a chip on the Supermicro motherboard that could access its baseboard management controller (BMC), a component that allows remote management and would give a hacker deep control over the target server.
Hudson formerly worked at Sandia National Laboratories and now runs his own security consultancy. He found a spot on the Supermicro board where he could replace a tiny resistor with his own chip to alter data flowing in and out of the BMC in real time, the very attack Bloomberg described. He then used a field-programmable gate array (FPGA), a reprogrammable chip sometimes used to prototype custom chip designs, to act as the malicious interception component.
Hudson's FPGA measures less than 2.5 square millimeters, only slightly larger than the 1.2 mm resistor it replaces on the Supermicro board. But in true proof-of-concept style, he says, he didn't actually try to hide the chip; he attached it to the board with a tangle of wiring and crocodile clips. Hudson believes, however, that a real attacker with the resources to make custom chips, which could cost tens of thousands of dollars, could mount a far more covert attack, creating a chip that performs the same BMC tampering function but is much smaller than the resistor. The result, Hudson said, could be as little as 1 percent of a square millimeter, far smaller than what Bloomberg described.
"It's not a difficult task for an adversary who wants to spend money," Hudson said.
"We don't need to comment further on false reports from more than a year ago," Supermicro said in a statement.
But Elkins said his firewall-based attack is far less complicated: it doesn't need a custom chip at all, just a $2 one. "Don't dismiss this attack just because you think someone needs a chip manufacturer to make it," Elkins said. "Basically, any electronics enthusiast can make a version of this at home."
Both Elkins and Hudson stressed that their work does not confirm Bloomberg's story of a supply chain attack that implanted microchips in devices. They don't even consider it likely to be a common attack; both researchers pointed out that traditional software attacks usually give hackers the same level of access, if not necessarily the same stealth.
But Elkins and Hudson agree that hardware-based espionage through supply chain hijacking is a technological reality, and one that is easier to carry out than many security managers around the world realize. "I want people to realize that chip implants are not what they think they are. They're fairly simple," Elkins said. "If I can do that, people with budgets of hundreds of millions may have been doing it for some time."