More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The NSA dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for "most overhyped bug" and "most epic fail." And no follow-up reporting has yet affirmed its central premise.
But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off—just a motivated hardware hacker with the right access and as little as $200 worth of equipment.
At the CS3sthlm security conference later this month, security researcher Monta Elkins will show how he created a proof-of-concept version of that hardware hack in his basement. He intends to demonstrate just how easily spies, criminals, or saboteurs with even minimal skills, working on a shoestring budget, can plant a chip in enterprise IT equipment to offer themselves stealthy backdoor access. (Full disclosure: I'll be speaking at the same conference, which paid for my travel and is providing copies of my forthcoming book to attendees.) With only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online, Elkins was able to alter a Cisco firewall in a way that he says most IT admins likely wouldn't notice, yet would give a remote attacker deep control.
"We think this stuff is so magical, but it's not really that hard," says Elkins, who works as "hacker in chief" for the industrial-control-system security firm FoxGuard. "By showing people the hardware, I wanted to make it much more real. It's not magical. It's not impossible. I could do this in my basement. And there are lots of people smarter than me, and they can do it for almost nothing."
Elkins used an ATtiny85 chip, about 5 millimeters square, that he found on a $2 Digispark Arduino board; not quite the size of a grain of rice, but smaller than a pinky fingernail. After writing his code to that chip, Elkins desoldered it from the Digispark board and soldered it to the motherboard of a Cisco ASA 5505 firewall. He used an inconspicuous spot that required no extra wiring and would give the chip access to the firewall's serial port.
-- submitted from IRC
(Score: 2, Touché) by Anonymous Coward on Monday October 14 2019, @08:46AM (3 children)
Sounds a bit like an Al-qaida or ISIS training camp what you describe here.
(Score: 3, Insightful) by Runaway1956 on Monday October 14 2019, @10:00AM (2 children)
It does, doesn't it? Or, most any military or paramilitary organization. And, that is pretty much what is described in the article. They want to send someone to surreptitiously install some chips into specific, targeted mainboards. There is little to indicate whether these chips will be installed at a warehouse, in transit, at the customer's facility, or maybe even at the manufacturer's plant. But, yes, some specially trained person is supposed to gain access, get the job done quickly, and get out without being discovered, OR having the chip discovered by casual inspectors.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2) by Reziac on Tuesday October 15 2019, @02:39AM (1 child)
Disguise it as a capacitor, and install it at whatever point you can get access. Make the reasonable assumption that no one counts stuff that's present in groups, even if they know how many are supposed to be there. I don't know if it's possible to put your chip inside a capacitor, but surely it could be hidden inside some other legit chip, or under the CPU socket, or...
My guess is at-the-factory is the point of risk, where it could be worked into the design specs.
And there is no Alkibiades to come back and save us from ourselves.
(Score: 2) by DannyB on Tuesday October 15 2019, @04:04PM
It's more than just the design specs.
In high school days decades ago I had a job sweeping, trash, etc, at a company that made some of the early dual chamber smoke alarms. These devices were made by a group of mostly women who were skilled at soldering. They would mount a circuit board, grab and place various components from bins into holes in the board, solder all those components in place. The finished boards went into bins, that went to other rooms for final assembly of the units. Then burn in testing, packaging, etc.
Now in modern manufacturing, done by machines, a new chip would require altering the manufacturing process to accommodate this new chip. Even if the board were not designed for the chip (eg, holes, circuit traces, etc), some step in the process must pick the new chip from a bin, attach it to the board, and solder its wires to connections. This new chip does not get onto the board and connected by magic.
Now maybe by "design specs" this could mean all of the documentation about how the board is assembled. The BOM (bill of materials) would include this extra chip. It would be purchased in bulk, a bin of those chips would exist along with all other bins of parts that go onto each board. The connections would all be neatly labeled. Humans, or programmed robots, would add this special chip, and connect it just like all other parts. The people putting the boards together (or setting up the robots to do it) would have little understanding of how the board or its parts actually work. They are simply skilled at putting them together. (or "programming" the robots)
Santa maintains a database and does double verification of it.