For $200, a hacker can break a hardware firewall with a microchip

More than a year ago, Bloomberg Businessweek seized the attention of the network security world with an explosive story: Advanced Micro Devices motherboards in servers used by Apple, Amazon and other large technology companies had been quietly implanted with a chip the size of a grain of rice, which let hackers spy deep inside those networks. Apple, Amazon and Supermicro all strongly denied the report. The NSA said it was a false alarm. A world hacker conference gave it two "security Oscars": the award for "most exaggerated vulnerability" and the award for "most epic failure." No follow-up reporting has confirmed the claims it made.

But even though the facts of that story remain unconfirmed, the security community has warned that the kind of supply chain attack it describes is all too real. After all, according to the leaks of whistleblower Edward Snowden, the US National Security Agency has been doing similar things. Now researchers have gone further, demonstrating how easily and cheaply a tiny, hard-to-detect spy chip can be planted in a company's hardware supply chain. One of them has shown that it does not even take a state-funded spy agency to pull it off: a motivated hardware hacker with the right access and as little as $200 worth of equipment is enough.

At the CS3sthlm security conference later this month, security researcher Monta Elkins will show how he built a proof-of-concept version of this hardware hack in his basement. He intends to demonstrate how easily spies, criminals or vandals with even minimal skills can, on a low budget, plant a chip in enterprise IT equipment to give themselves stealthy backdoor access. (Full disclosure: I will be speaking at the same conference, which paid for my travel expenses and is providing copies of my forthcoming book to participants.) With only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online, Elkins was able to alter a Cisco firewall in a way that he says most IT administrators probably would not notice, yet that can give a remote attacker deep control.

"We think these things are so magical, but it is not difficult," said Elkins, who is "chief hacker" at the industrial control system security company FoxGuard. "By showing the hardware to people, I want to make it more real. It's not magic, but it's not fantasy. I can do it in my basement. There are a lot of people smarter than me, and they can hardly make money on it."

A fingernail in the firewall

On a $2 Digispark Arduino board, Elkins found an ATtiny85 chip with an area of about 5 square millimeters. It is not the size of a grain of rice, but it is smaller than the nail of a little finger. After writing his code to the chip, Elkins removed it from the Digispark board and soldered it to the motherboard of a Cisco ASA 5505 firewall. He put it in an inconspicuous spot that needed no additional wiring and gave the chip access to the firewall's serial port.

The figure below shows how hard the chip is to spot amid the complexity of a firewall board, even on the ASA 5505's relatively small board, which measures 6 by 7 inches. Elkins said he could have used a smaller chip but finally chose the ATtiny85 because it is easier to program. He said he could also have hidden his malicious chip more cleverly inside one of the several RF shielding "cans" on the firewall board, but he wanted to be able to show the chip's position at the CS3sthlm conference.

The bottom of the Cisco ASA 5505 firewall board; the red oval marks the 5 mm square chip Elkins added.

Elkins programmed his small chip to launch its attack as soon as the firewall boots up in a target's data center. The chip poses as a security administrator who has connected a computer directly to that port to access the firewall's configuration. It then triggers the firewall's password recovery feature, creates a new administrator account and gains access to the firewall's settings. Elkins said he used the Cisco ASA 5505 in his experiment because it was the cheapest firewall he found on eBay. But he said the method will work on any Cisco firewall that offers this kind of recovery function in case a password is lost. Cisco said in a statement: "We are committed to transparency and are investigating the researcher's findings. If new information is found that customers need to pay attention to, we will communicate it through normal channels."

Elkins said that once the malicious chip has access to these settings, his attack can change the firewall's configuration so that a hacker can access the device remotely, disable its security features, and read its logs to see all the devices connected to it, none of which would alert the administrator. "Basically, I can change the configuration of the firewall, make it do anything I want," Elkins said. He added that with more reverse engineering it would also be possible to reprogram the firewall's firmware, turning it into a more complete foothold for monitoring the victim's network, though his proof of concept does not yet go that far.
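The changes described above (a new administrator account, opened remote access, silenced logging) show up as configuration drift, so a defender can compare the live configuration against a trusted baseline kept off the device. The sketch below is an added example, not code from Elkins, Cisco or the original article; the account names, hashes and addresses are constructed, and it assumes the configurations are available as text in ASA running-config style.

```python
# Constructed samples in Cisco ASA running-config style; names and hashes are placeholders.
BASELINE = """\
username netadmin password HASH_PLACEHOLDER_1 encrypted privilege 15
logging enable
logging host inside 10.0.0.5
ssh 10.0.0.0 255.255.255.0 inside
"""
LIVE = """\
username netadmin password HASH_PLACEHOLDER_1 encrypted privilege 15
username support password HASH_PLACEHOLDER_2 encrypted privilege 15
ssh 0.0.0.0 0.0.0.0 outside
"""

# Commands that decide who can administer the device and what it records.
SENSITIVE = ("username ", "ssh ", "telnet ", "http ", "logging ", "aaa ")

def sensitive_lines(config):
    """Whitespace-normalized lines that affect admin access or logging."""
    lines = (" ".join(raw.split()) for raw in config.splitlines())
    return {line for line in lines if line.startswith(SENSITIVE)}

def account(line):
    """Return the account name for a 'username ...' line, else None."""
    parts = line.split()
    return parts[1] if parts[0] == "username" and len(parts) > 1 else None

def audit(baseline, live):
    """Diff live config against a trusted baseline; return sorted (severity, finding) pairs."""
    old, new = sensitive_lines(baseline), sensitive_lines(live)
    known = {account(line) for line in old} - {None}
    findings = []
    for line in new - old:
        name = account(line)
        if name and name not in known:
            findings.append(("HIGH", f"new account: {name}"))
        elif name:
            findings.append(("HIGH", f"credentials or privilege changed: {name}"))
        elif " 0.0.0.0 0.0.0.0 " in line:
            findings.append(("HIGH", f"management open to any address: {line}"))
        else:
            findings.append(("MEDIUM", f"added: {line}"))
    for line in old - new:
        severity = "HIGH" if line.startswith("logging ") else "MEDIUM"
        findings.append((severity, f"removed: {line}"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(BASELINE, LIVE), sep="\n")
```

A configuration read back from the device is only as trustworthy as the firmware reporting it, so this check covers the configuration-level changes and not a reprogrammed firmware.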

A speck of dust

Elkins' work follows an earlier attempt to reproduce more precisely the kind of hardware hack Bloomberg described in its supply chain hijacking scenario. As part of research presented at the Chaos Computer Conference last December, independent security researcher Trammell Hudson built a proof of concept for a Supermicro board that tried to imitate the techniques described in the Bloomberg story. That meant planting a chip on a Supermicro motherboard where it could reach the baseboard management controller, or BMC, the component that allows remote administration and so gives a hacker deep control of the target server.

Hudson worked in the past for Sandia National Laboratories and now runs his own security consulting firm. He found a spot on the Supermicro board where he could replace a tiny resistor with his own chip and so alter the BMC's data in real time, which is the kind of attack Bloomberg described. He then used a field-programmable gate array (a reprogrammable chip sometimes used for prototyping custom chip designs) to act as the malicious intercepting component.

Hudson's FPGA, at less than 2.5 mm² in area, was only slightly larger than the 1.2 mm resistor it replaced on the Supermicro board. But in true proof-of-concept style, he said, he made no real attempt to hide the chip and instead connected it to the board with a bunch of wires and alligator clips. Hudson believes, however, that a real attacker with the resources to manufacture custom chips, which might cost thousands of dollars, could carry out a far subtler attack by creating a chip that performs the same BMC-tampering function while occupying a much smaller area than the resistor. Hudson said the result could be as small as a hundredth of a square millimeter, far smaller than the grain of rice Bloomberg described.

Hudson said: "For a competitor who wants to spend money, this is not a difficult task."

Advanced Micro Devices said in a statement: "We do not need to comment further on false reports from more than a year ago."

But Elkins pointed out that his attack on the firewall, though far less sophisticated, needs no custom chip at all; a $2 chip is enough. Elkins said: "Don't think someone needs a chip fab to do this and so dismiss the attack. Basically, any electronics enthusiast can do a version of this at home."

Elkins and Hudson both stressed that their work is not meant to confirm the Bloomberg story about supply chain attacks that implant microchips in devices. They do not even think it is likely to be a common attack; both researchers pointed out that traditional software attacks often give hackers just as much access, although not necessarily with the same stealth.

But Elkins and Hudson agree that hardware-based espionage through supply chain hijacking is still a technical reality, and one that is easier to carry out than many of the world's security administrators realize. "I want people to realize that chip implants are not imaginary. They are fairly simple," Elkins said. "If I can do that, there are hundreds of millions of people who may have had the budget to do it for some time."

Origin www.linuxidc.com/Linux/2019-10/161003.htm