Up to $200!Hackers can crack hardware firewalls with tiny chips

More than a year ago, Bloomberg Businessweek took over the cybersecurity arena with an explosive topic: Supermicro motherboards in servers used by big tech companies like Apple and Amazon were quietly implanted with chips the size of a grain of rice, so hackers could. It is possible to penetrate deep into these networks for espionage. Apple, Amazon and Supermicro have all vehemently denied the report. The NSA claimed it was a false alarm. The World Hacker Conference awarded it two “Security Oscars” for “Most Exaggerated Vulnerability” and “Most Epic Failure”. There has been no follow-up report confirming what it mentions.

But even if the facts of this story have not been confirmed, security services warn that the possible supply chain attack it describes is all too real. After all, according to whistleblower Edward Snowden’s leaks, the NSA has been doing something similar. Now, researchers have gone a step further, showing how tiny, hard-to-detect spy chips can be easily and cheaply implanted in a company’s hardware supply chain. One of the researchers has shown that it doesn’t even require a national government-funded spy agency to implement it — all it takes is an aggressive hardware hacker with the right access rights and equipment worth as little as $200. .

At the CS3sthlm security conference later this month, security researcher Monta Elkins will show how he created a proof-of-concept version of this hardware hack in his basement. He intends to show the world how easily spies, criminals or saboteurs with minimal skills can chip in corporate IT equipment on a low budget to give themselves stealthy backdoor access. (Full disclosure: I will be speaking at the same conference that paid for my travel and provided attendees with copies of my upcoming book.) Ordered only a $150 hot air soldering tool online , a $40 microscope, and some $2 chips, Elkins was able to change the Cisco firewall in some way. He said most IT administrators probably won’t notice it, but it could give a remote attacker deep control.

“We think this stuff is so magical, but it’s not that hard,” said Elkins, “lead hacker” at FoxGuard, an industrial control systems security company. “By showing people this hardware, I hope to make it more real. It’s not magical, and it’s not a fantasy. I can do it in my basement. There are a lot of people smarter than me who can barely It pays to do it.”

nails in the firewall

Elkins found an ATtiny85 chip about 5mm square on a $2 Digispark Arduino board. Not exactly the size of a grain of rice, but smaller than a thin fingernail. After writing the code to this chip, Elkins removed it from the Digispark board and soldered it to the motherboard of the Cisco ASA 5505 firewall. It fits in an inconspicuous place, requires no extra wiring, and gives the chip access to the firewall’s serial port.

The diagram below shows that with the complex firewall board—even with the relatively small 6-by-7-inch firewall board size of the ASA 5505—the chip is hard to spot. Elkins said he could have used a smaller chip, but he settled on the Attiny85 because it was easier to program. He may also have hidden his malicious chip more subtly in one of several RF-shielding “cans” on the firewall board, he said, but he hopes to show the chip’s location at the CS3sthlm conference.

On the bottom of the Cisco ASA 5505 firewall motherboard, the red oval represents a 5mm square chip added by Elkins.

Once the firewall was up in the target’s data center, Elkins programmed his small smuggled chip to attack. It impersonates a security administrator and connects their computer directly to this port to access the firewall’s configuration. The chip then triggers the firewall’s password recovery feature, creates a new administrator account, and gains access to the firewall’s settings. Elkins said he used Cisco’s ASA 5505 firewall in his experiments because it was the cheapest firewall he could find on eBay. But he said any Cisco firewall that offers this kind of recovery in the event of a lost password will work. “We are committed to transparency and are investigating the researchers’ findings. If we discover new information that customers need to be aware of, we will communicate through our normal channels,” Cisco said in a statement.

Once the malicious chip had access to those settings, Elkins said, his attack could change the firewall’s settings, giving hackers remote access to the device, disabling its security features, and allowing hackers to access and see all connected device logs, and these Neither will alert the administrator. “I can basically change the firewall’s configuration to do whatever I want,” Elkins said. Elkins also said that with more reverse engineering, the firewall’s firmware could also be reprogrammed to establish a more comprehensive foothold on the network used to spy on victims, although a proof-of-concept is still in progress.

specks of dust

Before Elkins’ work, he had attempted to more precisely reproduce the kind of hardware hacking that Bloomberg described in its supply chain hijacking scenarios. As part of a research presentation presented last December at the Chaos Computer Conference, independent security researcher Trammell Hudson built a proof-of-concept for a Supermicro circuit board that attempts to mimic the techniques of the hacker described in a Bloomberg story. That means implanting a chip on a supermini motherboard with access to its baseboard management controller, or BMC, a component that allows remote management, giving hackers deep control over a targeted server.

Hudson used to work at Sandia National Laboratories and now runs his own security consulting firm. He found a spot on the Super Micro Board where he could replace a tiny resistor with his own chip, allowing him to update the BMC’s data in real time, exactly the kind of attack Bloomberg describes. He then used a so-called field-reprogrammable gate array, a type of reprogrammable chip sometimes used to prototype custom chip designs, to act as a malicious interception component.

“It’s not going to be a difficult task for an adversary who wants to spend money,” said security researcher Trammell Hudson.

Hudson’s FPGA is less than 2.5mm square, only slightly larger than the 1.2mm resistors it replaces on the supermini board. But in true proof-of-concept style, he said, he didn’t actually try to hide the chip, but instead used a bunch of wiring and alligator clips to connect it to the board. However, Hudson believes that a real attacker with the resources needed to make a custom chip — which could cost tens of thousands of dollars — could carry out a more stealthy attack, creating a more stealthy attack than a resistor that performs the same BMC tampering function. A chip with a much smaller floor area. The result could even be just one hundredth of a square millimeter, Hudson said, far smaller than what Bloomberg says is the size of a grain of rice.

“It’s not a difficult task for an adversary who wants to spend money,” Hudson said.

“There is no need for us to comment further on the false reports that were reported more than a year ago,” Supermicro said in a statement.

But Elkins points out that his firewall-based attack is far less sophisticated than that custom chip at all, just a $2 chip. “Don’t take this attack lightly because you think someone needs a chip factory to make this kind of chip,” Elkins said. “Basically, any electronics hobbyist can make a version of this at home.”

Both Elkins and Hudson stressed that their work was not intended to corroborate Bloomberg’s story of supply chain attacks on microchips implanted in devices. They don’t even think it could be a commonplace attack; both researchers point out that traditional software attacks can often give hackers the same amount of access, though not necessarily with the same stealth.

But both Elkins and Hudson argue that hardware-based espionage through supply chain hijacking remains a technical reality and easier to achieve than many of the world’s security administrators realize. “I want people to realize that chip implants aren’t what they’re supposed to be. They’re pretty simple,” Elkins said. “If I can do that, someone with a budget of a few hundred million has probably been doing it for a while.”

The Links:   LM150X08-A4NA LP150X09-A3K1