Last year Bloomberg Businessweek claimed that Supermicro motherboards, the same motherboards used by Apple and Amazon, had been stealthily implanted with a chip the size of a grain of rice to allow Chinese hackers to spy on the network. A lot of people said this was fake news. Supermicro, Apple and Amazon all denied the report, the NSA dismissed it as fake news, and the Defcon hacker conference even gave the report an award for ‘most epic fail’. Until now, no follow-up report has confirmed the possibility that it might actually be true.
Before we go into the specifics of the actual chip (that does exist), let’s first look at some of the facts. According to information leaked by Edward Snowden, the NSA has already been doing supply chain attacks for years. Security experts say that a device like this is entirely possible and should not be dismissed so easily.
“It’s not magical. It’s not impossible. I could do this in my basement.”
MONTA ELKINS, FOXGUARD
Going further than just stating it is possible, security researcher Monta Elkins has proved it by showing how any motivated hacker, even one with minimal skill, could pull this off on a shoestring budget. No state-sponsored spy agency backing or secret government technology is needed.
How is it built?
Elkins will demonstrate at the CS3sthlm security conference this month how he created the hardware in his basement with just $200 worth of equipment. Although the exact process has not yet been revealed, Elkins did state the equipment used was a $40 microscope, $150 soldering tool, and a bunch of $2 chips, all ordered online.
“Basically anyone who’s an electronic hobbyist can do a version of this at home.”
Is it really the size of a grain of rice?
Better: it can be invisible. The chip created would be undetectable by most IT systems and would give the hacker deep control. Here is how the chip looks in real life:
Ok, the example above may be slightly bigger than the grain of rice that Bloomberg claimed, but this chip is smaller than the fingernail on your pinky finger. The ATtiny85 chip is just 5 millimetres square. The chip requires no extra wiring; in the image above, Elkins soldered it directly onto an inconspicuous spot on the motherboard of a Cisco ASA 5505. A smaller chip could have been used, but the ATtiny85 is easier to program, so it is more appealing to less skilled hackers. Elkins could also have hidden the chip more covertly, inside one of the radio-frequency shielding cans on the board, for example, but the placement above was chosen because the chip needed to be visible to show at the CS3sthlm conference.
How much harm can this actually do?
In this example, the tiny undetectable chip was programmed to carry out an attack as soon as the firewall is booted up. It acts as a port directly to that system, gains full access to the firewall and even acts as a security administrator. This firewall setting can offer the hacker remote access to the device, and the hacker can then do whatever they like, including disabling the security features.
This isn’t new either. At a conference last December, Trammell Hudson mimicked the methods of the Chinese hackers as reported by Bloomberg Businessweek and built a proof-of-concept Supermicro board with a tiny reprogrammable malicious chip. Hudson did this by replacing a tiny resistor chip with a chip of his own, enabling him to edit the data coming in and out of the BMC in real time, exactly as Bloomberg reported.
This chip was only a proof of concept, and it is still (only slightly) noticeable, as the original chip was 1.2 millimetres square and Hudson's replacement spy chip was 2.5 millimetres square, slightly bigger. But an adversary willing to spend money on this could have had a custom chip made at the same size, making it much more stealthy.
But what makes Elkins’ hack far more impressive is that it’s just as effective and dangerous but requires very little skill and even less funding: a $2 chip that can be hidden totally!
Supermicro said in a statement:
“There’s no need for further comment about false reports from more than a year ago,”
Elkins and Hudson both stress that supply-chain hijacking via hardware-based espionage is very real, and easier to carry out than most people realise.
If I can do this, someone with hundreds of millions in their budget has been doing this for a while.