Much too easy: Planting a two-dollar spy chip on hardware with a technique that can be pulled off on a less than $200 budget?
Yet that was the work of a proof-of-concept investigation by a security researcher, and tech-watching sites were discussing the story on Monday.
Turns out you can slip a spy chip into any hardware for no more than $198 to $200, said reports.
The spotlight was on security researcher Monta Elkins, Hacker-in-Chief at FoxGuard Solutions, who has built a proof-of-concept version of a hardware implant.
John Dunn, Naked Security, described the chip as bad news for security, were such an attack to happen.
“In fact, this has already happened as part of a project by researcher Monta Elkins, designed to prove that this sort of high-end hardware hack is no longer the preserve of nation-states.”
Elkins now intends to show organizations how easily cyberterrorists can plant one of these spy chips in company IT equipment for backdoor access to their systems, said Tech Times.
Elkins drove home the point that the hack was not magic, and not impossible to pull off.
“I could do this in my basement,” he said in Wired.
“And there are lots of people smarter than me, and they can do it for almost nothing.”
It’s a tiny spy chip. Elkins wrote his code to an ATtiny85 chip smaller than a pinky fingernail and readied it as a spy chip, said Ankush Das, Ubergizmo.
According to Wired, Elkins suggested he could have even used a smaller chip but ATtiny85 looked good because it was easier to program.
The chip, around 5 mm square, came from an Arduino board. He soldered it to the motherboard of a firewall.
(He de-soldered the chip from the board after reprogramming it, said Computing.
The chip was then soldered on to the motherboard of the firewall, giving the chip access to the firewall’s serial port.)
Andy Greenberg in Wired said, “He used an inconspicuous spot that required no extra wiring and would give the chip access to the firewall’s serial port.”
According to the Wired report, Elkins said his attack could change firewall settings to offer remote access to the device, disable its security features, and give the hacker access to the device’s log of the connections it sees, and none of this would alert an administrator.
One might think about Dunn’s other observation: “they’re impossible to see let alone detect once they’re installed inside equipment.”
And getting rid of it? Dunn said, “the fact it depends on hardware might make it impossible to get rid of short of disabling the serial port or removing the chip itself.”
The story in Wired drew particular attention. Andy Greenberg walked readers through the modest costs: A soldering tool, $150; a microscope, $40; and chips ordered online.
What’s the message that Elkins would like to share through his work? Chip implants are relatively straightforward.
“If I can do this, someone with hundreds of millions in their budget has been doing this for a while.”
A Fingernail in the Firewall
Elkins used an ATtiny85 chip, about 5 millimeters square, that he found on a $2 Digispark Arduino board; not quite the size of a grain of rice, but smaller than a pinky fingernail. After writing his code to that chip, Elkins desoldered it from the Digispark board and soldered it to the motherboard of a Cisco ASA 5505 firewall. He used an inconspicuous spot that required no extra wiring and would give the chip access to the firewall’s serial port.
The image below gives a sense of how tough spotting the chip would be amidst the complexity of a firewall’s board – even with the relatively small, 6- by 7-inch dimensions of an ASA 5505.
Elkins suggests he could have used an even smaller chip but chose the ATtiny85 because it was easier to program. He says he also could have hidden his malicious chip even more subtly, inside one of several radio-frequency shielding “cans” on the board, but he wanted to be able to show the chip’s placement at the CS3sthlm conference.
Elkins programmed his tiny stowaway chip to carry out an attack as soon as the firewall boots up in a target’s data center. It impersonates a security administrator accessing the configurations of the firewall by connecting their computer directly to that port.
Then the chip triggers the firewall’s password recovery feature, creating a new admin account and gaining access to the firewall’s settings.
Elkins says he used Cisco’s ASA 5505 firewall in his experiment because it was the cheapest one he found on eBay, but he says that any Cisco firewall that offers that sort of recovery in the case of a lost password should work.
“We are committed to transparency and are investigating the researcher’s findings,” Cisco said in a statement. “If new information is found that our customers need to be aware of, we will communicate it via our normal channels.”
Once the malicious chip has access to those settings, Elkins says, his attack can change the firewall’s settings to offer the hacker remote access to the device, disable its security features, and give the hacker access to the device’s log of all the connections it sees, none of which would alert an administrator.
“I can basically change the firewall’s configuration to make it do whatever I want it to do,” Elkins says. Elkins says with a bit more reverse engineering, it would also be possible to reprogram the firmware of the firewall to make it into a more full-featured foothold for spying on the victim’s network, though he didn’t go that far in his proof of concept.
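The changes described above (a new admin account, remote management opened on an outside interface, logging altered) are exactly the kind of config drift a baseline comparison can surface. The following is an added example, not code from the article or from Elkins’s work; it assumes the running config is fetched out-of-band over the normal management channel, and the baseline and current configs are constructed samples in Cisco ASA syntax.

```python
import re

# Lines the implant described above would have to add to gain remote control:
# interface-scoped management access such as "ssh 0.0.0.0 0.0.0.0 outside".
REMOTE_ACCESS = re.compile(r"^(ssh|telnet|http) \S+ \S+ \S+$")
# "username NAME password ... privilege 15" grants full administrative rights.
ADMIN_USER = re.compile(r"^username (\S+) .*privilege 15$")

def parse(config: str) -> dict:
    """Index the config lines that matter for this attack chain."""
    lines = {l.strip() for l in config.splitlines() if l.strip()}
    admins = set()
    for line in lines:
        m = ADMIN_USER.match(line)
        if m:
            admins.add(m.group(1))
    remote = {line for line in lines if REMOTE_ACCESS.match(line)}
    return {"admins": admins, "remote": remote, "lines": lines}

def drift(baseline: str, current: str) -> list:
    """Return human-readable findings for changes an implant would make."""
    b, c = parse(baseline), parse(current)
    findings = []
    for user in sorted(c["admins"] - b["admins"]):
        findings.append(f"new privilege-15 account: {user}")
    for line in sorted(c["remote"] - b["remote"]):
        findings.append(f"new remote management path: {line}")
    for line in sorted(b["lines"] - c["lines"]):
        if line.startswith("logging "):
            findings.append(f"logging setting removed: {line}")
    return findings

# Constructed sample configs (not from the article): a known-good baseline and
# the same device after an implant's password-recovery routine has run.
BASELINE = """
username netops password Hashed1234 encrypted privilege 15
ssh 10.0.0.0 255.255.255.0 inside
logging enable
logging host inside 10.0.0.50
"""
CURRENT = """
username netops password Hashed1234 encrypted privilege 15
username svc_backup password Hashed5678 encrypted privilege 15
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
logging enable
"""
```

Because the chip acts at boot, run the comparison after every reboot as well as on a schedule, and pull the config through the management channel rather than the console the implant sits on.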
Paul Lilly in HotHardware thought that “this is something companies need to be on the lookout for, particularly big ones that operate massive data centers and cloud computing infrastructures.”
A substantial number of reader responses turned up in Ars Technica, reacting to the report there.
Readers sent in pro and con arguments about whether or not such an exploit was easy to pull off.
They asked if it was entirely plausible a person within the supply chain could alter the design.
One reader wrote, “Now, some may scoff at the notion of someone breaking into a high security facility, Mission: Impossible style, and soldering the chip on – this is doable but not very likely.
However, a factory operating on behalf of a state actor or someone else with a good bribe, could easily do this.
In all likelihood they already are. And no, nobody checks their router or server down to the smallest black dot on the motherboard against the official blueprints (and where would you get them from)! As a rule – if something can be done, it is being done.”
Also, a reader comment in Ars Technica pointed out that “this isn’t about breaking into a datacenter to plant the chip. But about having access to the hardware before it’s even shipped to the datacenter and put something that can’t be detected or prevented with normal methods.”
Elkins will present his proof-of-concept attack at the CS3sthlm security conference later this month in Sweden.
This is a summit on security in SCADA and industrial control systems. The event dates are October 21 to 24.