The tiny ATtiny85 chip doesn’t look like the next big cyberthreat facing the world, but sneaking one on to a firewall motherboard would be bad news for security were it to happen.
In fact, this has already happened as part of a project by researcher Monta Elkins, designed to prove that this sort of high-end hardware hack is no longer the preserve of nation-states.
Elkins soldered the 5mm x 5mm ATtiny85 chip from an Arduino board to his test firewall’s circuit board just in front of the system’s serial port.
After reading his account of the proof of concept in Wired, it’s not hard to grasp why soldering tiny chips to circuit boards is a threat – they’re impossible to see, let alone detect, once they’re installed inside equipment.
The proof of concept is also cheap, requiring little more than some knowhow, access to the supply chain of current products, and a few hundred dollars for parts.
Rumours of secret chips, or secret interfaces on legitimate chips, have long been the stuff of legend, but the implication of Elkins’ work is that anyone could now do this.
The admin will serial you now
The hack that can be achieved by Elkins’ chip is simple but powerful. When the firewall boots up:
It impersonates a security administrator accessing the configurations of the firewall by connecting their computer directly to that port. Then the chip triggers the firewall’s password recovery feature, creating a new admin account and gaining access to the firewall’s settings.
With that level of access, a firewall would be putty in the paws of an attacker, who could configure it to allow remote access or disable security.
Even if that access were detected, the fact it depends on hardware might make it impossible to get rid of short of disabling the serial port or removing the chip itself.
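The attack chain described above leaves a recognisable sequence in a firewall’s own logs: a boot, a console session on the serial port, the password recovery feature being invoked, and a new admin account appearing, all within seconds. The following detection script is an added example written for this article, not code from Elkins or from any firewall vendor; the log lines are constructed and their wording is invented, so the patterns would need adapting to a real product’s syslog format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines from a hypothetical firewall "fw1"; the
# message wording is invented for this example, not taken from any product.
SAMPLE_LOG = """\
2019-10-10T08:00:01 fw1 kernel: system boot complete
2019-10-10T08:00:04 fw1 console: serial console session opened on ttyS0
2019-10-10T08:00:06 fw1 auth: password recovery procedure invoked from console
2019-10-10T08:00:09 fw1 auth: account 'svc_backup' created with role admin
2019-10-10T09:15:22 fw1 sshd: accepted publickey for ops from 10.0.0.5
2019-10-11T08:00:01 fw1 kernel: system boot complete
2019-10-11T08:45:00 fw1 auth: account 'auditor' created with role admin
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>[^:]+): (?P<msg>.*)$")
ACCOUNT_RE = re.compile(r"account '(?P<name>[^']+)' created with role admin")

# How soon after boot a console-driven recovery counts as suspicious.
# An implanted chip acts within seconds of power-on; a human admin rarely does.
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one syslog line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_boot_time_recovery(log_text, window=WINDOW):
    """Return alerts for hosts where, within `window` of a boot, the serial
    console was opened, password recovery was invoked, and an admin account
    was then created.

    Per-host state machine: boot -> console opened -> recovery invoked ->
    admin account created. Only the full chain inside the window raises an
    alert, so an admin creating an account later in the day does not.
    """
    state = {}   # host -> {"boot": datetime, "console": bool, "recovery": bool}
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host, ts, msg = rec["host"], rec["ts"], rec["msg"]
        if "system boot complete" in msg:
            state[host] = {"boot": ts, "console": False, "recovery": False}
            continue
        s = state.get(host)
        if s is None or ts - s["boot"] > window:
            continue  # outside the post-boot window: not this pattern
        if "serial console session opened" in msg:
            s["console"] = True
        elif "password recovery procedure invoked" in msg and s["console"]:
            s["recovery"] = True
        else:
            m = ACCOUNT_RE.search(msg)
            if m and s["recovery"]:
                alerts.append({
                    "host": host,
                    "boot_time": s["boot"],
                    "seconds_after_boot": int((ts - s["boot"]).total_seconds()),
                    "account": m.group("name"),
                })
    return alerts


if __name__ == "__main__":
    for a in find_boot_time_recovery(SAMPLE_LOG):
        print(f"ALERT {a['host']}: admin account '{a['account']}' created "
              f"{a['seconds_after_boot']}s after boot via console password recovery")
```

Run against the constructed sample, the first boot produces one alert (account `svc_backup`, eight seconds after boot) while the second boot, where an admin account is created 45 minutes later with no console recovery, stays silent. The point of keying on the full chain rather than on any single event is to keep legitimate recoveries and routine account changes out of the alert queue; in practice the log collector should be off-box, since a chip with admin access could otherwise clean up after itself.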
It’s not a kind of attack that would scale well, requiring hackers to physically solder chips to boards for every compromised device they wanted to subvert.
Then again, one firewall – the right firewall – is all it would take to aid a major network incursion.
Supermicro
As Wired reminds us, the story echoes Bloomberg’s allegation last year that the Chinese Government had inserted spying chips inside equipment made by Supermicro.
No evidence has yet been found to stand up Bloomberg’s claim, but it did at least underline the possibility that someone might try to do such a thing.
Elkins, meanwhile, will give more detail on his PoC at this month’s CS3sthlm conference.
Is it likely that the average firewall has an Elkins-style spy chip in it? Almost certainly not, mainly because there are so many other easier ways to compromise equipment, for example by exploiting misconfiguration or software vulnerabilities, or through credential theft.
But if that possibility comes to pass, stopping it won’t be easy, requiring as-yet-to-be-invented hardware authentication at firmware level.
Just what admins need – another layer of security to watch over.
epic_null
Maybe chip scanning programs are a coming feature: the manufacturer uploads an image of the correct firewall, you scan inside your firewall, and then it automatically highlights any discrepancies.
smash591
This is where machines must become self-aware. The ability to utilize as-yet-to-be invented hardware authentication at firmware level will be required in the near future. Just like you would know if you woke up with an extra toe or belly button.
Gabriel
Really makes you think twice about buying any used components, don’t know what the person selling it has done. Plus, the SuperMicro incident also makes you question new ones. I’m guessing detailed component maps need to be released and examined until Skynet makes the components self-aware.
Tom Van Alst
This is going to be a real challenge for admins to detect, since all physical admin access is granted via PS/2, serial, USB or Ethernet during and after the kernel / OS is loading. Sending a break command within a short few seconds after boot load allows access without login credentials or default login. Developers and manufacturers should create a special hardware and software dongle to test circuits for any additional bus line signal that is outside of the manufacturer’s specs.
Anthony Maw
I would suspect such a hack might be more likely done by the American CIA and NSA working in cahoots with American hardware manufacturers than Chinese companies who have a motivation not to jeopardize their market shares.
anthonymaw
I’d be more inclined to believe soldering miniature spy chips is more of a stunt that the American NSA and CIA would do in cahoots with American computer electronics manufacturers for the “export versions”. The sensational but unsubstantiated Bloomberg article that the Chinese manufacturers are doing this just feeds the passions of certain peoples of Neanderthal extraction.
Mahhn
You should learn more about the extent of China’s hacking teams. They dwarf the NSA. And most of our computer stuff is made there, so it’s already been made available to them. US spooks want user data, China spooks want industrial data as well as gov and users.