Proof-of-Concept Spy Chips?

A proof-of-concept supply chain attack using off-the-shelf parts suggests that it might not be as difficult as we all previously thought.

Alasdair Allan
5 years ago · Security

Back at the tail end of last year Bloomberg published a piece called “The Big Hack,” claiming that a supply chain attack originating in China had affected almost 30 companies, including Apple, Amazon, and Super Micro. The story was immediately, and vehemently, denied by pretty much everyone, with Tim Cook, Apple’s CEO, calling for the story’s retraction.

In the days following the story an official at the National Security Agency went as far as to declare, “We’re just befuddled.” But despite the denials, and no evidence of the hack surfacing in any of the follow-up reporting, or in any of the independent audits that followed, Bloomberg stood by their story.

They even submitted it for an award, and promoted the reporter who wrote it. In the end it did get an award: the Defcon hacker conference awarded the story two Pwnie Awards, for “most overhyped bug” and “most epic fail.” That probably wasn’t what Bloomberg was looking for when they published.

Although nobody could find any evidence to suggest ‘The Big Hack’ was really happening, nobody denies that the idea of a supply chain hack is possible. In fact, it’s pretty much the worst possible nightmare scenario when it comes to security, because there’s no way to fix things other than to burn everything to the ground and start again. Which isn’t going to help for most people.

However, while most of us argued that a supply chain attack was possible, we also argued that it was unlikely to happen in real life because of the difficulty involved in actually carrying it out.

But at the CS3sthlm security conference, which will be held later this month in Stockholm, Sweden, security researcher Monta Elkins, the “Hacker-in-Chief” for FoxGuard Solutions, will present a proof-of-concept attack that can be implemented on a budget of under two hundred dollars and carried out on your lab bench at home.

Although this isn’t the first proof-of-concept attempt to replicate the attack, it is the first to reproduce the attack while ‘successfully’ hiding the additional chip. Elkins took a Microchip ATtiny85 from a Digispark board and programmed it to carry out an attack. He then desoldered it from the Digispark board and soldered it onto the motherboard of a Cisco ASA 5505 ‘security appliance,’ giving it access to the server’s serial port.

This allows the programmed chip to ‘impersonate’ a security administrator accessing the server directly via the serial port, and to trigger password recovery, allowing it to create a new administrator account with access to the server’s settings. Remote access to the server can then be enabled, compromising the server’s security and exposing a company data center to attack.

While this proof-of-concept ‘supply chain’ attack doesn’t provide any evidence that last year’s Bloomberg story was true, and Elkins has gone out of his way to indicate that, it does go to show that a supply chain attack isn’t as hard as a lot of us previously thought it might be. It doesn’t need a custom chip, or any expensive hardware beyond a hot air solder station, and that’s worrying.

[h/t: Wired]
