Installing a hardware "implant" can cost as little as $200

Tomcat



Software attacks surprise no one today; at the very least, we have learned how to deal with them. Unfortunately, the feasibility of hardware attacks has now been demonstrated conclusively. Moreover, the complexity and cost of such a procedure turn out to be small: it is within reach of anyone who can handle a soldering iron and a chip programmer.

Stories of implants and backdoors in computer hardware have circulated for a long time. Far from all of them have any basis, although in some cases remote-management mechanisms do have vulnerabilities that an experienced attacker may well exploit.

In 2018, a scandal erupted when Bloomberg reported that Supermicro boards might carry a tiny chip that was not part of the design. This "modification" allegedly affected about 30 companies. However, all the "victims" stated in unison that there were no extra chips in their equipment, and Supermicro even commissioned an independent study. The US government, however, believes that such attacks may be the work of the Chinese military.

Sepio Systems, a company specializing in hardware security, had earlier confirmed that such hardware implants exist and that its experts have already come across them. In particular, it described a case involving a server from the same Supermicro, in which a malicious chip was embedded in the traces leading to the Ethernet port. Its activity could be detected by atypical network traffic, but the specialists were unable to fully determine what data the device was transmitting or processing.

Hardware Implants: Myth or Reality?

So how much does such a hardware modification cost, and can it be carried out by someone other than intelligence services and other organizations with practically unlimited resources? Enthusiasts have carefully tested the possible methods and shown that such an operation is feasible. Researcher Monta Elkins promised to give a detailed description of this type of attack at the CS3sthlm conference, held October 21-24 in Stockholm.

Elkins claims that there is nothing especially complicated about it and no special skills are required: any sufficiently motivated attacker, be it a spy, a hacker or a member of a criminal group, can equip the server or network device of interest with the appropriate modification. For an experienced hacker who is at home not only with software but also with a soldering iron, such an operation will cost only $200, equipment included.

Digispark ATtiny85: donor board for the implant chip. The upper IC is the controller.

Of that, a hot-air soldering station costs $150, another $40 goes to a microscope, and the chips used for the attack can cost as little as $2 apiece. The author of the upcoming talk managed to modify a Cisco firewall in such a way that, in his opinion, most system administrators would not notice the tampering.

For the chip, Elkins chose the Atmel ATtiny85 8-bit microcontroller from the Digispark Arduino board. This IC is not as small as the "grain of rice" from the Bloomberg article, but its dimensions in the SOIC-8 package are only 4 × 5 mm. At the same time, the controller, running at 16.5 MHz, is a fairly capable device.

The researcher chose a spot on the Cisco ASA 5505 motherboard that requires no additional wires and installed the chip there, having first loaded it with the appropriate firmware. Elkins says this modification is possible for other Cisco devices as well. The company, for its part, said: "If new information is found that our customers need to know, we will communicate it through normal communication channels."

Tampered Cisco ASA 5505 motherboard. The "extra" chip is in the lower left corner.

As the picture shows, spotting the extra IC at a glance is not so easy, even though the example uses a fairly small and not very complex motherboard. Soldered carefully, the chip looks as if it was installed at the factory and attracts no attention at all. Elkins argues that a far more covert installation is possible, as is the use of smaller ICs. He chose the ATtiny85 simply for its ease of programming.

The controller is soldered to the serial port pins. After the device is powered on, the chip waits for the firewall OS to boot and then simulates the actions of a human operator: it initiates the password recovery procedure, then creates a new administrator account and thereby gains access to all device settings. The rest depends on the attacker's intentions: full remote access to the system, disabling all security settings, access to network logs and other data.

TinyFPGA AX2: costs $19; the Lattice XO2-1200 FPGA measures 2.5 × 2.5 mm

Another researcher, Trammell Hudson, has also confirmed the feasibility of a hardware attack. He reproduced the Supermicro scenario and attached to the BMC, the controller responsible, among other things, for remote management of the system. As the "malware" Hudson chose a tiny FPGA with an area of only 2.5 mm², placing it in the position of one of the resistors on the motherboard. Most likely he used a Lattice XO2-1200.

Thus, the feasibility of hardware attacks on a variety of IT equipment has now been fully demonstrated and confirmed. The most dangerous aspect is that almost any sufficiently experienced enthusiast can carry one out, even without serious funding. Cybersecurity companies have a lot of work ahead of them in the coming years. Even ordinary users can be advised to inspect their devices thoroughly for the presence of "extra" chips.
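The behaviour described above, an implant on the console port that drives the password recovery procedure and then adds an administrator account, leaves two kinds of evidence a defender can look for: privileged account creation from the physical console within seconds of boot, and an account in the saved configuration that nobody on the team created. The script below is an added example and is not code from the post or from any of the researchers named in it. It assumes the shape of Cisco ASA syslog messages 199002 (startup), 111008 and 111010 (command execution); the log lines and configuration snippet are constructed by hand, not captured from a real device, so the regular expressions should be checked against the wording of the firmware actually in use.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not captured from a real device). They imitate
# the shape of Cisco ASA messages 199002 (startup) and 111008/111010 (commands).
SAMPLE_SYSLOG = """\
Oct 22 09:00:01 fw1 %ASA-6-199002: Startup completed. Beginning operation.
Oct 22 09:00:09 fw1 %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
Oct 22 09:00:12 fw1 %ASA-5-111010: User 'enable_15', running 'CLI' from IP 'console', executed 'username svc_maint password ***** privilege 15'
Oct 22 09:00:14 fw1 %ASA-5-111008: User 'enable_15' executed the 'write memory' command.
Oct 22 11:30:00 fw1 %ASA-5-111010: User 'alice', running 'CLI' from IP '10.0.0.5', executed 'username bob password ***** privilege 15'
"""

# Constructed snippet of a saved configuration, used for the drift check below.
SAMPLE_RUNNING_CONFIG = """\
hostname fw1
username alice password ***** privilege 15
username svc_maint password ***** privilege 15
"""

# Generic syslog prefix: timestamp, host, %ASA-<severity>-<message id>: body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# A 'username ...' command issued from the physical console (assumed wording)
CONSOLE_USERNAME_RE = re.compile(r"from IP 'console', executed 'username (?P<user>\S+)")
BOOT_MSGID = "199002"
YEAR = 2019  # syslog timestamps carry no year; assumed only so they parse


def _parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def find_console_accounts_after_boot(syslog_text, window_seconds=900):
    """Return (username, seconds_after_boot) for every account created from the
    physical console within window_seconds of the most recent startup message.
    A human operator rarely does this; a keystroke-injecting implant does it
    every time the box boots."""
    last_boot = None
    findings = []
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = _parse_ts(m.group("ts"))
        if m.group("msgid") == BOOT_MSGID:
            last_boot = ts
            continue
        c = CONSOLE_USERNAME_RE.search(m.group("body"))
        if c and last_boot is not None:
            delta = int((ts - last_boot).total_seconds())
            if 0 <= delta <= window_seconds:
                findings.append((c.group("user"), delta))
    return findings


def find_unexpected_accounts(config_text, expected_users):
    """Return usernames in a saved configuration that are not on the allowlist.
    This catches the planted account even if no syslog was ever emitted."""
    present = set(re.findall(r"^username (\S+)", config_text, re.MULTILINE))
    return sorted(present - set(expected_users))


if __name__ == "__main__":
    print(find_console_accounts_after_boot(SAMPLE_SYSLOG))
    print(find_unexpected_accounts(SAMPLE_RUNNING_CONFIG, {"alice"}))
```

The two checks deliberately overlap. A syslog-based detection depends on the device having a logging destination configured at the moment the commands run, and the password recovery session itself typically starts with the saved configuration not yet applied, so the first check may see only the later, post-recovery activity or nothing at all. The configuration-drift check does not care how the account got there: compare the saved configuration against the roster of accounts the team actually provisioned, ideally from a copy stored off the device, and any extra entry is worth a physical look at the board.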