Supply chain attack: spy chips can be soldered easily and cheaply

Just over a year ago, Bloomberg magazine reported an attack on Supermicro's supply chain. According to the report, microchips had been added to the motherboards after the design stage, with which data could be read from the servers and code injected. Bloomberg presented no evidence. Now security researchers have been able to show that introducing spy chips is possible with simple means. The equipment needed cost $200, an amount that could make such an attack attractive not only to government hackers but also to criminals, as the magazine Wired reports.

Security researcher Monta Elkins wanted to show how easy it is to plant a backdoor in hardware. To solder the chip on, all you need is a microscope, a hot-air soldering station and the chip itself, he reports. The cost is under $200. Elkins used the $2 ATtiny85 microcontroller, which is used, among other things, on Digispark Arduino boards. The chips described by Bloomberg were said to be about the size of a grain of rice. With a diameter of about 5 millimeters, the ATtiny85 is slightly larger and therefore easier to spot. Elkins could have used a smaller chip as well, but opted for the ATtiny85 because it was easy to program, he told Wired.

The spy chip in the hardware firewall

As a proof-of-concept, he soldered the chip onto the motherboard of a Cisco ASA 5505 hardware firewall. He chose an inconspicuous spot where the chip could be connected directly to the serial interface, without additional cabling. Once the firewall boots, the chip carries out a pre-programmed attack: it imitates an administrator who has connected a computer directly to the serial port, triggers the firewall's password recovery procedure, creates a new admin account and thereby gains access to the firewall's settings. According to Elkins, password recovery works the same way on other Cisco firewalls; he chose the ASA 5505 only because it was the cheapest on eBay.

According to Elkins, the chip then changes the firewall settings to allow access over the Internet, so that an attacker can log in remotely, configure the firewall as they see fit, disable security settings or view logs. Any hobbyist can do the soldering, says Elkins. With his proof-of-concept he wanted to show that such attacks are realistic, simple and cheap.

Proof-of-concept for Supermicro board

Security researcher Trammell Hudson also succeeded in developing an FPGA chip with a diameter of less than 2.5 millimeters, placing it on a Supermicro motherboard and using it to gain access to the Baseboard Management Controller (BMC). This interface allows remote control and monitoring of the server and is also said to have been used by the spy chips in the Bloomberg report. "For an attacker with enough financial resources, the attack is not particularly complicated," says Hudson.

With their proofs-of-concept, both researchers show that introducing spy chips is possible, and in Elkins' case that it need be neither complicated nor expensive. Although this proves that the attacks described by Bloomberg are feasible in principle, it does not prove the report itself, as both security researchers emphasize. The National Security Agency (NSA) also uses software and hardware implants to attack servers and computers. To deploy a hardware implant, the NSA intercepts parcels in the mail, solders the monitoring chips on, and then forwards the parcel to the recipient. According to the Snowden documents, placing such an implant on the motherboards of PowerEdge servers costs $500.