Then it’s discuss how a microcontroller attached to the serial port of Cisco networking equipment can be used to reconfigure the equipment to allow access.
Given that the purpose of the serial port is reconfiguring the device, this is unsurprising.
They used a small commodity microcontroller. It’s not sitting on a footprint. It’s just bodies onto the PCB. It’s quite obvious from inspecting the board...
So... what’s the point of this article? If you have physical access to the hardware you can make a small but obvious change to the PCB? I’m not even sure where the $200 comes from. The part costs <50 cents. It’s so big many people could solder it by eye (I have in the past, and was soldering a similar pitch part last night using an iPhone as a magnifier).
So... this level of modification has been possible for at least 20 years. It’s pretty obvious, and is about a days work...
What I would have been a little more interested in seeing is a part placed on an existing footprint. I’ve actually done this myself. Maybe I should have billed it as security research...
Beyond that, I’d be interested in knowing how easy it is to get hold of dies are repackage them additional microcontrollers. This would mean there’s no physical visible difference on the PCB. But even this could be detected as automated XRay inspection is not uncommon.
Ultimately... if you are a state level actor. You have better and less easily detectable options than this.
But god damn, the paranoid person inside me can't let it go. It sounds like such an easy thing to do for such an amazing payoff. And of course both accused have a massive incentive to not disclose a vulnerability such as this one. Hell, the higher-ups might not even know about it if the company has gone through efforts to maintain plausible deniability in scenarios like this.
So, supply chain security is poor, and getting backdoored parts into the supply chain is a realistic possibility. Bunnie has a good recent talk on this.
The question in my mind, is is it worth the risk of detection. Particularly when other methods are less traceable, more easily deniable.
Specifically he says that adding an IC to the board doesn’t make sense. And that embedding something in an existing package/device is possible.
This is very different to what is described in the article being discussed here, and much more complex.
The Bloomberg article seems largely inaccurate in any case. I don’t think it’s worth using as a motivation for any security work.
Or something like this:
But a nearly magic rice-grain part with a microcontroller and networking?? You could make a fortune in IOT with something that capable.
Talking about fake items, fake items surely could have fake drivers, but even legitimate items could introduce fake (as in "unofficial") drivers. I think people are maybe naturally more paranoid of something that is "an intrusion". I think the unreasonable human element is when you perceive an intrusion that was not. As in: "They have hacked me look, my screen is blue!"
Given this, we have to believe that Apple, Amazon etc lied about this, knowing that there would be massive amounts of physical evidence easily available to rivals and security researchers, any of which could prove they were lying at any moment. Why on earth would they take such an insane and unnecessary risk?
I don't understand how spending tens of millions on making a custom chip design so that you can replace a resistor as a backdoor is an easy thing to do. Most surface mount components have standard form factors. You can just replace entire chips and it is also very easy to simply add a back door to the firmware but a rice grain sized backdoor chip? Come on. That's just some journalist's method of making a lot of money through ad revenue.
"With only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online, Elkins was able to alter a Cisco firewall in a way that he says most IT admins likely wouldn't notice, yet would give a remote attacker deep control."
(I don't agree that $200 is realistic, but TFA does at least justify the number)
It ignore the labour, high level engineering and resources needed to execute a supply chain attack like this.
If you’re looking at the time costs, as I’d estimate this would take maybe a day or two. The time/human resource cost isn’t that right either.
But.. I’m just not sure what the point of the article is...
The article breaks out the $200, most of it was a $150 hot air soldering iron. The chip used was taking off a $2 board, so yes, the chip was literally pocket change at best.
I mean, this quote is a pretty stellar example:
"Elkins says with a bit more reverse engineering, it would also be possible to reprogram the firmware of the firewall to make it into a more full-featured foothold for spying on the victim's network, though he didn't go that far in his proof of concept."
With a bit more effort, the researcher could make the chip wireless, very difficult to find, could enable it to reflash the bootloader, and could also include an embedded microphone!
But they didn't. (because that would actually be hard)
That whole story was just to easily - and too quickly - dismissed by the major companies...
The problem with that story was that it claimed that such an attack was in progress, while citing no sources and presenting no credible evidence. Using stock photos of unrelated components and basing part of the article on an interview where the expert explicitly speculated on the possibilities and not an actual attack didn't inspire confidence in Bloomberg reporting either.
That said if someone is interested in a specific target or small set of targets, this is a really stealthy way of compromising a system. I would be shocked if every major international spy agency hasn't at least tried this.
USB/Ethernet sockets with implants etc
The US hold a big share of the electronic's intellectual property. Most of the tools used to design silicon chips are proprietary, and it would be trivial for the NSA to implant hardware backdoors without anybody knowing it, and it would be very difficult for the public to audit this hardware.
I think this is exactly why Huawei routers were not trustworthy.
Detecting malware is child's play, now if they want to not be detected, they need to target the hardware. Even if you know your hardware has a backdoor, it becomes too expensive or impossible to patch it.
Always wondered why wifi chips always used binary firmwares? Me too.