Sunday, October 13, 2019

Hardware subversion for cheap.

Something I've been wondering about for a long time is now officially a thing.

More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The NSA dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for "most overhyped bug" and "most epic fail." And no follow-up reporting has yet affirmed its central premise.

But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off—just a motivated hardware hacker with the right access and as little as $200 worth of equipment.

Here's what was actually done:

With only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online, Elkins was able to alter a Cisco firewall in a way that he says most IT admins likely wouldn't notice, yet would give a remote attacker deep control.

"We think this stuff is so magical, but it's not really that hard," says Elkins, who works as "hacker in chief" for the industrial-control-system security firm FoxGuard. "By showing people the hardware, I wanted to make it much more real. It's not magical. It's not impossible. I could do this in my basement. And there are lots of people smarter than me, and they can do it for almost nothing."

Elkins used an ATtiny85 chip, about 5 millimeters square, that he found on a $2 Digispark Arduino board; not quite the size of a grain of rice, but smaller than a pinky fingernail. After writing his code to that chip, Elkins desoldered it from the Digispark board and soldered it to the motherboard of a Cisco ASA 5505 firewall. He used an inconspicuous spot that required no extra wiring and would give the chip access to the firewall's serial port.

The article goes on to explain the exploit in some detail. Short version, wiring a pre-programmed ATtiny onto the motherboard of a router is a piece of cake. Its not the smallest or cheapest thing that could be used either, just the one this guy found convenient.

Okay, so now I want you to imagine some guy soldering something the size of kosher salt to a motherboard in your Tesla. He's now got remote access to everything electronic in there. Which is -everything-. Door locks to steering and brakes, all electronic control.

Pretty bad, right? Now make your car a transport truck. Much worse. How about an airplane? Instant cruise missile.

Somebody out there is thinking about this, I guarantee you. Probably a lot of them.

What's your defense? Manual controls.

The Phantom 

1 comment:

  1. Overgrown HobbitMonday, October 21, 2019

    You might enjoy Death Truck

    https://tempestinateardrop.com/2019/09/03/death-truck/

    ReplyDelete