At the CS3sthlm security conference in Stockholm, Sweden later this month, security researcher Monta Elkins, the "Hacker-in-Chief" at FoxGuard Solutions, will demonstrate a proof-of-concept hardware hack involving spy chips implanted onto enterprise IT equipment, with a budget of less than $200.
The idea of implanting spy chips onto hardware is not new. Back in 2018, an explosive Bloomberg Businessweek article claimed Chinese spies had installed malicious microchips the size of a grain of rice on Supermicro hardware at the supply chain level, creating a "stealth doorway into any network that included the altered machines."
This was concerning because (A) of how difficult it would be to detect something like this, and (B) how many companies use Supermicro, including Apple and Amazon. Incidentally, Supermicro denied finding evidence of any spy chips, and both Apple and Amazon did as well.
The report's claims were later shrugged off by the NSA and deemed "overhyped" at the Defcon hacker conference. Be that as it may, the concept of using spy chips is a disturbing one, and apparently possible with a big investment, according to Elkins.
The security researcher created his proof-of-concept hardware kit using a $150 hot-air soldering too, $40 microscope, and a few $2 chips he ordered online. This equipment in hand, Elkins modified a Cisco firewall in a way that would give a remote attacker deep control of a network, and do so in a way that would likely go unnoticed by the majority IT admins, according to Elkins.
"We think this stuff is so magical, but it’s not really that hard," Elkins told Wired. "By showing people the hardware, I wanted to make it much more real. It’s not magical. It’s not impossible. I could do this in my basement. And there are lots of people smarter than me, and they can do it for almost nothing."
Creating A Spy Kit Using Off-The-Shelf Parts
The chip at the heart of this proof-of-concept is an ATtiny85. It measures around 5mm squared, so it's larger than a grain of rice, but small enough to not stick out like a sore thumb. He plucked the chip from a $2 Digispark Arduino board after having written code to it, and implanted it onto the motherboard of a Cisco ASA 5505 firewall.
Elkins says he could have used an even smaller chip, but notes the ATtiny85 is easier to program. In this case, he programmed it to attack a network right when the firewall boots up. It essentially impersonates a security administrator, then enables remote access to the affected server.
This proof-of-concept does not mean last year's startling report was accurate. However, it does indicate this is something companies need to be on the lookout for, particularly big ones that operate massive data centers and cloud computing infrastructures.