Proof-of-concept supply-chain poisoning: tiny, undetectable hardware alterations could compromise corporate IT

A little over a year ago, Bloomberg stunned the world with a report that claimed that Chinese intelligence services had figured out how to put undetectable, rice-grain-sized hardware implants into servers headed for the biggest US cloud and enterprise companies, and that when some of the victims discovered this fact, they quietly ripped out whole data-centers and replaced all their servers.

The story was all the more infamous because it prompted rare, detailed denials from the companies involved, like Apple, who have historically dealt with bad news and leaks with parsimonious, closed-lipped denials. Then came the hardware experts and security experts who delved deep into the implausibility of Bloomberg’s story, though some highly reputable experts did admit that supply chain attacks were a grossly underrated risk with potentially catastrophic outcomes.

A year later, we still don’t know what happened: how did all those nameless senior officials and ex-officials from big IT/tech companies end up telling Bloomberg the same story, especially if that story turns out to be false. The idea that a bunch of rival tech execs would cook up a conspiracy to defraud Bloomberg is, if anything, even weirder and more implausible than the idea that Chinese spooks were poisoning Supermicro’s servers and raiding data from Big Tech’s supposedly impregnable data-vaults.

That kind of Kremlinology is hard to investigate: all the facts are held by secretive giants (and maybe Chinese spies). Barring leaks, we’re just left proffering unfalsifiable theories about which conspiracy took place.

On the other hand, the plausibility of a hardware implant is much easier to investigate. Security researchers have been building proof-of-concept hardware implants for enterprise hardware and presenting them at security conferences. Late last year, Trammell Hudson presented a Supermicro implant at Germany’s Chaos Communications Congress, revealing a spot on Supermicro’s board where you could swap out a tiny resistor and replace it with an FPGA that could compromise the remote administration capabilities of the baseboard management controller.

Now, Foxguard’s Monta Elkins is about to present further work at the CS3sthlm conference in Stockholm, demonstrating a hardware implant on an enterprise Cisco firewall, using a 5mm ATtiny85 controller he removed from a $2Digispark Arduino board. The implant fits neatly — and very inconspicuously — on the mainboard of a Cisco ASA 5505 firewall. Moreover, Elkins says he deliberately made choices that could compromise the implant, for the sake of easy presentation: if he’d hidden the chip inside a radio-shielding can, it would have been even harder to detect — likewise, he could have used an even smaller controller, but it would have been harder to program.

Elkins’s implant uses the board’s serial port to recover the firewall’s password, login as its admin, and open a pathway for a hacker’s intrusion to the network. And as both Elkins and Hudson have pointed out, this is with stock hardware: a custom chip designed for this kind of thing would be much smaller and more powerful.

Neither researcher claims to have validated Bloomberg’s article, but both have demonstrated that supply chain attacks are certainly possible and potentially catastrophic.

Elkins and Hudson both emphasize that their work isn’t meant to validate Bloomberg’s tale of widespread hardware supply chain attacks with tiny chips planted in devices. They don’t even argue that it’s likely to be a common attack in the wild; both researchers point out that traditional software attacks can often give hackers just as much access, albeit not necessarily with the same stealth.

But both Elkins and Hudson argue that hardware-based espionage via supply-chain hijacking is nonetheless a technical reality, and one that may be easier to accomplish than many of the world’s security administrators realize. “What I want people to recognize is that chipping implants are not imaginary. They’re relatively straightforward,” says Elkins. “If I can do this, someone with hundreds of millions in their budget has been doing this for a while.”

Planting Tiny Spy Chips in Hardware Can Cost as Little as $200 [Andy Greenberg/Wired]

(Image: Monta Elkins)