5331 private links
A new proof-of-concept hardware implant shows how easy it may be to hide malicious chips inside IT equipment. //
At the CS3sthlm security conference later this month, security researcher Monta Elkins will show how he created a proof-of-concept version of that hardware hack in his basement. He intends to demonstrate just how easily spies, criminals, or saboteurs with even minimal skills, working on a shoestring budget, can plant a chip in enterprise IT equipment to offer themselves stealthy backdoor access. (Full disclosure: I'll be speaking at the same conference, which paid for my travel and is providing copies of my forthcoming book to attendees.) With only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online, Elkins was able to alter a Cisco firewall in a way that he says most IT admins likely wouldn't notice, yet would give a remote attacker deep control. //
Elkins used an ATtiny85 chip, about 5 millimeters square, that he found on a $2 Digispark Arduino board; not quite the size of a grain of rice, but smaller than a pinky fingernail. After writing his code to that chip, Elkins desoldered it from the Digispark board and soldered it to the motherboard of a Cisco ASA 5505 firewall. He used an inconspicuous spot that required no extra wiring and would give the chip access to the firewall's serial port. //
Elkins programmed his tiny stowaway chip to carry out an attack as soon as the firewall boots up in a target's data center. It impersonates a security administrator accessing the configurations of the firewall by connecting their computer directly to that port. Then the chip triggers the firewall's password recovery feature, creating a new admin account and gaining access to the firewall's settings. //
Once the malicious chip has access to those settings, Elkins says, his attack can change the firewall's settings to offer the hacker remote access to the device, disable its security features, and give the hacker access to the device's log of all the connections it sees, none of which would alert an administrator.
