Free Republic
Hobbyists can plant hidden spy chips on motherboards for $200
TechSpot | October 13, 2019, 9:42 AM | Isaiah Mayersen

Posted on 10/17/2019 2:37:01 PM PDT by Zhang Fei

Almost a year to the day after Bloomberg reported that the US government, Apple, Amazon, and others had their servers compromised by China, a security researcher has shown a similar hack can be pulled off with $190 worth of tools and a $2 chip.

Citing six senior national security officials and several higher-ups within Apple and Amazon, Bloomberg claimed that the manufacturing facilities constructing Supermicro motherboards had been infiltrated by a branch of China’s People’s Liberation Army. The PLA was reportedly adding a rice grain-sized chip capable of monitoring and altering communications with the motherboard’s BMC (baseboard management controller). The compromised motherboards had allegedly been sold in the tens of thousands to US customers, who could all, theoretically, be leaking their data to China.

Supermicro, Apple and Amazon all denied claims that they’d discovered the chips vehemently, the NSA said the threat was a false alarm, and the debate ended there. Last December, however, the hack was proven possible by Trammell Hudson, who’d found a spot on the Supermicro motherboard where a tiny chip could replace a small resistor and remain unnoticed. He connected a proof-of-concept chip only slightly larger than the resistor through external wires and completed the hack, concluding that anyone with a fab would be able to do a better job and remain undetected.

Monta Elkins, who’s the “hacker-in-chief” for security firm Foxguard, can do it without the budget. Elkins, who’ll be formally presenting his work at the CS3sthlm security conference this month, was able to gain control over a Cisco ASA 5505 firewall server with a chip lifted from a $2 Digispark Arduino board. He assembled his hack using a $150 hot-air soldering tool and a $40 microscope.

"We think this stuff is so magical, but it’s not really that hard," Elkins told Wired.

(Excerpt) Read more at techspot.com ...


TOPICS: Business/Economy; Extended News; Foreign Affairs; News/Current Events
KEYWORDS: amazon; apple; china; huawei; kag; maga; trump

1 posted on 10/17/2019 2:37:01 PM PDT by Zhang Fei

To: central_va; Swordmaker

ping


2 posted on 10/17/2019 2:37:27 PM PDT by Zhang Fei (My dad had a Delta 88. That was a car. It was like driving your living room.)

To: Zhang Fei

If we ever go to war with China they will know our moves before the field-grade officers even get the orders.


3 posted on 10/17/2019 2:40:02 PM PDT by thefactor (yes, as a matter of fact, i DID only read the excerpt)

To: Zhang Fei

For those non-technical, it requires someone to open the box, de-solder devices and then wire in an additional PCB.
It's probably wired into the interface with the keyboard controller for tracking key strokes.

It's actually easier to send someone a gif in email with embedded software to do the same thing.


4 posted on 10/17/2019 2:43:47 PM PDT by Zathras

To: Zathras

Could the Chicoms be making the boards with the chips already installed new from factory?

Is such possible?


5 posted on 10/17/2019 2:48:55 PM PDT by NoLibZone (Only God's or our wrath can save the nation. Voting and posting isn't working.)

To: NoLibZone

“Is such possible?”

Beyond ‘possible’ it is ‘likely’.


6 posted on 10/17/2019 3:02:28 PM PDT by TalonDJ

To: Zathras

$100 will buy you a USB cable which has the ability to inject spyware, key log, etc. and nobody would ever tell it’s any different than a normal cable without cutting it open or x-ray.


7 posted on 10/17/2019 3:03:19 PM PDT by bigbob

To: NoLibZone

Possible to do, yes. Possible to do without Apple or Amazon noticing? Probably not. Could China drop a spy chip into a motherboard that some random consumer buys on Newegg without getting caught? For a while, but someone would eventually notice. I’m sure the NSA has done a similar hack on electronics destined for foreign countries.


8 posted on 10/17/2019 3:03:46 PM PDT by Wayne07

To: Zhang Fei

Building your own computer with a 500 dollar motherboard includes the 200 dollar spy chip.


9 posted on 10/17/2019 3:04:44 PM PDT by Berlin_Freeper

To: Zathras

“It's probably wired into the interface with the keyboard controller for tracking key strokes.”

Actually not. The documented attacks rely on using a Baseboard Management Controller which is a special purpose hardware interface that lets system administrators have direct, hardware level access to a motherboard for maintenance purposes. Apparently people in the server business feel that it is worth the convenience factor to put a hardware level back door into their computers.

And needless to say those same people that think a back door to a server is a good idea, also think some low level scheme to bypass and reset the password is a good idea. After all, don't you leave a key taped to the outside of your house next to the back door? It makes it much more convenient for plumbers, cleaners, electricians, etc. who you hire to work on your house to get in and do their work. And if you are really smart, you make your alarm code 1234 and put a post it note with that information with the key.

I never fail to be amazed by engineers who add some convenience feature and then are surprised that it gets exploited. Even Microsoft and Intel create this kind of back door to keep their OEMs and corporate customers happy.

10 posted on 10/17/2019 4:17:07 PM PDT by freeandfreezing

To: Wayne07

System manufacturers already put in a back door for the convenience of their customers. No need for the spy chip from China, it's already a "feature".

Look at the fun stuff you can do from a Baseboard Management Controller

11 posted on 10/17/2019 4:20:24 PM PDT by freeandfreezing

To: Zhang Fei

The chip will still stand out like a sore thumb in QUALITY ASSURANCE REVIEW of the product.

Just because this guy can add it to the board does NOT mean the $2 chip can do a damn thing! Being able to place a chip on the motherboard and doing it so it cannot be found are two entirely different things. A video QA scan of that hacked board, something every manufacturer does, would red flag that board immediately. I could spot it with my bare eye as something not designed to be on the board even if they had not put a red circle around it.


12 posted on 10/17/2019 5:33:51 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplaphobe bigot!)

To: Wayne07

Ok. Thank you.


13 posted on 10/17/2019 5:38:37 PM PDT by NoLibZone (Only God's or our wrath can save the nation. Voting and posting isn't working.)

To: Swordmaker

[A video QA scan of that hacked board, something every manufacturer does, would red flag that board immediately. I could spot it with my bare eye as something not designed to be on the board even if they had not put a red circle around it.]


QA people can be bought or coerced. This *is* China, where the Party literally has the power to summarily kill anyone it chooses, and journalists are disappeared for reporting inconvenient facts.


14 posted on 10/17/2019 5:40:39 PM PDT by Zhang Fei (My dad had a Delta 88. That was a car. It was like driving your living room.)

To: Zhang Fei
Keep in mind the Bloomberg article last year was a hoax from a single source who was flogging his company’s hardware/software products designed to supposedly find surreptitiously placed chips on logicboards. . . his company was desperately trying to create a need for their product. No one in the industry, after examining thousands of the accused logic boards and servers even found a single example of a compromised board with a spurious chip on it. Not one.

In this case, we are talking about a seven year old, obsolete, double sided board that has long been replaced by an IC which handles its functions. . . who is going to open up the IC and stick this bulky chip inside it in a modern system?

Hell, we were adding chips with additional function to Commodore 64 motherboards back in the early 1980s using this same technique, just a bit sloppier. This is nothing new or revolutionary!

15 posted on 10/17/2019 5:50:36 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplaphobe bigot!)

To: Zhang Fei

Pong


16 posted on 10/17/2019 5:50:41 PM PDT by keving (We the government)

To: Swordmaker

“something every manufacturer does”

Only for high volume stuff. I have had to fight to get X-ray, clamshells, and boundary scans for every board that I’ve been part of qualifying over the last 20 years.

Due to volumes of 1000 or less a year on things like MRIs, CTs, etc the cost is too high for the business to justify. I work in a regulated industry and later stage testing in a higher level assembly is considered acceptable - though I have been able to show time and time again that it does not provide anywhere near full test coverage.


17 posted on 10/17/2019 5:53:03 PM PDT by reed13k (For evil to triumph it is only necessary that good men do nothing)

To: reed13k

Forgot to say ... it’s still difficult if they intend to use the PCB as the circuit since the board has to be relaid out to accommodate the extra chip...unless they are using manual solders and wire jumpers which means that it becomes exceptionally easy to spot....and also less reliable. Also means more people are involved and it’s not a pick and place machine operation.


18 posted on 10/17/2019 5:55:52 PM PDT by reed13k (For evil to triumph it is only necessary that good men do nothing)

To: Zhang Fei

“QA people can be bought or coerced. This *is* China, where the Party literally has the power to summarily kill anyone it chooses, and journalists are disappeared for reporting inconvenient facts.”

QA is done not just by the manufacturer/assembler, but also by the designer/customers as well. As I wrote on the original thread when Bloomberg’s article came out with its accusation about a specific line of server logicboards imported and sold by a California company, they had designed and engineered them from scratch, and every board was QA’d in California on arrival to their reference boards, and tested completely before shipping to the companies that made servers. Those companies also did QA checks. Amazon, through its AWS due diligence, was a customer of one of the server makers as was Apple, and they BOTH did QA on them. In fact, Amazon wound up BUYING both companies! They stated then that there was no way a spurious chip could have been snuck onto the motherboards and been overlooked by their QA. The NSA looked into these reports and found nothing.

Bloomberg itself did NOT publish any photos of an in situ chip on a motherboard, instead accepted their source’s word. They cited "experts" saying "if this was done, here’s how it could be done" quotations. . . But no one was willing to say it was done.

19 posted on 10/17/2019 6:04:13 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplaphobe bigot!)

To: Swordmaker

“Hell, we were adding chips with additional function to Commodore 64 motherboards back in the early 1980s using this same technique, just a bit sloppier. This is nothing new or revolutionary!”

Everything is so tiny now, it was so much easier in the old days. I modified my Apple II in 1979, replacing the ROM sockets with EPROM sockets with piggybacked chips within the sockets because the pinouts were different, and reprogrammed EPROMs with my own subroutines and boot programs. Instant on, no boot disk necessary. I can't imagine modifying modern motherboards, my eyes aren't so good now.

20 posted on 10/17/2019 6:10:10 PM PDT by roadcat

