This seems not terribly interesting to me. The article motivates itself the allegations of devices embedded in supermicro products saying “But even as the facts of that story remain unconfirmed...”. But it’s not that the facts as unconfirmed, as far as I can tell there was literally no supporting evidence and the story didn’t really make much sense.
Then it’s discuss how a microcontroller attached to the serial port of Cisco networking equipment can be used to reconfigure the equipment to allow access.
Given that the purpose of the serial port is reconfiguring the device, this is unsurprising.
They used a small commodity microcontroller. It’s not sitting on a footprint. It’s just bodies onto the PCB. It’s quite obvious from inspecting the board...
So... what’s the point of this article? If you have physical access to the hardware you can make a small but obvious change to the PCB? I’m not even sure where the $200 comes from. The part costs <50 cents. It’s so big many people could solder it by eye (I have in the past, and was soldering a similar pitch part last night using an iPhone as a magnifier).
So... this level of modification has been possible for at least 20 years. It’s pretty obvious, and is about a days work...
What I would have been a little more interested in seeing is a part placed on an existing footprint. I’ve actually done this myself. Maybe I should have billed it as security research...
Beyond that, I’d be interested in knowing how easy it is to get hold of dies are repackage them additional microcontrollers. This would mean there’s no physical visible difference on the PCB. But even this could be detected as automated XRay inspection is not uncommon.
Ultimately... if you are a state level actor. You have better and less easily detectable options than this.
Honestly, the Supermicro story makes me uneasy. Yes, both accused corporations rebuffed the story. Yes, there was no real evidence or any follow-up to justify the story.
But god damn, the paranoid person inside me can't let it go. It sounds like such an easy thing to do for such an amazing payoff. And of course both accused have a massive incentive to not disclose a vulnerability such as this one. Hell, the higher-ups might not even know about it if the company has gone through efforts to maintain plausible deniability in scenarios like this.
I think the fact that fake components regularly make their way into the supply chain should be more of a concern than the supermicro story.
So, supply chain security is poor, and getting backdoored parts into the supply chain is a realistic possibility. Bunnie has a good recent talk on this.
You don't even need fake chips. Many servers come with out of band remote management. Some of them even hijack the built-in Ethernet port. Even many Intel CPUs have it built in. You can get by with just a software hack. Bundling a reverse telnet or similar would likely be trivial if you had access to the manufacturer.
bunnie himself says near the end of the presentation that he believes that something happened with supermicro but that the details were deliberately obfuscated by the usgov sources for the story
Yeah Occam's razor says your efforts would be much better spent on flashing custom firmware than a retrofit. That or a deliberate backdoor built into the chip from the ground up.
Did you see the post recently about System 76's laptops that will soon have open source hardware drivers?
Talking about fake items, fake items surely could have fake drivers, but even legitimate items could introduce fake (as in "unofficial") drivers. I think people are maybe naturally more paranoid of something that is "an intrusion". I think the unreasonable human element is when you perceive an intrusion that was not. As in: "They have hacked me look, my screen is blue!"
What makes me doubt the story is that these boards should be all over the place. If you did sneak parts into the supply chain, you’d have no control over where they went, so there should be dozens, perhaps hundreds of companies, government bodies, etc with these things.
Given this, we have to believe that Apple, Amazon etc lied about this, knowing that there would be massive amounts of physical evidence easily available to rivals and security researchers, any of which could prove they were lying at any moment. Why on earth would they take such an insane and unnecessary risk?
Why would Amazon have incentive to deny the story if it were true? According to Bloomberg, the issue was discovered at an acquisition while they were doing due diligence, not in their own servers. If it were true, they should be screaming to anyone who would listen about how they're so serious about security that they go to these depths to find threats, and how you can't trust anyone who doesn't.
I think the biggest problem with hardware implants is that you loose plausible deniability with it. For a state actor that seems a big risk. Especially China would have to lose big time as no one would trust their electronics any longer. You can have almost the same gain with a software implant. It's easier to pull off and you get plausible deniability as a bonus.
>It sounds like such an easy thing to do for such an amazing payoff.
I don't understand how spending tens of millions on making a custom chip design so that you can replace a resistor as a backdoor is an easy thing to do. Most surface mount components have standard form factors. You can just replace entire chips and it is also very easy to simply add a back door to the firmware but a rice grain sized backdoor chip? Come on. That's just some journalist's method of making a lot of money through ad revenue.
X-ray inspection is usually only looking for solder bridges and voids. You aren't really looking at dies unless you have a really good x-ray and actually are concerned about the integrity of the chip. Counterfeit parts end up in designs all the time. They could be knockoff versions that still work or just random parts relabeled. Even these are really only x-rayed as a last resort.
I use very good PCB inspection xrays and ct scanners, and it is critical to use energy levels which do not resolve the silicon, e.g. are not absorbed by the die. Otherwise, it is frustratingly easy to give the part a total ionizing dose which breaks it.
I wouldn't want to use an xray to do more than verify the die is the same shape and has the same wirebond layout.
"With only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online, Elkins was able to alter a Cisco firewall in a way that he says most IT admins likely wouldn't notice, yet would give a remote attacker deep control."
(I don't agree that $200 is realistic, but TFA does at least justify the number)
That is like saying <insert app here> only cost $99 to develop (cost of apple dev account). Or suxnet cost $2.50 (the cost of a cheap 2gb USB pen drive)
It ignore the labour, high level engineering and resources needed to execute a supply chain attack like this.
Right, so I’m not sure what the purpose of the cost estimate is. To show you don’t need expensive tools? If that’s the case, then 200USD is massive over-estimate. You only need a soldering iron, and the parts.
If you’re looking at the time costs, as I’d estimate this would take maybe a day or two. The time/human resource cost isn’t that right either.
But.. I’m just not sure what the point of the article is...
The article breaks out the $200, most of it was a $150 hot air soldering iron. The chip used was taking off a $2 board, so yes, the chip was literally pocket change at best.
I found your hack (http://41j.com/blog/2016/09/mirrorswitch/) very interesting. Enough to pop open a dumb switch I had laying around...
RTL chipset. Googled the DS in 2 minutes. What do you know... VLANs, port mirroring, IGMP snooping, ACLs and an embedded 8051!
The entire article is a guy doing a serial port hello world on a slightly more "advanced" arduino. This, like a good chunk of security research, is designed to generate press first and foremost, but isn't really an educational or useful piece unless you didn't know what a serial port was or that soldering was possible.
I mean, this quote is a pretty stellar example:
"Elkins says with a bit more reverse engineering, it would also be possible to reprogram the firmware of the firewall to make it into a more full-featured foothold for spying on the victim's network, though he didn't go that far in his proof of concept."
With a bit more effort, the researcher could make the chip wireless, very difficult to find, could enable it to reflash the bootloader, and could also include an embedded microphone!
But they didn't. (because that would actually be hard)
The Supermiro story was quite fascinating and I absolutely believe in its feasibility. We know that China attempts to hack into American security and government systems, so it raises a very valid fear that a company like Huawei could, and likely would, do something like this.
That whole story was just to easily - and too quickly - dismissed by the major companies...
Nobody claimed that it's impossible to have hardware implants in principle. You can find papers that predate the Bloomberg story and discuss much more advanced approaches than what was presented there.
The problem with that story was that it claimed that such an attack was in progress, while citing no sources and presenting no credible evidence. Using stock photos of unrelated components and basing part of the article on an interview where the expert explicitly speculated on the possibilities and not an actual attack didn't inspire confidence in Bloomberg reporting either.
As the article mentions, there probably aren't a lot of instances of this, given that software exploits are often easier to implement. And once discovered, can be re-used hundreds of not millions of times very easily.
That said if someone is interested in a specific target or small set of targets, this is a really stealthy way of compromising a system. I would be shocked if every major international spy agency hasn't at least tried this.
The US hold a big share of the electronic's intellectual property. Most of the tools used to design silicon chips are proprietary, and it would be trivial for the NSA to implant hardware backdoors without anybody knowing it, and it would be very difficult for the public to audit this hardware.
I think this is exactly why Huawei routers were not trustworthy.
Detecting malware is child's play, now if they want to not be detected, they need to target the hardware. Even if you know your hardware has a backdoor, it becomes too expensive or impossible to patch it.
Always wondered why wifi chips always used binary firmwares? Me too.
Huawei routers and equipment are not trustworthy because they are literally insecure at a firmware level. If you want an interesting read check out the Finite State’s “Supply Chain Assessment” of Huawei’s IoT and networking devices[0] released back in June. The latest episode of Enterprise | Security Weekly, “Please Don’t Go - ESW #156”[1]has Matt Wyckhouse (co-founder and CEO) to discuss the findings and IoT security. You’ll want to go to 1:08:08 to get to it should you opt for the full episode rather then the linked segment.
An intelligence agency put an ad in for a "break-in specialist." The ad promised a very diverse line of work, for a tidy guy who knows how to "cover his tracks." If agencies are putting "ads in the paper" to hire such guys, I don't think it's unreasonable to claim that they also have guys who can covertly plant a chip.
NSA could easily tell these corporations that they have to deny existence & feasibility of such technology. Anyone who takes their word for it is a sheep.
Then it’s discuss how a microcontroller attached to the serial port of Cisco networking equipment can be used to reconfigure the equipment to allow access.
Given that the purpose of the serial port is reconfiguring the device, this is unsurprising.
They used a small commodity microcontroller. It’s not sitting on a footprint. It’s just bodies onto the PCB. It’s quite obvious from inspecting the board...
So... what’s the point of this article? If you have physical access to the hardware you can make a small but obvious change to the PCB? I’m not even sure where the $200 comes from. The part costs <50 cents. It’s so big many people could solder it by eye (I have in the past, and was soldering a similar pitch part last night using an iPhone as a magnifier).
So... this level of modification has been possible for at least 20 years. It’s pretty obvious, and is about a days work...
What I would have been a little more interested in seeing is a part placed on an existing footprint. I’ve actually done this myself. Maybe I should have billed it as security research...
http://41j.com/blog/2016/09/mirrorswitch/
Beyond that, I’d be interested in knowing how easy it is to get hold of dies are repackage them additional microcontrollers. This would mean there’s no physical visible difference on the PCB. But even this could be detected as automated XRay inspection is not uncommon.
Ultimately... if you are a state level actor. You have better and less easily detectable options than this.