More than a year has passed since Bloomberg published an article describing hardware implants that were allegedly found on Supermicro server boards and allowed Chinese hackers to compromise them. Since this equipment is used by large technology companies, including Apple and Amazon, a huge scandal erupted. Representatives of Amazon and Apple rushed to categorically deny Bloomberg's claims, and even the NSA reported that it was a "false alarm." As a result, the whole story was promptly awarded two Pwnie awards: "Most Overhyped Bug" and "Epic Fail."
Although Bloomberg's claims have never been corroborated, the possibility of building such implants certainly cannot be ruled out. So FoxGuard specialist Monta Elkins decided to demonstrate that there is nothing complicated about it, and he will present the results of his work at the CS3sthlm conference at the end of this month. In the meantime, the researcher showed his results to Wired.
To plant the implant in a Cisco firewall, Elkins needed a $150 soldering station, a $40 microscope and a few $2 chips, all of which he ordered online.
“It seems to us that all this is some kind of magic, but in fact it is not so difficult,” says Elkins. “By showing people the hardware, I want to make all this more real. This is not magic. This is not impossible. I could do it in my basement. And there are many people smarter than me who can do this from virtually nothing.”
To build his implant, Elkins used the miniature ATtiny85 chip, which he took from a $2 Digispark Arduino board. After flashing his own code onto the chip, Elkins removed it from the Digispark board and soldered it onto the motherboard of a Cisco ASA 5505 firewall. He placed the chip in an inconspicuous spot that required no additional wiring and gave it access to the serial console (COM) port.
The picture below shows how hard it is to notice such an “extra” chip on the board, even given the relatively small size of the ASA 5505 (6×7 inches). Elkins says he could have used an even smaller chip, but chose the ATtiny85 to simplify the programming part of the experiment.
Elkins programmed the implant to act as soon as the firewall was installed and powered on in the target's data center. The chip impersonates an administrator who has connected a computer directly to the console port to access the firewall's settings. It then triggers the firewall's password-recovery function, creates a new administrator account and gains access to the configuration. From there, the firewall settings can be changed to give attackers remote access to the device.
The researcher explains that he used the Cisco ASA 5505 in his experiment simply because it was the cheapest firewall on eBay, but the attack should work against any Cisco firewall that offers password recovery in this way. Cisco has said that it is already studying Elkins' research and will take measures if necessary.
In essence, Elkins' research continues an earlier experiment by independent information security expert Trammell Hudson. Last year, at the Chaos Communication Congress, Hudson demonstrated a proof-of-concept Supermicro board on which the implants attributed to Chinese hackers were recreated as described in the Bloomberg article: a chip with access to the BMC (baseboard management controller) was installed on the board.
At the same time, both experts stress that they did not try to confirm Bloomberg's story about widespread supply-chain attacks, nor did they claim that such attacks are common in practice. The researchers also note that in most cases traditional software attacks work just as well and give hackers the same level of access. Nevertheless, Elkins and Hudson argue that hardware spying through supply-chain attacks is a reality, and that it is much easier to carry out than many people think.
“I want people to recognize that such implants are not a figment of someone’s imagination. They are relatively simple,” says Elkins. “And if I can do this, it means someone with a budget of hundreds of millions has been doing it for some time.”