Soldering spy chips inside firewalls is now a cheap hack, shows researcher

The tiny ATtiny85 chip doesn’t look like the next big cyberthreat facing the world, but sneaking one on to a firewall motherboard would be bad news for security were it to happen.

In fact, this has already happened as part of a project by researcher Monta Elkins, designed to prove that this sort of high-end hardware hack is no longer the preserve of nation-states.

Elkins soldered the 5mm x 5mm ATtiny85 chip from an Arduino board to his test firewall’s circuit board just in front of the system’s serial port.

After reading his account of the proof of concept in Wired, it’s not hard to grasp why soldering tiny chips to circuit boards is a threat – they’re impossible to see let alone detect once they’re installed inside equipment.

The proof of concept is also cheap, requiring little more than some knowhow, access to the supply chain of current products, and a few hundred dollars for parts.

Rumours of secret chips, or secret interfaces on legitimate chips, have long been the stuff of legend, but the implication of Elkins’ work is that anyone could now do this.

The admin will serial you now

The hack that can be achieved by Elkins’ chip is simple but powerful. When the firewall boots up:

The chip impersonates a security administrator who accesses the firewall’s configuration by connecting a computer directly to that serial port. It then triggers the firewall’s password recovery feature, creating a new admin account and gaining access to the firewall’s settings.

With that level of access, a firewall would be putty in the paws of an attacker, who could configure it to allow remote access or disable security.

Even if that access was detected, the fact it depends on hardware might make it impossible to get rid of short of disabling the serial port or removing the chip itself.
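The boot-time sequence described above (serial-console session, password-recovery trigger, new admin account) is something firewall logs can be watched for. The following is an added illustration, not code from the article or from Elkins: it runs over a constructed syslog excerpt whose format, process names and the 120-second “boot window” are all assumptions, since real firewalls log these events differently.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog, not the output of any real firewall product.
SAMPLE_LOG = """\
2019-10-11T08:00:01 fw01 kernel: system boot complete
2019-10-11T08:00:04 fw01 console: login on ttyS0
2019-10-11T08:00:06 fw01 auth: password recovery procedure invoked via console
2019-10-11T08:00:09 fw01 auth: user 'svc_backup' created with role admin
2019-10-11T09:30:12 fw01 sshd: admin login from 10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
ADMIN_RE = re.compile(r"user '([^']+)' created with role admin")
BOOT_WINDOW = timedelta(seconds=120)  # assumed: how soon after boot counts as suspicious

def parse(log_text):
    """Split each line into (timestamp, host, process, message)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, proc, msg = m.groups()
            events.append((datetime.fromisoformat(ts), host, proc, msg))
    return events

def find_implant_pattern(log_text, window=BOOT_WINDOW):
    """Return (host, account) pairs where a serial-console session, a
    password-recovery trigger and a new admin account all follow a boot
    within `window`, the sequence the implant in the article relies on."""
    alerts, boot_at, seen = [], {}, {}
    for ts, host, proc, msg in parse(log_text):
        if "boot complete" in msg:          # reset per-boot state
            boot_at[host], seen[host] = ts, set()
            continue
        if host not in boot_at or ts - boot_at[host] > window:
            continue                        # outside the boot window
        if proc == "console" and "login on tty" in msg:
            seen[host].add("console")
        elif "password recovery" in msg and "via console" in msg:
            seen[host].add("recovery")
        else:
            m = ADMIN_RE.search(msg)
            if m and {"console", "recovery"} <= seen[host]:
                alerts.append((host, m.group(1)))
    return alerts

if __name__ == "__main__":
    print(find_implant_pattern(SAMPLE_LOG))  # → [('fw01', 'svc_backup')]
```

The same admin-account creation an hour after boot, or one not preceded by a console session and a recovery trigger, produces no alert, so routine administration does not fire the rule.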

It’s not a kind of attack that would scale well, requiring hackers to physically solder chips to boards for every compromised device they wanted to subvert.

Then again, one firewall – the right firewall – is all it would take to aid a major network incursion.

Supermicro

As Wired reminds us, the story echoes Bloomberg’s allegation last year that the Chinese Government had inserted spying chips inside equipment made by Supermicro.

No evidence has yet been found to stand up Bloomberg’s claim, but it did at least underline the possibility that someone might try to do such a thing.

Elkins, meanwhile, will give more detail on his POC at this month’s CS3sthlm conference.

Is it likely that the average firewall has an Elkins-style spy chip in it? Almost certainly not, mainly because there are so many other easier ways to compromise equipment, for example by exploiting misconfiguration or software vulnerabilities, or by using stolen credentials.

But if that possibility comes to pass, stopping it won’t be easy, requiring as-yet-to-be-invented hardware authentication at firmware level.

Just what admins need – another layer of security to watch over.