Planting Tiny Spy Chips in Hardware Can Cost as Little as $200

An anonymous reader shares a report: More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The NSA dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for "most overhyped bug" and "most epic fail." And no follow-up reporting has yet affirmed its central premise.

But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off -- just a motivated hardware hacker with the right access and as little as $200 worth of equipment.

Dupe

[mammothx]

Go back to sleep. Nothing to see here.

Re:

[rtb61]

Actually there is. The most at risk element in tech design is low efficiency cheap capacitors which are much larger than high efficiency cheap capacitors, which of course exist in the energy supply of computers. What you can do is put a high efficiency capacitor in a low efficiency capacitor casing, from the outside everything in fine, on the inside, that space left, is filled with a chip, which can do what ever it is programmed to do. The simplest hack, it waits for a digital encrypted signal to come in on

Re:

[CastrTroy]

How would you send the digitally encrypted signal down the energy supply without it getting messed up as it travelled through the electrical grid? You'd have to be pretty close to the actual system. Also, many high end systems are behind a UPS, which would be difficult to send a signal through as it cleans out the power signal as part of its usual operations.

Re:

[skids]

Wouldn't necessarily have to come in on the power bus. The chip could have RF capabilities.

Re:

[rtb61]

It is not much of a signal, you do realise that and the only reason to encrypt is to create a really random signal, so it is not accidentally triggered and you repeat the signal over and over and over for days. It would obviously be a wireless signal, targeting the receptive capabilities of the various conductive elements of construction. This is not one long signal with instructions, a simple short trigger, that you want to ensure will not to readily be accidentally triggered. So encrypted "Short Now" that

Re:

[garyisabusyguy]

*FNORD*
There is no risk, there is nothing to worry about
The people who bring you these products have no intention of exposing your secrets
What about that Trump (Biden, Hillary, etc...), boy, everybody should be doing something about that
*FNORD*

Re:

[paralumina01]

Are you saying that SMD caps are replaced with a hybrid of SMD cap + IC? How do you handle the signals to and from the IC?

Re:

[LynnwoodRooster]

They are probably thinking about using something like Dallas Semiconductor's 1-Wire system [wikipedia.org]. Of course, the data would be pretty wiped out by all the filtering it would have to endure as the signal supposedly migrates out through the PCBA, local DC power regulation, the AC/DC power supply, and any UPS - before it hits the local transformer...

Re:

[paralumina01]

Oh. I didn't know 1-wire also provided power. Learn something new everyday.

Re:

[LynnwoodRooster]

Yeah, it's a really cool, low-bandwidth system. Really pretty robust as long as there isn't too much capacitance on the power line (which kills the signaling). Low power, low bandwidth - great option.

Re:

[AHuxley]

2X the ads. That keeps the internet working.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[garyisabusyguy]

Everybody needs a back door to their own hardware, but it should be limited to those with physical access

Of course there is a down side to this and what operator would rather muck around in racks to find the right server (i.e. The website is down) when there is a cushy management tool that they can use instead

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mark-t]

One is compelled to ask how an untrusted entity would have acquired physical access to the device in the first place. It bears noting that the answer to *THAT* question, if you can find one, is the actual attack vector, which should be plugged, not mere physical access in the first place.

Physical access trumps root. Always. If you don't believe me, consider the relative ease with which a malicious entity with physical access can create a 100% effective DOS attack that root can do nothing to prevent, i

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Junta]

I suspect the mechanism would be *detectable* if the user went to look for it. It sounds like it would leave a ton of 'mysterious' configuration if you dumped it.

The ability to recover the password through console is the key here. The fact that the password can be reset without otherwise perturbing data or configuration is a risk factor.

The harder part as complexity goes up is assurance that even if the data were cleared, that there is no malicious configuration in a 'clean' setup. There's been a lot of

Re:

[mark-t]

Take out the back door, and that task becomes effectively impossible for the attacker.

The task becomes entirely impossible if they don't have physical access in the first place. I stand by what I said: The vulnerability would be not in having physical back door, but in whatever security policy permitted a malicious agent to access the device.

Not to mention that even with a physical back door, there is still no way for anyone to non-destructively block the activities of otherwise authorized persons who

Re:

[Junta]

They recovered your system from a dumpster after decommissioning.

You had a data volume on a disk that went 'bad' locking out your ability to erase it per a normal decommisioning process, but left it intact enough for a more resourceful scavenger to get at it.

If an adversary can have access to your live running systems, then the point is well taken that you have an impossible problem with respect to denial of service. If your systems are run in such a way a 'decomissioning' process is required to protect se

Re:

[Duh-People-Really]

So how do I control the decommissioning of systems I use in the cloud? Ya know, the ones where I keep all of my corporate assets because managing my own data center is (whiney voice) TOO HARD and I have to hire IT people who think they know more that I do.

Besides, why can't the data center discover that there are "wayward" signals going in an out of the system? Ya know --- I only do business in the Continental US, why are all of these packets going off to China???

Re:

[mark-t]

If you are discarding a device that can compromise your system security, it would be in your best interests to destroy the device before doing so, or at least reset it to factory default settings so that there is nothing useful that anyone can gain from it.

Re:

[skids]

Nit-wits do design a lot of these systems, though. Config-wipe on password reset has been the
de-facto standard for ages, but lately they've been putting in password recovery features
that keep the config and/or flash files that might be backup configs intact. Which is totally
butt-fuck stupid. But even established vendors have been doing it because apparently their
customers don't have a plan for restoring a wiped device with a fresh backup in place and come
to them all frownies when they fall on their face.

Pushback from customers

[Junta]

Problem is that customers get themselves all tied up and blame the vendor when they screw up and lose the password but still need the config.

So vendors are stuck in a difficult place, either design things with proper security and forego repeat business from a client after a client screws themselves over, or accommodate those users and have a backdoor.

Even in general purpose computing equipment, the default is 'rescue-disk' friendly and you have to opt-in to tighter security mechanisms that would break rescu

Re:

[garyisabusyguy]

There are numerous use-cases that break your provided method for re-initialization that I imagine many customers disable it as soon as they hit the brick wall

Re:

[Junta]

This accommodates the value of having a recovery mechanism when password is lost for continued use of the equipment without compromising the data/configuration. It is a pretty sane strategy that can be replicated other places that just isn't replicated enough.

For example, on full grown servers, LUKS with keys sealed to the TPM PCRs. Want to use a boot disk? Sure but you won't be able to decrypt the volume without knowing a recovery password. You want to reuse a system that you don't know? Sure, but you

Re: easy answer

[LostMyBeaver]

Agreed... I thought $200 seemed a bit high. Iâ€(TM)ve bought JTAG cables for $15. In the old days, I would reflash XBox firmware using a $12 heat gun, a $15 roll of copper tape (heat shield) and a $50 flash programmer.

The cost was never the parts. It was the hundreds or thousands of hours learning to disassemble firmware and patch it. 25 years ago, this know-how was pretty common in some circles.

Systems like Cisco are generally more difficult because for some time, Cisco has placed great

Dupe

[Admiral Krunch]

Dupe of this article still on the front page. [slashdot.org]

That's Inflation!

[nagora]

It only cost "pennies" when this story was posted yesterday, now it's two hundred bucks!

Re:

[110010001000]

Canadian dollars.

Re:

[LynnwoodRooster]

Don't be so insulting... It's the Canadian Peso...

Re:

[phantomfive]

Hey, it's Two for the price of One!

Re:

[Solandri]

First article was pennies per device (implantable chip). Second article is $200 of equipment to make the devices. Presumably the difference is because you can use the equipment over and over to make multiple devices. Same way it's worth it for a company to spend $100k on a CNC machine to fabricate $5 parts.

Re:

[omnichad]

The clickbait conversion rate is pretty variable. The currency would be stabilized with the introduction of actual research.

Slashcode

[Areyoukiddingme]

Rather than hire competent editors, the code simply filters application of the 'dupe' tag. Way to go Slashdot.

Hey, Pay Wall!

[thedarb]

At least state the link goes to Pay Walled Wired.