A cybersecurity expert is warning the public about the threat of tiny malicious chips implanted in popular hardware products being used for spying by criminals.
Monta Elkins, a so-called "hacker-in-chief" at cybersecurity firm FoxGuard, has found a way to stealthily place a spy chip into a tech company's hardware supply chain. The supposed hack is so easy to pull off that criminals only need $200 worth of equipment and some know-how to carry it out.
Elkins is scheduled to present his discovery at the CS3sthlm security conference on Monday, Oct. 21, in Stockholm, Sweden.
Easy-To-Create Spy Chips
At the upcoming cybersecurity conference, Elkins plans to show attendees a proof-of-concept version of the hack he was able to create in his basement. It was built using a $150 hot-air soldering tool, a $40 microscope, and $2 microchips that the researcher was able to buy online.
Through these tools, Elkins successfully altered a standard Cisco firewall to give himself remote access to a company's computer system without its IT admins even noticing it.
He now intends to show organizations just how easily cyberterrorists, including those with only minimal skills in IT work and a small budget, can plant one of these spy chips in company IT equipment to provide themselves with backdoor access to their systems.
"We think this stuff is so magical, but it's not really that hard," Elkins said.
"By showing people the hardware, I wanted to make it much more real. It's not magical. It's not impossible. I could do this in my basement."
The cybersecurity researcher pointed out that there are people who are more knowledgeable about the technology than he is, and that they could pull off the same hardware hack as he did for almost nothing.
Developing The Chip
To create his tiny spy chip, Elkins used a 5 mm. Square ATtiny85 chip commonly found on a Digispark Arduino board. He first wrote his hacking code into the chip before removing it from the board and transferring it to a Cisco ASA 5505 firewall. He chose a spot on the Cisco motherboard that would allow the chip to access the firewall's serial port without needing any additional wiring.
Elkins said he could have chosen a smaller chip for his hack, but he decided to go with the ATtiny85 because it was relatively easier to program than other chips.
As for the spy chip's placement on the Cisco ASA 5505 firewall motherboard, he said he chose the spot because he wanted to show it to the attendees at the CS3sthlm conference. He said he could have also planted the chip inside one of the board's radio-frequency shielding "cans."
Elkins designed the spy chip so that it would launch an attack on the target system as soon as its firewall boots up. It could dupe the system into thinking that it is a security administrator trying to access the firewall's configurations by connecting a computer directly to a specific port.
The malicious chip would then initiate the firewall's password recovery feature to allow it to create a new administrator account and gain full access to the system's settings.
While Elkins chose to use a Cisco ASA 5505 firewall for his proof-of-concept because of how cheap it was, he said the same hardware hack can be used on other Cisco firewalls as long as it uses the same password recovery system.
In response to Elkins claims, Cisco said it is already looking into the researcher's findings. It will inform its customers about any potential threat through its normal channels if the company were to discover any new information.