Installing spy hardware in PCs and smartphones costs little

A computer security researcher has shown that all it takes is a two-dollar device to take control of your smartphone

A chip that can spy on our Internet-connected devices costs less than $2. It can be installed on a network firewall in a few minutes, by staff without great technical skills, even in a basement and without any need for large equipment.

So says researcher Monta Elkins, who at the next CS3sthlm security conference, to be held in Sweden from October 21 to 24, will show his colleagues a fully functional experiment in tampering with a Cisco firewall. Elkins is the "chief hacker" of the electronic security company FoxGuard and has tried to replicate what Bloomberg Businessweek claimed more than a year ago: that many Supermicro motherboards present in the servers of Apple, Amazon and other Web bigwigs had been tampered with by a group of Chinese hackers to spy on data traffic. The news has since been widely debunked, but Elkins will prove that a scenario like the one described by Bloomberg Businessweek is not that unlikely at all.

Two dollars for spying on us

Elkins' experiment involves buying an Arduino Digispark board over the Internet, costing just $2. $150 buys a hot-air soldering iron and $40 buys a microscope. The ATtiny85 chip is easily desoldered from the Digispark board and then soldered to the motherboard of Cisco's ASA 5505 firewall. Elkins chose this model only because it was the cheapest on the market, but he says the experiment works on plenty of other firewalls as well. The ATtiny85 chip, which is just 5 millimeters square, can hardly be seen on the firewall's motherboard, but it allows whoever planted it to take total control of the firewall.

Elkins programmed the tiny chip to execute an attack as soon as the firewall boots up: it activates the password recovery feature, creates a new administrator account and gains access to the firewall's settings. Immediately thereafter, the chip can offer the hacker remote access to the device, disable the firewall's security features, and give the hacker access to the log of all connections the device sees, without alerting the administrator to anything. All PCs and smartphones whose Internet traffic passes through that firewall, then, can be spied on.

Spying on Supermicro Motherboards

Elkins' experiment allows spying on communications that pass through a firewall in a data center. But another experiment replicates even more closely what Bloomberg speculated: the one by Trammell Hudson, a former Sandia National Labs researcher who has now gone out on his own. Hudson soldered a chip just 2.5 millimeters square onto a Supermicro motherboard. This chip can control the operation of the motherboard's "baseboard management controller" (BMC), a component that can be managed remotely, allowing a hacker to take full control of the server with the modified motherboard. This type of tampering is much more expensive and complicated than the one shown by Elkins. But it clearly shows that what Bloomberg speculated is not science fiction.