Malicious Component Found On Server Motherboards Supplied To Numerous Companies

October 4, 2018 by Inderpreet Singh 270 Comments

This morning Bloomberg is reporting a bombshell for hardware security. Companies like Amazon and Apple have found a malicious chip on their server motherboards. These are not counterfeit chips. They are not part of the motherboard design. These were added by the factory at the time of manufacture. The chip was placed among other signal conditioning components and is incredibly hard to spot as the nature of these motherboards includes hundreds of minuscule components.

Though Amazon and Apple have denied it, according to Bloomberg, a private security contractor in Canada found the hidden chip on server motherboards. Elemental Technologies, acquired by Amazon in 2015 for its video and graphics processing hardware, subcontracted Supermicro (Super Micro Computer, Inc.) to manufacture their server motherboards in China. It is unknown how many of the company’s products have this type of malicious hardware in them, equipment from Elemental Technologies has been supplied to the likes of government contractors as well as major banks and even reportedly used in the CIA’s drone operations.

How the Hack Works

The attacks work with the small chip being implanted onto the motherboard disguised as signal couplers. It is unclear how the chip gains access to the peripherals such as memory (as reported by Bloomberg) but it is possible it has something to do with accessing the bus. The chip controls some data lines on the motherboard that likely provide an attack vector for the baseboard management controller (BMC).

Hackaday spoke with Joe FitzPatrick (a well known hardware security guru who was quoted in the Bloomberg article). He finds this reported attack as a very believable approach to compromising servers. His take on the BMC is that it’s usually an ARM processor running an ancient version of Linux that has control over the major parts of the server. Any known vulnerability in the BMC would be an attack surface for the custom chip.

Data centers house thousands of individual servers that see no physical interaction from humans once installed. The BMC lets administrators control the servers remotely to reboot malfunctioning equipment among other administrative tasks. If this malicious chip can take control of the BMC, then it can provide remote access to whomever installed the chip. Reported investigations have revealed the hack in action with brief check-in communications from these chips though it’s difficult to say if they had already served their purpose or were being saved for a future date.

What Now?

Adding hardware to a design is fundamentally different than software-based hacking: it leaves physical evidence behind. Bloomberg reports on US government efforts to investigate the supply chain attached to these parts. It is worth noting though that the article doesn’t include any named sources while pointing the finger at China’s People’s Liberation Army.

The solution is not a simple one if servers with this malicious chip were already out in the field. Even if you know a motherboard has the additional component, finding it is not easy. Bloomberg also has unconfirmed reports that the next-generation of this attack places the malicious component between layers of the circuit board. If true, an x-ray would be required to spot the additional part.

A true solution for high-security applications will require specialized means of making sure that the resulting product is not altered in any way. This hack takes things to a whole new level and calls into question how we validate hardware that runs our networks.

Update: We changed the penultimate paragraph to include the word if: “…simple one if servers with…” as it has not been independently verified that servers were actually out in the field and companies have denied Bloomberg’s reporting that they were.

[Note: Image is a generic photo and not the actual hardware]

DIY Rubber Ducky Is As Cheap As Its Namesake

September 17, 2018 by Tom Nardi 26 Comments

The “Rubber Ducky” by Hak5 is a very powerful tool that lets the user perform rapid keystroke injection attacks, which is basically a fancy way of saying the device can type fast. Capable of entering text at over 1000 WPM, Mavis Beacon’s got nothing on this $45 gadget. Within just a few seconds of plugging it in, a properly programmed script can do all sorts of damage. Just think of all the havoc that can be caused by an attacker typing in commands on the local machine, and now image they are also the Flash.

But unless you’re a professional pentester, $45 might be a bit more than you’re looking to spend. Luckily for the budget conscious hackers out there, [Tomas C] has posted a guide on using open source software to create a DIY version of Hak5’s tool for $3 a pop. At that cost, you don’t even have to bother recovering the things when you deploy them; just hold on tight to your balaclava and make a run for it.

The hardware side of this hack is the Attiny85-based Digispark, clones of which can be had for as low as $1.50 USD depending on how long your willing to wait on the shipping from China. Even the official ones are only $8, though as of the time of this writing are not currently available. Encapsulating the thing in black shrink tubing prevents it from shorting out, and as an added bonus, gives it that legit hacker look. Of course, it wouldn’t be much of a hack if you could just buy one of these little guys and install the Rubber Ducky firmware on it.

In an effort to make it easier to use, the official Rubber Ducky runs scripts written in a BASIC-like scripting language. [Tomas C] used a tool called duck2spark by [Marcus Mengs], which lets you take a Rubber Ducky script (which have been released by Hak5 as open source) and compile it into a binary for flashing to the Digispark.

Not quite as convenient as just copying the script to the original Ducky’s microSD card, but what do you want for less than 1/10th the original’s price? Like we’ve seen in previous DIY builds inspired by Hak5 products, the trade-off is often cost for ease of use.

[Thanks to Javier for the tip.]

Researcher uses antenna to clone Tesla key fob

Tesla Opens With Precomputed Key Fob Attack

September 13, 2018 by Jonathan Bennett 43 Comments

This clever precomputation attack was developed by a group of researchers at KU Leuven in Belgium. Unlike previous key fob attacks that we’ve covered in the past which have been essentially relay attacks, this hack precomputes a ton of data, looks for a collision in the dataset, and opens the door. Here’s how it works.

Continue reading “Tesla Opens With Precomputed Key Fob Attack” →

Source Of Evil – A Botnet Code Collection

September 9, 2018 by Sven Gregori 9 Comments

In case you’re looking for a variety of IRC client implementations, or always wondered how botnets and other malware looks on the inside, [maestron] has just the right thing for you. After years of searching and gathering the source code of hundreds of real-world botnets, he’s now published them on GitHub.

With C++ being the dominant language in the collection, you will also find sources in C, PHP, BASIC, Pascal, the occasional assembler, and even Java. And if you want to consider the psychological aspect of it, who knows, seeing their malicious creations in their rawest form might even give you a glimpse into the mind of their authors.

These sources are of course for educational purposes only, and it should go without saying that you probably wouldn’t want to experiment with them outside a controlled environment. But in case you do take a closer look at them and are someone who generally likes to get things in order, [maestron] is actually looking for ideas how to properly sort and organize the collection. And if you’re more into old school viruses, and want to see them run in a safe environment, there’s always the malware museum.

FOSSCON 2018: Developing The FreedomBox

September 3, 2018 by Tom Nardi 11 Comments

The modern Internet can be a dangerous place, especially for those who might not have the technical wherewithal to navigate its pitfalls. Whether it’s malware delivered to your browser through a “drive-by” or online services selling your data to the highest bidder, its gotten a lot harder over the last decade or so to use the Internet as an effective means of communication and information gathering without putting yourself at risk.

But those are just the passive threats that we all have to contend with. What if you’re being actively targeted? Perhaps your government has shut down access to the Internet, or the authorities are looking to prevent you from organizing peaceful protests. What if you’re personal information is worth enough to some entity that they’ll subpoena it from your service providers?

It’s precisely for these sort of situations that the FreedomBox was developed. As demonstrated by Danny Haidar at FOSSCON 2018 in Philadelphia, the FreedomBox promises to help anyone deploy a secure and anonymous Internet access point in minutes with minimal user interaction.

It’s a concept privacy advocates have been talking about for years, but with the relatively recent advent of low-cost ARM Linux boards, may finally be practical enough to go mainstream. While there’s still work to be done, the project is already being used to provide Internet gateways in rural India.

Continue reading “FOSSCON 2018: Developing The FreedomBox” →

New Mooltipass Begins Development With Call For Collaborators

August 31, 2018 by Mike Szczys 14 Comments

One of the most interesting aspects of our modern world is the ability to work collaboratively despite the challenges of geography and time zones. Distributed engineering is a trend which we’ve watched pick up steam over the years. One such example is the Mooltipass offline password keeper which was built by a distributed engineering team from all over the world. The project is back, and this time the goal is to add BLE to the mini version of the hardware. The call for collaborators was just posted on the project page so head over and check out how the collaboration works.

The key to the hardware is the use of a smartcard with proven encryption to store your passwords. Mooltipass is a secure interface between this card and a computer via USB. The new version will be a challenge as it introduces BLE for connectivity with smart phones. To help mitigate security risks, a second microcontroller is added to the existing design to act as a gatekeeper between the secure hardware and the BLE connection.

Mathieu Stephan is the driving force behind the Mooltipass project, which was one of the first projects on Hackaday.io and has been wildly successful in crowd funding and on Tindie. Mathieu and five other team members already have a proof of concept for the hardware. However, more collaborators are needed to help see all aspects of the project — hardware, firmware, and software — through to the end. This is a product, and in addition to building something awesome, the goal is to turn a profit.

How do you reconcile work on an Open Source project with a share of the spoils? Their plan is to log hours spent bringing the new Mooltipass to life and share the revenue using a site like colony.io. This is a tool built on the Ethereum blockchain to track contributions to open projects, assigning tokens that equate to value in the project. It’s an interesting approach and we’re excited to see how it takes shape.

You can catch up on the last few years of the Mooltipass adventure my checking out Mathieu’s talk during the 2017 Hackaday Superconference. If this article has you as excited about distributed engineer as we are, you need to check out the crew that’s building this year’s Open Hardware Summit badge!

Foreshadow: The Sky Is Falling Again For Intel Chips

August 14, 2018 by Brian Benchoff 46 Comments

It’s been at least a month or two since the last vulnerability in Intel CPUs was released, but this time it’s serious. Foreshadow is the latest speculative execution attack that allows balaclava-wearing hackers to steal your sensitive information. You know it’s a real 0-day because it already has a domain, a logo, and this time, there’s a video explaining in simple terms anyone can understand why the sky is falling. The video uses ukuleles in the sound track, meaning it’s very well produced.

The Foreshadow attack relies on Intel’s Software Guard Extension (SGX) instructions that allow user code to allocate private regions of memory. These private regions of memory, or enclaves, were designed for VMs and DRM.

How Foreshadow Works

The Foreshadow attack utilizes speculative execution, a feature of modern CPUs most recently in the news thanks to the Meltdown and Spectre vulnerabilities. The Foreshadow attack reads the contents of memory protected by SGX, allowing an attacker to copy and read back private keys and other personal information. There is a second Foreshadow attack, called Foreshadow-NG, that is capable of reading anything inside a CPU’s L1 cache (effectively anything in memory with a little bit of work), and might also be used to read information stored in other virtual machines running on a third-party cloud. In the worst case scenario, running your own code on an AWS or Azure box could expose data that isn’t yours on the same AWS or Azure box. Additionally, countermeasures to Meltdown and Spectre attacks might be insufficient to protect from Foreshadown-NG

The researchers behind the Foreshadow attacks have talked with Intel, and the manufacturer has confirmed Foreshadow affects all SGX-enabled Skylake and Kaby Lake Core processors. Atom processors with SGX support remain unaffected. For the Foreshadow-NG attack, many more processors are affected, including second through eighth generation Core processors, and most Xeons. This is a significant percentage of all Intel CPUs currently deployed. Intel has released a security advisory detailing all the affected CPUs.