Adding a Hardware Backdoor to a Networked Computer

Interesting proof of concept:

At the CS3sthlm security conference later this month, security researcher Monta Elkins will show how he created a proof-of-concept version of that hardware hack in his basement. He intends to demonstrate just how easily spies, criminals, or saboteurs with even minimal skills, working on a shoestring budget, can plant a chip in enterprise IT equipment to offer themselves stealthy backdoor access…. With only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online, Elkins was able to alter a Cisco firewall in a way that he says most IT admins likely wouldn’t notice, yet would give a remote attacker deep control.

Posted on October 18, 2019 at 5:54 AM
14 Comments

Comments

Gweihir October 18, 2019 6:57 AM

Not really surprising and not really difficult to do. But it is nice that somebody put it together and shows it off.

CallMeLateForSupper October 18, 2019 8:15 AM

Sorta off-topic.
A while back, one of my nephews pointed out something about one of my old mementos that I’d never noticed. I’ve possessed the item since “liberating” it from my middle school in 1961, when I moved on to high school. “It” was a Master combination padlock, one of hundreds of the same type that were loaned to students to secure their lockers.

Said nephew discovered said padlock while rummaging in a disused desk that had seen me through college and has been a memento ever since. He is a lock hound and a lock picker (he prefers the two-dollar name for lock picker, which I don’t recall). Why does this combination lock have a keyway?, he asked. I took it from him, and looked. Oh yeah … I’d forgotten. The school principal carried a little key that could open any lock in his school …. Occasionally a student having a bad brain day would forget their combination, or some joker (cough) would swap locks among two or more lockers(1). Nephew looked at me for a moment and then said with no little contempt, “So this lock is BACKDOORED.” Very perceptive (and spot on), for a nine-year-old.

Apparently, Master still sells several models of backdoored, dial, combination padlocks. “Mine” looks identical to this one (except the knurled knob is unfinished instead of black).
https://www.masterlock.com/business-use/product/1525

(1) It was common to dial in the first two numbers of one’s combination and dial toward, but stop before reaching, the third and last number. The object was to minimize the time required to open one’s locker at next class change. The practice was so common that jokers (cough..cough) could easily find at least one “primed” lock, open it, and replace it upside-down, i.e. with dial facing the locker.

Mr. Verhart October 18, 2019 10:03 AM

@CallMeLateForSupper

The practice was so common that jokers (cough..cough) could easily find at least one
“primed” lock, open it, and replace it upside-down, i.e. with dial facing the locker.

My middle school required us to buy our own combination locks and provide the administration with the combinations. My mates and I all closed our locks “upside-down” to hassle them and slow things down during random locker checks. Authorization service slow-down during a brute-force attack as a security measure.

lowell October 18, 2019 10:36 AM

It’s a great PoC! I think this will be food for thought for many & should certainly raise awareness around hardware/device security (this one went straight unseen to the firewall CLI as a privileged user!).
Having read around the Wired article & programming the ATTiny85 chip what’s interesting to me is how low the technical barrier to entry appears (ignoring the complexity in accessing the mainboard etc)
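The point lowell raises, that the implant reached the firewall CLI as a privileged user without anyone seeing it, suggests a detection control that does not depend on spotting the chip: treat any privileged login over the physical console line as an event to be reconciled against scheduled maintenance. The script below is an added example, not code from the article, from Elkins, or from Cisco; the log line format, the device name, the accounts and the maintenance window are all constructed for illustration, and the regex would need adapting to the real device's syslog messages.

```python
"""Flag privileged logins that arrive over a device's physical console line.

Added example. The log layout below is constructed for illustration and is
not a real vendor syslog format; adapt LINE_RE to the device's own messages.
"""
import re
from datetime import datetime, time

# Constructed sample lines: "<ISO timestamp> <device> <event> key=value ...".
# "con0" is the local console line; "vty0" is a remote (network) session.
SAMPLE_LOG = """\
2019-10-18T02:11:05Z fw1 LOGIN_SUCCESS user=admin line=vty0 src=10.0.0.5
2019-10-18T03:40:12Z fw1 LOGIN_SUCCESS user=admin line=con0 src=-
2019-10-18T11:05:44Z fw1 LOGIN_SUCCESS user=ops line=con0 src=-
2019-10-18T23:58:01Z fw1 LOGIN_FAILED user=admin line=con0 src=-
2019-10-18T23:59:30Z fw1 LOGIN_SUCCESS user=admin line=con0 src=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGIN_\w+) "
    r"user=(?P<user>\S+) line=(?P<line>\S+) src=(?P<src>\S+)$"
)

# Assumed policy: console logins are expected only inside a change window
# (10:00-12:00 UTC) and only for these accounts. Both values are placeholders.
MAINTENANCE_WINDOW = (time(10, 0), time(12, 0))
PRIVILEGED = {"admin", "ops"}


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        d = m.groupdict()
        # Timestamps are UTC; convert the trailing "Z" so fromisoformat accepts it.
        d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        events.append(d)
    return events


def in_window(ts, window=MAINTENANCE_WINDOW):
    """True when the time-of-day of ts falls inside the maintenance window."""
    start, end = window
    return start <= ts.time() < end


def suspicious_console_logins(events, window=MAINTENANCE_WINDOW):
    """Return successful console-line logins by privileged accounts outside the window.

    Remote (vty) sessions are deliberately ignored here: they have a source
    address and are covered by network-side controls. A console login has no
    network source, so scheduling is the only thing left to check it against.
    """
    hits = []
    for e in events:
        if e["event"] != "LOGIN_SUCCESS":
            continue
        if not e["line"].startswith("con"):
            continue
        if e["user"] in PRIVILEGED and not in_window(e["ts"], window):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in suspicious_console_logins(parse(SAMPLE_LOG)):
        print(f"{hit['ts'].isoformat()} {hit['host']}: console login as "
              f"{hit['user']} outside the maintenance window")
```

On the constructed sample this flags the 03:40 and 23:59 console logins and leaves the in-window 11:05 login, the failed attempt, and the remote vty session alone. The failed attempt is skipped only for brevity; a run of console failures at an odd hour is worth surfacing too.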

Henk October 18, 2019 12:56 PM

@CallMeLateForSupper

Naturally one could make that key with some effort to open the lockers yourself. 😉

My school had a master key for all the doors that the maintenance people used. It was obvious, from observation, that it was set to 00000. All one had to do was obtain any key that fit and file it all the way down to flat and presto all doors open. After all these years I wonder how many locks in practice have this default password.

Back in the 70’s my lab at a government location was housed in a double wide. When I forgot the key I would just open the locked door with a handy pin or nail.

Jack October 18, 2019 1:53 PM

@Henk : That is known as a bump-key.

Go on youtube and watch some lockpicking vids. There is no such thing as a pick-proof lock, as with computers physical access means game over.

Henk October 18, 2019 2:19 PM

@Jack

Yes like a bump key but the key I used did not require the bump step. Locks were “programmed” to require either the bump-like key or the normal key.

Clive Robinson October 18, 2019 3:37 PM

@ Henk,

All one had to do was obtain any key that fit and file it all the way down to flat and presto all doors open.

This is unusual, because with a split pin lock, you usually try to make maintenance keys the “high cuts” as you end up with the physically strongest keys going to the people who not just use them the most but are also most likely to break them.

@ jack,

That is known as a bump-key.

Probably not, whilst the keys do look alike when you line them up they are different. Ordinary keys are usually cut to have a flat under a pin when fully inserted with the lifting slope between the two pin positions on the inwards side of the split pin. Bump keys work like a Newton’s cradle and have a slope under the pin with the middle of the slope being at the top of the bevel of the bottom of the split pin (this would be so much easier to draw than describe in words). That is their profile is offset by half a split pin spacing when at its resting out position.

The reason for this is that when you insert the bump key you need it in its resting “out” position to be just under the pin but not quite touching it. Thus when you hit the bump key inwards it gives all the pins a hard sharp upwards hit causing the top of the pin to go up against the cylinder block “pin return springs”, whilst the bottom of the split pin recoils back into the cylinder towards the key which is now returning or returned to its resting “out” position. This gives the maximum gap between the top and bottom of the split pin thus with a little practice on timing enables you to turn the cylinder because there is no part of the top or bottom of any split pin crossing the cylinder to block interface.

SpaceLifeForm October 23, 2019 5:31 PM

BiLock. Tough to bump.

Not saying impossible.

An electro-mechanical key can open anything.

Simple keys can be cloned easily by those skilled in the art, just by observing the key.

They see the key, cut their own key just based on observation.

A Bilock is trickier to look at and get the cut info.

Clive Robinson October 23, 2019 10:17 PM

@ SpaceLifeForm,

BiLock. Tough to bump.

Yes and perhaps that might help.

Locks are mechanical devices where trade-offs have to be made with regards the different properties desired.

It’s hard to tell from the cutaway drawings, but as far as I can see the key raises the back half of a split pin to a given height, into which the sideways pin recesses into, thus allowing two split locking bars to be retracted (by what mechanism is unclear).

If I was going to attack the lock I would have a look at how that retracting mechanism worked as a first step.

Because there have been other “right angle” split pin systems in the past that were designed to be “bump proof” but ended up making the lock easier to pick…

Thus the second area I would look at is not the fact that they have two keyways in the cylinder, but that the keyways are straight/flat, which means that picking jigs can be made.

I might just get me a couple of their locks to play with and take apart as something to do over the Xmas holidays.

stormwyrm October 24, 2019 2:44 AM

As Bruce himself has said many times, locks don’t get you absolute security. Nothing does. What they do is buy you time. The cheap combination lock I use at the gym can probably be opened in less than five minutes by a skilled thief, but since I’ll probably notice what they’re doing within that time and be able to drop a barbell on their head before they’re done, it’s secure enough as far as that goes. A heavy bank vault might be opened within a few hours given dynamite, but it’s still secure enough if the police can be at the vault to apprehend the thieves in less time than that once they hear the first explosions.

- November 19, 2019 8:47 AM

@ Moderator,

The above from “Edward mosan” is unsolicited service advertising.

Worse it’s for AOL that have probably single handedly used more floppy disks and CD Rom’s that went “Direct to land fill” than any other entity in the world…
