Source: Trace Bellassai, Client Operations Engineer

“It’s not possible,” they said when they saw the Bloomberg article. “There’s no chip that small capable of doing that.” Well, that’s what everyone thought, until our very own Hacker-In-Chief, Monta Elkins, proved that it is indeed possible to add a (very) small hardware chip to a device to compromise your system. If you haven’t seen that story, make sure to check it out here: https://www.wired.com/story/plant-spy-chips-hardware-supermicro-cheap-proof-of-concept/?fbclid=IwAR0xP4Ddjjet5Vd8Hp4SiHW-ZWWpe666IJ25ZbG2gy3QCUIxlFn41NAhfsA

The tl;dr (too long, didn’t read) version of that article is that, for less than $200 and your laptop, you have all the equipment you need to program a chip that is nearly impossible to detect and insert it into a Cisco firewall. This chip would allow you to reprogram the firewall to open ports, change admin passwords, etc. This goes to show how important it is to trust your supplier and to make sure you have a secure supply chain. One way your provider can demonstrate trustworthiness is by giving you a bill of materials (BOM). This lists every component that goes into building the unit, which then allows you to review the hardware on your device and make sure there are no unknown components. This would be a very slow process, and unreasonable to perform on every unit purchased, but it is still possible.

BOMs are an established document in the hardware realm and are available on request from most major vendors. Equally important, though not yet as mainstream, are software BOMs. This is the same concept: every software component in a project is listed, whether it is open source or commercial, instead of the product being a black box. This allows the customer to monitor those components for possible vulnerabilities and create a mitigation plan before the vendor has the opportunity to patch them. Trusting the vendor and knowing the full BOM will get you part of the way to a better security posture, but when dealing with a threat that has extreme resources (millions of dollars, ninja spies, power of coercion), another thing to consider is the delivery of the hardware or software. How can you be sure nothing was tampered with before you received it?

So, how could we detect if a similar exploit was actually being used in our infrastructure? Well, there are a few ways something like this could be caught, though none of them is easy. The first method of catching this exploit would be configuration management and review. In the proof of concept, Monta changed configuration points in the Cisco firewall. Using a solution like TDI’s Console Works to review device configurations would allow you to detect that a port was opened and a user added, likely before the attacker could utilize their backdoor. The other possible way of detecting this attack would be with a network intrusion detection system or network behavior analysis. The goal is to catch abnormal network traffic from the firewall, such as SSH traffic. This would be of note, especially if you do not have SSH enabled as part of your configuration.
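
The configuration review described above, sketched as an added example (not from the original post, and not Console Works or Sentrigard code): it compares a stored baseline against the current configuration and reports only new or changed accounts, new permit rules and new management-access lines. The ASA-style syntax, hostname, hashes and addresses are constructed assumptions.

```python
import re

# Constructed ASA-style sample configs (assumption: the page only says
# "Cisco firewall"); hashes and addresses are placeholders.
BASELINE = """\
hostname edge-fw
username netadmin password PLACEHOLDERHASH1 encrypted privilege 15
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
"""
CURRENT = """\
hostname edge-fw
username netadmin password PLACEHOLDERHASH2 encrypted privilege 15
username support password PLACEHOLDERHASH3 encrypted privilege 15
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any any eq 22
access-group OUTSIDE_IN in interface outside
ssh 0.0.0.0 0.0.0.0 outside
"""

USER = re.compile(r"^username (\S+) ")
# Other line types worth alerting on when they appear: permit rules and
# management-access statements.
WATCH = [(re.compile(r"^access-list \S+ extended permit "), "permit-rule"),
         (re.compile(r"^(ssh|telnet|http) \d"), "mgmt-access")]

def config_drift(baseline, current):
    """Return sorted (kind, detail) findings for lines added since baseline."""
    old = {l.strip() for l in baseline.splitlines() if l.strip()}
    old_users = {m.group(1) for m in map(USER.match, old) if m}
    findings = []
    for line in (l.strip() for l in current.splitlines()):
        if not line or line in old:
            continue
        m = USER.match(line)
        if m:  # credential change on a known account vs. a brand-new account
            state = "changed" if m.group(1) in old_users else "new"
            findings.append(("account", f"{state} user {m.group(1)}"))
            continue
        findings += [(kind, line) for rx, kind in WATCH if rx.match(line)]
    return sorted(findings)

if __name__ == "__main__":
    for kind, detail in config_drift(BASELINE, CURRENT):
        print(f"[{kind}] {detail}")
```

Run against a baseline captured at commissioning, a check like this surfaces the added user and the opened port as soon as the next configuration snapshot is taken.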

FoxGuard Solutions provides patch and update validation, delivered using secure methods to ensure you are getting genuine patches. Our Sentrigard appliance also has the capability of configuration change detection and management, as well as network intrusion detection. Using these tools, we can help prevent this very threat.