Speaking at the Black Hat Europe conference in London, trainer and researcher Joe FitzPatrick from SecuringHardware.com asked delegates if their risk assessment considers $5 hardware attacks and if not, “why worry about $1m [hardware attacks], as what is more likely?”
In his talk 'A Measured Response to a Grain of Rice,' which took a hard look at the controversial Bloomberg article about tiny chips found on motherboards, FitzPatrick said that we first heard of malicious implants as part of the Snowden leaks in 2013, and the “ANT Catalogue” as reported by Der Spiegel.
“Usually we think of keystroke loggers via USB but they have been around for decades, as have Modchips,” he said.
Asking when hardware attacks make sense, he cited air gaps and heavily monitored networks, as well as physical access that would not be possible remotely, and supply chain access to firmware.
Focusing on the Bloomberg story, which alleged that a chip affected 30 companies, FitzPatrick said that there was a lot of reaction to the story, as well as questions on how to test and what the indicators of compromise are. “By the time the board gets to you, something has changed to the schematics to figure out what chips are what,” he added.
FitzPatrick said that there was little in the article on what the chip did, and using the term “component graffiti” he argued that the article caused “a lot of assumptions and doom and gloom.”
He said: “Was it real or a hoax? I don’t know: we don’t have information and I am no expert, however I can say it is possible and the things described are possible and I see challenges as a technical person.”
He asked why there were no first-hand accounts of what it did, and went on to say that a typical server has more than 10 components with firmware, hundreds of active components, and thousands of passive components, meaning that there is a “huge surface to look at.”
Concluding by discussing what we can do, FitzPatrick said that ripping up servers “is a waste of time” and asked delegates if they review what a supplier does and where hardware was acquired, and if they look inside systems.
“Actual risk is a combination of impact and frequency,” he said. “We need to respond to the threat and not to the hype.”