Welcome to... Nation. Oh, I've got to stay real close to this thing. All right: Nation-State Supply Chain Attacks for Dummies and You Too, or, Chipping a Cisco Firewall. So let's go. We've got a lot of stuff to cover and not very long to do it in.

Hi, I'm Monta, and I do coke and strippers. I mean... educational purposes only. I mean, I do the YouTube channel Coke and Strippers. That's an educational channel. It's electronics. Anyway, you should go watch it. Okay, oh, and you should note this. How many people... yeah, we've got people. Take a good picture, post something about this talk on Twitter and show it to me afterwards, and I'll give you something, till they run out. I've got a little prize, a few of them.

All right. So, Supermicro chipping news. Anybody remember this story from Bloomberg last year? We've got a few, right. Big article that maybe motherboards from Supermicro had small implants on the motherboard that would allow remote ownership. And that's kind of scary, because that kind of stuff is pretty much impossible to detect. It could be in your equipment, it may survive a reboot or re-imaging, and it was introduced somewhere in the supply chain. You don't necessarily get a chance to see it, to look at it. There was a lot of concern about it. They said it might be in some of the big data centers, maybe Apple or Google or whatever; there were a few mentioned. But nobody ever found any real evidence. So as far as I know it was not real. Still a little... still a little down.

Could you all hear me all right? Can you hear me? Sort of, yes. Okay. If you ever can't, do this, for the folks with the music in the back, okay.

But we never found any real evidence of it. So, you know, still looking, still looking for proof. Instead of which, I decided that doesn't matter. Let's make it real. So why not that? Oh, and hopefully better than this. That's, you know, right? We started... that could be better. So, time to pick a device.
I'm from the ICS space, and my original thought was to pick maybe some of these. But I eventually decided on the Cisco firewall, which is also used there. The same attack will basically apply to all of those, but the firewall has a little broader appeal, so we'll do it there.

I tried to consider what ways to do this, and after a little thought decided probably the serial port was the cheapest and the easiest and the fastest to try to attack. Most of these devices are configured by a serial port one way or the other.

So, a quick look at serial ports, to refresh your memory if you haven't played with one in a few days. In its simplest form you need only three wires: you need a TX wire to talk to a device, you need an RX wire to receive information from the device, and you need a ground. They look like those connectors, or on the Cisco device, RJ-45s. There we go, now I can make little circles. So here's a USB serial adapter; they connect in those, and that port, that's the RJ-45 serial connection. That's the way you would originally configure a Cisco firewall when you first get it. Who here has configured a Cisco firewall before? Oh, we've got like half the audience at least, maybe more. Excellent.

So your sign-on line goes something like this: you're gonna pick a baud rate.
There are various ones; 9600 may be the most common. You're gonna pick a number of data bits, typically seven or eight, but like five is legal. You're gonna have a parity; it can be none, odd, even, mark, space. And a number of stop bits. And that defines your serial packet, how it's actually going to be transmitted on the physical wire. Very common is this 9600 8N1: that's our baud rate, number of data bits, parity none, and one stop bit.

To start dealing with the serial protocols, one of the things that I found very useful was this 8-channel analyzer that you can get from all the usual places in China. Yeah, it's kind of ironic, use cheap Chinese stuff to try to hack... cheap China... never mind. Anyway, that and free software: PulseView, freely available on the net. Its companion is sigrok as well. So I can see signals going in both directions, right? Normally if you connect up to a serial port you're just getting the receive channel; you won't necessarily see what's on the send channel unless the device on the other end reflects it to you. So I want to connect to both the send and receive, both channels simultaneously. I can set up PulseView to do that. All right, I'm setting up 8N1, least significant bit first, right? That's little-endian. I want to see it as ASCII. I need to invert the signal. So PulseView, there's the link if you need it. It's great software. I don't have anything to do with the project other than I like it. In this case what we see is: these are the little bits.
I am pulling them off the wire. As I use this UART decoder on them, I see a start bit, I see a bunch of data bits, and a stop bit. If I interpret this as ASCII, which is what I've asked it to do, I end up here with a letter C. C-O-N-F-I-G, and so forth. So that's a sample of this run.

Typically, when you're doing serial, you'll use a UART and a driver to help you communicate with the hardware and keep all of your voltages at the right level. These are the commonly seen voltage levels: we've got five and ten and twelve and fifteen. And that's a problem on this device. It's swinging plus and minus 15, which will totally destroy any type of microcontroller I want to try to connect to it. So we've got a little bit of a problem. But there's a trick.

So, in doing some other work with attacking power supplies, I found this application note, and basically what it says is that these microcontrollers, at least the family I'm used to working with, the Atmel and various other ones, have protection diodes built in on every input. So that if the voltage swings above your positive voltage, above VCC, it gets tied there, and if the amount of current is low enough, right, that keeps that pin from going above your VCC voltage. It also keeps it from going below ground. But the key point to this is that you have to limit the current, right? Otherwise you will just smoke those diodes and still blow the chip up. So what you need is just an appropriately sized resistor coming in. In this case they're using one megaohm, and they can connect it to the AC outlet. Well, I only need it to work for 15 volts, so that should be something like a 15 kilo-ohm resistor. Turns out maybe 5.1K is close enough. That's what I started using in the testing, and it was working, and I just never changed back, right? What's the number one rule in ICS? You know, reliability. Yes, it's working. Don't touch it. You should get a reward for that.
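To make the decoder steps just described concrete (start bit, data bits least-significant-bit first, stop bit, interpret as ASCII, optionally invert the signal), here is an added Python example. It is not code from the talk or from the sigrok/PulseView project: it reconstructs the same 8N1 framing over a list of one-sample-per-bit line levels. The idle-high polarity, the one-sample-per-bit capture and the word "CONFIG" are constructed assumptions for the demo, not a real capture.

```python
"""Decode 8N1 UART line samples into ASCII, the way the PulseView UART
decoder does in the talk above.

Added example, not code from the talk or from the sigrok/PulseView project.
One sample per bit, an idle-high line and the word "CONFIG" are constructed
demo inputs, not a real capture.
"""

START_BIT = 0  # a UART frame opens with the line pulled low
STOP_BIT = 1   # and closes with the line back at idle (high)


def encode_frames(text, data_bits=8):
    """Build an idle-high line-level bit sequence (one sample per bit) for
    `text`. Only used to construct the demo input; with a real capture the
    samples come from the logic analyzer."""
    bits = [1, 1]                     # idle line before the first frame
    for byte in text.encode("ascii"):
        bits.append(START_BIT)
        bits.extend((byte >> k) & 1 for k in range(data_bits))  # LSB first
        bits.append(STOP_BIT)
    bits.extend([1, 1])               # idle line after the last frame
    return bits


def decode_frames(bits, data_bits=8, invert=False):
    """Walk one-sample-per-bit line levels and recover the transmitted bytes.

    Returns (decoded_text, errors). `invert=True` does what PulseView's
    invert option does: a capture taken on the RS-232 side shows a logical 1
    as the negative voltage, so the levels must be flipped before framing.
    """
    if invert:
        bits = [b ^ 1 for b in bits]
    frame_len = 1 + data_bits + 1     # start + data + stop; "N" means no parity bit
    chars, errors = [], []
    i, n = 0, len(bits)
    while i < n:
        if bits[i] != START_BIT:
            i += 1                    # idle line, keep scanning for a start bit
            continue
        if i + frame_len > n:
            errors.append(f"truncated frame at sample {i}")
            break
        value = 0
        for k in range(data_bits):    # least significant bit is sent first
            value |= bits[i + 1 + k] << k
        if bits[i + 1 + data_bits] != STOP_BIT:
            errors.append(f"framing error at sample {i}")
            i += 1                    # resynchronise one sample later
            continue
        chars.append(chr(value))
        i += frame_len
    return "".join(chars), errors


if __name__ == "__main__":
    line = encode_frames("CONFIG")
    print(decode_frames(line))                                # ('CONFIG', [])
    print(decode_frames([b ^ 1 for b in line], invert=True))  # same text from an inverted capture
```

A real logic-analyzer capture has many samples per bit; PulseView uses the baud rate and sample rate to pick the sample in the middle of each bit, which the example skips by assuming one sample per bit. A frame whose stop bit is not high is reported as a framing error rather than silently accepted, which is also what you see in the decoder when the baud rate is set wrong.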
No, I will see you afterwards. No, no, hang on. Yeah, I don't have them near my back.

So I want to be able to test this. Can I actually use this configuration to talk to this Cisco device? You know, this is a little big. I'm using this Arduino Mega, you know, what are they, 10, 15 bucks? Maybe less if you get them from the Chinese sellers. Set up a couple of resistors and this serial cable in, and sure enough I find out yes, I can talk to this device. I can receive these 15 volt signals without blowing it up, and also, surprisingly, just by sending it five volts and ground I can transmit to it, which is out of spec, right? The minimal spec is like negative three volts for RS-232, well, now TIA, but you know. But it works. So so far I'm in. Right out I'm going down this path: how am I going to attack it, what hardware, software to use, is this possible? It looks like I'm good. It looks like I'm prepared to do this. It was a fairly quick and easy test, right? Get a piece of hardware, you plug it up, not too hard. It works.

The next thing is to decide what actual kind of chip I want to use in this. Part of the fun of the attack, I think, is using very small devices, right? If you remember the picture from the Bloomberg article, it was a pretty small device. I started out with this ATtiny10, which, as I say here, is not just tiny, it's minuscule. That's the one here in the tweezers. And technically the attack that we'll see here in a little while, you could technically run it with that microcontroller. There's also the ATtiny85. I chose that one because of some additional capabilities, in particular EEPROM. So that allows me to store information in the chip, so like I could count the number of reboots, or maybe store some data if I could collect it. So I chose the ATtiny85 for maybe some advanced features that, actually, at this point...
I haven't implemented. But it doesn't matter. There was also another advantage, and we'll see, of choosing this ATtiny85. But technically you could use the ATtiny10. A couple more advantages, one of them being this carrier board, this Digispark. You can pick these up again from, where? Yeah, China. Amazon even, five of them for $10. The actual microcontroller is over here. This is a power supply chip. Buying it in this format just makes it quicker and easier. I can program it by shoving it straight in a USB port. So I get them cheap, and I've got a few of these, so take a picture, tweet me, and catch me afterwards and show it to me, and I'll give a few of them away. That's your Digispark board.

So I don't have to worry too much about programming it, and also I can use existing tools. That saves me a little bit of time. I can use the Arduino IDE interface. So now this is my second round of test hardware: I'm not using the Mega anymore, I'm actually using this Digispark. Can I do the same thing with this other piece of hardware? There shouldn't be any reason why I couldn't, but you know, you want to test it. It is a little more complicated to program. There's some limited amount of space, and then some kind of libraries to play with. But connect it up, start running the tests, and at that point find out that we are all good. I can use this little device to communicate across the serial port. So now I'm getting closer, right? I've got a device, I've run the test, I just need to be able to hide this on the motherboard somewhere.

Oh, and I also mentioned that you can use the Arduino IDE to control this. There's the... you really can't see it here.
I assume this will be available somewhere online; links to all these parts and pieces are there. You're shaking your head, so it's going to be online, if you want to follow along. By the way, though, for programming this board: usually in the Arduino world you just hit program and it programs. For this board you have to disconnect it and reconnect it; the bootloader will only allow it to program in the first few seconds after power-up. So I struggled with that for a few minutes the first time, well, maybe more than a few minutes, the first time I started to fiddle with these. So I unplug it, hit program, plug them back up, they program great.

So now what do I do? So I've picked the chip, it looks like it works, I've tested it, I can program it on this board. I don't want to install that whole board. That's ugly, that's big, it's obnoxious. So after I program it, I pull that chip off this board. I use a little hot air rework station. Now, that's just because I have it in my basement, right? That's my below-ground layer, in the basement. But you could use a soldering iron or whatever. But again, for all these things, like, I don't get any money from Banggood, which is actually a cool place to buy electronics online. Don't ask. There's the links if you want them. But I pull the chip off of that board. Right now I have my chip, it's all programmed, it's all ready to go, and so far it's been relatively easy. I didn't have to get any kind of special programmers or anything else, any small PC boards, because it came already connected for me. So that's one of the advantages of starting with these Digisparks, and it's cheap.

So we talked about what ended up being four wires: that's RX and TX, transmit, receive; you also need power and ground. But for this attack right now, I'm just running it blind. I'm just pushing commands out.
I'm not listening to anything coming back, so I can cut off one of those wires. I only need transmit and power and ground. So we end up with this little chip with three wires coming off of it, and at this point I should be able to take that chip and solder it anywhere on this motherboard and send the commands, which we'll run through here briefly.

But these wires on a motherboard, sometimes called bodge wires, they look ugly, right? And they sort of indicate something weird is going on. I mean, occasionally you will see them for real, like the picture there on the left, but they're fairly rare. And what I really don't want is for it to look like this picture on the right, where somebody's just soldering all kinds of stuff. Right, that's gonna look really suspicious on your new equipment if it has all kinds of warts and stuff growing off of it. So I wanted it to look better than that if possible. So what can I do about this three-wire installation?

Well, I came up with a three-wire solution. It turns out that next to the port on this device that is the RJ-45 serial connection, there are also two USB ports. And this is the bottom of the motherboard, the way it's already set up. This is factory-original schmoo here. So, you know, we'll talk later about looking for this thing; you might look for sort of strangeness on the motherboard, and this was already here from the factory. That wasn't even my doing. But what I found was at this location: here are the pins for the RJ-45 serial connection, and my TX line, and there's a ground, and then I pull power off of this. These are the USB ports, or two USB ports: power, ground, and I don't need the data connections. So I solder this small chip directly to the motherboard, like this. Now I've got power and transmit, and it's awesome, right? I am in. Probably way too far away in this process. Wait a minute. Yeah.

All right, so, by the way, who here are like electrical engineers or electrical hobbyists?
What have we got? We've got more electrically minded folks in this... In any case, so what is its value? What is the value of this thing? You don't have to be an electrical engineer to figure it out. Anybody? Have a penny? Have a cent? No? Yes? No, I'm playing a little bit of a word game here. What is the value of it as a resistor? Its resistance in ohms is zero, and it only costs like half a cent. But word games, thank you for playing. Its value as a resistor is zero. Why do we use a zero-value resistor? What do we use that for? No, it's got zero protection value. Yeah, maybe because it's small. Yeah, you might use it like a fuse. In this case I'm just using it so I don't have to use a wire, because I needed this one resistor, right, that's the one that protected me from the 15 volts. I use this one to ground, just instead of putting a wire in there. So it turns out to be valuable. It makes this a lot more invisible on this motherboard.

And at this point, success, right? I've got this thing on the motherboard, I've got it programmed, I've got it hidden. Golden. Except, when I got to this point, which was really not too long ago, because I'd done the tests, I knew it was fine, all I had to do was do this and I'm ready for this presentation. When I booted it up, it didn't work. My attack came too late in the boot process, and we'll see why that is in a minute. It turns out that this motherboard does not turn the power on to the USB port until after the thing is booted. Who knew, right? Well, when I'm poking around on the board, I'm looking for five volts and I plug it up, you know, five minutes later I find it. Who knew I had to wait for the boot cycle? So now it's like it's the middle of the night. What am I going to do? I've got the perfect place for it. I guess worst case is I can pick another bodge wire and run it halfway across the motherboard and find five volts somewhere. But I found something else instead.
I found this chip. This is the chip that controls the power to those USB ports. The computer sends it a signal, and it takes five volts from this IN line and it sends it out to the two ports, OUT A and OUT B. Those are those two USB ports. So if I can manipulate this device, then I can have power there all the time. And actually the easiest way to manipulate this device was this. Anybody know what a solder bridge is? Generally, are they a good thing? No, right, they're a mistake. You accidentally connected two pins together with a big glob of solder. It might be overlooked, maybe. But in this case what it did was that it took the IN five volts and directly connected it to that serial port all the time. And also, this chip also will do overcurrent protection, so you lose that, but who really cares? Not me. So I could use a solder bridge as part of an attack. I just think that's cool. And no bodge wire to find five volts.

So it's installed. You've seen it, you know what it looks like. Where is the chip on this motherboard? Yeah, okay, the picture is kind of ugly. It is there. All right, there it is. Okay. You can find it. Look, I could take a high schooler and I could teach him to look for bad solder joints, all right, because this is hand soldered. It's not going to look as good as machine soldering. But it can take a little while. So I put it on the motherboard, right? I'm gonna put it somewhere. In this case, it's on the bottom of the motherboard, because that's where it fit better. Which means you have to take out 14 screws, pull off the front plate, pull out these little light pipes, take the motherboard out and turn it over to even be able to see it. So when you get a brand-new piece of equipment designed to protect your network, who first takes it all apart and lays it across their desk before they begin?
All right, so your boss would probably give you funny looks if you take your equipment apart very first.

There's also another place to hide it, and this is my trade secret, so I'm just sharing it with you all. This is the RJ-45 and the two USB ports in this metal can. If you flip this board over and unsolder these four points that hold this can on, in the back of this can there's a hole about the same volume as in the front. I can stack up like 15 of those chips in there. So you can put it in there, solder this tin back on it, and now for somebody to find it: take all the 14 screws out, take the motherboard out, turn it upside down, and they have to start desoldering all these cans. There are actually several of them around the motherboard if you look, to see if Monta's hidden something stupid in one of them. So, not very likely. I didn't do that for this because I thought it wasn't fair, right, if you couldn't somehow see it.

This is my, you know, emergency safety trick, solves all the problems. I found these really nice "warranty void if removed" stickers. They have holograms, they are individually serial-numbered, they have a barcode. They even say, if you look carefully, it says "genuine authentic" in the hologram. Right. So you slap it on the outside of the box, and you've already eliminated 80% of the population right there. You take a new piece of equipment, the first thing you do is cut the warranty void... yeah, all right. That's my backup plan.

All right, so we are going to look at the video of the demo. Normally I plug these up, but we're on a kind of short time frame.
It's actually built in the bottom of this motherboard. Here is my test rig, by the way, in TSA-friendly Tupperware so that I can travel with it. But instead, let's go through a video.

All right, so I will scrub this as we go along. This top window is just capturing the data as it would look to the Cisco device. I'm not typing or anything. Anything that happens up here is the result of the Cisco device and this embedded chip that we've put in. So far, you notice there's a little timer... that's just me highlighting it. The timer says you can press Escape to go into ROMMON mode. All right, so it presses Escape and then it does this: configuration register 0x41. This is what allows you to modify an existing piece of hardware. I got this off eBay with a full config installed; we'll talk about that offline. It allows me to boot it without knowing the password. So now the implanted device, after it does that and it boots... I may not know what it's booting, but I've got it without a password. I don't know what their existing network configuration is, so the first thing that it does is it loads up the existing config that's stored on this device, and we'll see that come up in a second. And then we're going to take that existing config and modify it, adding an SSH port, opening up a connection to the outside interface, which is probably connected to the internet, along with credentials that are only known to us. Right, that's nice. And this down here in the bottom is just a testing script.
I have it running. I'm trying to ping this firewall; we see it's not responding yet because it's not booted. It's going through the config, it's generating the... right, if we're going to control this device remotely, we're gonna do it securely, right? SSH all the way, for the win. And so forth. So, you can follow on there for a second.

One other little piece of magic, a tip, is that you cannot see this happen if you plug into the console port. If you plug into the console port, it overrides the voltage, overrides that small resistor, and it doesn't happen. So imagine you get this box, you plug it up, you configure it, it's all great. You will never see this happen. You unplug it, you put it in the rack, and then when you power it up, you're owned. Now, assuming you go back around and scan the machine and see there's something wrong with it, what do you do? Well, you try it three times; it keeps getting owned every time you reboot it. You pull it out, you put it on your desk, you connect the serial cable up to it. You're like, oh, this is... you reconfigure it. It's great, right? You put it back in the rack, you reboot it. All right, so if you test your configs every month, right, I get an average of 15 days to screw with it, and you're gonna pull it out at least once, so I'll get two times 15 days.

All right, in the bottom we got the ping back. And we'll look it back up just a little bit. We saw that the SSH port was open, we connected with our credentials only known to us, and now we have enable, which is admin-level access, and just printed out part of the config of this device. So that's the taped demonstration. At some point maybe we can do it live for real. That's pretty much it.

So Cisco defines this attack as a password recovery. There's a document there that basically describes how you do this, sort of adding the accounts. We could make this more sophisticated, but not really. I used to call these attacks the Miyagi-style attacks.
You remember the movie? He says, right, the Karate Kid: "if do right, no can defend," right? So, you can't see it in the firmware, you can't detect it, it happens on its own, you can reflash it, it doesn't work. That's not quite true. If you pull your brand new equipment apart and look very carefully, look for rework, look for bad solder joints, and regularly baseline your equipment, look to see if it's changed, nmap it, check the configs and so forth, that's your opportunity.

All right, that's it. What I learned is this really isn't very hard. I did this in my basement. You know, I'm okay, but I'm not that good at it. You could get this and follow along if you've done any hobbyist work. I think, really though, it's a pain in the butt to do, and nobody's going to do that. This is currently only for targeted attacks. Why only targeted attacks? Because your security sucks, right? Cisco's had lots of vulnerabilities in their firmware, and you don't even have to modify it to get there.

So I'm Monta Elkins. Catch up with me on Twitter. Don't forget to do coke and strippers, I mean the YouTube channel. And we'll see you next time, DEF CON. Thank you very much.
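The demo changes three things on the box that a defender can watch for without taking the case apart: the configuration register, the set of local accounts, and which interface SSH is allowed from. The closing advice to regularly baseline the equipment and check the configs can be turned into a routine check. Below is an added Python example, not the speaker's code and not anything from Cisco, that diffs a saved config against a baseline, labels the kinds of additions seen in the demo, and compares the configuration register reported by `show version` against a recorded baseline value. The two configs, the `show version` excerpt and the baseline register value 0x1 are constructed assumptions written in the style of an ASA configuration.

```python
"""Baseline-and-diff check for a firewall's saved configuration, plus a
check of the configuration register reported by `show version`.

Added example, not code from the talk or from Cisco. The two configs and
the `show version` excerpt are constructed samples in the style of an ASA
running-config; the normal register value 0x1 is an assumption recorded
in the baseline, not something the talk states.
"""
import re

# Constructed: the config captured when the box was first set up on the desk.
BASELINE_CONFIG = """\
: Saved
hostname edge-fw
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
username admin password <hash-placeholder> encrypted privilege 15
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
"""

# Constructed: the config pulled after the box was racked and rebooted.
# An extra local account and SSH on the outside interface have appeared.
CURRENT_CONFIG = """\
: Saved
hostname edge-fw
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
username admin password <hash-placeholder> encrypted privilege 15
username svc_backup password <hash-placeholder-2> encrypted privilege 15
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

# Constructed excerpt of `show version` output.
SHOW_VERSION = "Configuration register is 0x41\n"

BASELINE_CONFREG = "0x1"  # assumed baseline value recorded at first setup


def normalize(config):
    """Return the set of meaningful config lines: comment lines (':' or '!')
    and blank lines are dropped, indentation and trailing spaces are ignored."""
    return {ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith((":", "!"))}


def diff_config(baseline, current):
    """Lines added to and removed from the baseline, sorted for stable reports."""
    base, cur = normalize(baseline), normalize(current)
    return sorted(cur - base), sorted(base - cur)


# Patterns on added lines that match the kinds of change seen in the demo.
SUSPICIOUS = [
    (re.compile(r"^username \S+ "), "new local account"),
    (re.compile(r"^ssh \S+ \S+ outside$"), "SSH management opened on outside interface"),
    (re.compile(r"^http \S+ \S+ outside$"), "HTTPS management opened on outside interface"),
]


def flag_added_lines(added):
    """Label each added line; lines matching no pattern are still reported."""
    findings = []
    for line in added:
        for pattern, label in SUSPICIOUS:
            if pattern.search(line):
                findings.append((label, line))
                break
        else:
            findings.append(("unexpected change", line))
    return findings


def config_register(show_version):
    """Pull the configuration register value out of `show version` text."""
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", show_version)
    return m.group(1) if m else None


def check_register(show_version, expected=BASELINE_CONFREG):
    """Return a finding if the register differs from the recorded baseline."""
    value = config_register(show_version)
    if value is None:
        return ("register missing", "could not parse configuration register")
    if value.lower() != expected.lower():
        return ("config register changed", f"{value} (baseline {expected})")
    return None


if __name__ == "__main__":
    added, removed = diff_config(BASELINE_CONFIG, CURRENT_CONFIG)
    for label, line in flag_added_lines(added):
        print(f"[{label}] {line}")
    finding = check_register(SHOW_VERSION)
    if finding:
        print(f"[{finding[0]}] {finding[1]}")
```

The point of comparing against a baseline rather than against a list of "bad" lines is that the implant reuses whatever config is already on the box and only adds to it; a diff of the saved config catches the additions even when they look like ordinary management lines. The register check covers the step that happens before the config is ever touched: a box that booted with a non-default register is worth pulling out of the rack even if the config looks clean.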