Is your charger listening to you right now? đź‘€
The Biggest Hack Ever?
In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video. AWS, which was overseeing the prospective acquisition, hired a third-party company to scrutinize Elemental’s security. The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers.
This is where things got ugly. Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design.
Elemental’s servers could be found in Department of Defense data centres, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of the hundreds of customers of Supermicro, the mastermind of this attack.
Being a Chinese startup, Supermicro owned various manufacturing subcontract centres across China, which were confirmed to be the source of this chip.
Why should you care?
China, which by some estimates makes 75 per cent of the world’s mobile phones and 90 per cent of its PCs. Interdiction consists of manipulating devices as they’re in transit from manufacturer to customer. This approach is favoured by U.S. spy agencies, according to documents leaked by former National Security Agency contractor Edward Snowden.
In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.
With over 30,000 Apple servers running Supermicro chips at the time, Billions of user data was up for grabs. Microchips found on altered motherboards in some cases looked like signal conditioning couplers. Thus they can be hidden in plain sight and we know nothing.
The issue however is that, why stop at servers? China manufactures the majority of chargers, motherboards, chips, mouses and other devices the world that people use in abundance. Is China weaving the Ultimate Chinese Handcuffs? Are we already too deep into this web? Only time will tell.
What exactly happened?
Side Channel Analysis(SCA) . Simple. It allows an attacker to infer information about a secret by observing nonfunctional characteristics of a program, such as execution time or memory consumed. It can also be used to install a doorway into the network and hackers, well they do what they do best, Hack it.
Covert channels can also exist in hardware implementation, where a stealthy malicious circuit with a very rare triggering condition is injected into the system during the design phase. When triggered, this circuit can leak sensitive information to the primary outputs of the system, and only the attacker would know how to trigger this circuit.
The decreasing effort to perform these attacks, and diminishing cost of the measurement instruments, make it easy to exploit side-channel vulnerabilities and help break traditional cryptographic systems.
Amazon’s security team conducted its own investigation into AWS’s Beijing facilities and found altered motherboards there as well, including more sophisticated designs than they’d previously encountered. In one case, the malicious chips were thin enough that they’d been embedded between the layers of fibreglass onto which the other components were attached, according to one person who saw pictures of the chips. That generation of chips was smaller than a sharpened pencil tip
Thus the world today is in a Gordian Knot. We have become so dependent on technology that purging it would be impossible and yet, that very technology compromises our data security and privacy. Do we act or do we submit? That is the question.
BugBase is India’s first consolidated platform for companies to host crowdsourced bug bounty programs that can be reached out to by ethical hackers and develop a security enthusiasts community all over the country.
Our website: https://bugbase.in/