Tiny $2 spy chip can be added to IT hardware, claims security researcher Monta Elkins
Bloomberg has been widely derided for its Supermicro spy-chip story, but Elkins claims it's feasible and low cost
Implanting tiny spy chips onto server motherboards can be done with a chip costing just $2, together with tools adding up to around $198. That's according to a security researcher in a new report.
The research lends weight to a Bloomberg report from last year that claimed that China-backed attackers infiltrated factories making Supermicro motherboards and covertly implanted spy chips the size of grains of rice on them.
These motherboards were later used in servers purchased by Amazon, Apple and many US government departments, enabling network traffic to be monitored and communications modified with the motherboard's baseboard management controller (BMC).
The Bloomberg story was widely debunked at the time, although the newswire didn't retract the report.
Indeed, each firm named in the story rejected Bloomberg's report, and the US National Security Agency (NSA) also described the threat as a false alarm. Reviews of Supermicro boards conducted by some external experts also found no evidence of spy chips being added to those boards.
Now, security researcher Monta Elkins, who works as the "hacker-in-chief" for cyber security firm Foxguard, claims to have developed a technique to pull off a similar hack with $190 worth of tools and a $2 chip.
Elkins said all he needed was a $150 air-soldering tool, a $40 microscope, and a tiny programmable chip used in personal electronics projects.
"It's not magical. It's not impossible," Elkins told Wired. "I could do this in my basement. And there are lots of people smarter than me, and they can do it for almost nothing."
Elkins selected an ATtiny85 microchip from a Digispark Arduino board. He de-soldered the chip from the board after reprogramming it to conduct an attack. The chip was then soldered on to the motherboard of a Cisco ASA 5505 firewall, giving the chip access to the serial port of the firewall.
The chip was programmed to start attacking once the firewall boots up in a data centre.
Having access to the serial port enabled the chip to "impersonate" a security admin accessing the firewall configuration by connecting their machine directly to that port.
Then the chip initiates the password recovery feature of the firewall, enabling it to create a new admin account with access to the firewall's settings.
Remote access to the server can then be enabled, compromising its security and exposing a firm's data centre to attack.
Elkins will present his proof-of-concept attack at the CS3sthlm security conference later this month in Stockholm, Sweden.
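The sequence described above ends with a new admin account and newly enabled remote access, both of which leave traces in the firewall configuration. The following is an added example, not code from Elkins or from the article: it compares an exported configuration against a known-good baseline and flags those changes. The sample configurations, hostnames, account names and hash placeholders are constructed, and it assumes the configuration is available as plain text in Cisco ASA syntax.

```python
import re

# Constructed sample configs in Cisco ASA style; not from a real device.
BASELINE = """\
hostname edge-fw
username netadmin password EXAMPLEHASH1 encrypted privilege 15
ssh 10.0.10.0 255.255.255.0 inside
no service password-recovery
"""
CURRENT = """\
hostname edge-fw
username netadmin password EXAMPLEHASH1 encrypted privilege 15
username support password EXAMPLEHASH2 encrypted privilege 15
ssh 10.0.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

USER_RE = re.compile(r"username +(\S+) ")
# Management access rules: "<ssh|telnet|http> <network> <mask> <interface>"
REMOTE_RE = re.compile(r"(?:ssh|telnet|http) +\d+\.\d+\.\d+\.\d+ +\S+ +\S+$")
NO_RECOVERY = "no service password-recovery"  # ASA command disabling password recovery


def parse(config):
    """Extract local accounts, management access rules and recovery state."""
    users, remote, recovery_disabled = set(), set(), False
    for line in (raw.strip() for raw in config.splitlines()):
        match = USER_RE.match(line)
        if match:
            users.add(match.group(1))
        elif REMOTE_RE.match(line):
            remote.add(line)
        elif line == NO_RECOVERY:
            recovery_disabled = True
    return users, remote, recovery_disabled


def audit(baseline, current):
    """Return (finding, detail) tuples for changes relative to the baseline."""
    base_users, base_remote, _ = parse(baseline)
    cur_users, cur_remote, recovery_disabled = parse(current)
    findings = [("new-account", u) for u in sorted(cur_users - base_users)]
    findings += [("new-remote-access", r) for r in sorted(cur_remote - base_remote)]
    if not recovery_disabled:
        findings.append(("password-recovery-allowed", NO_RECOVERY + " is absent"))
    return findings


if __name__ == "__main__":
    for finding, detail in audit(BASELINE, CURRENT):
        print(f"{finding}: {detail}")
```

The baseline has to be stored off the device, since a configuration read from a compromised firewall cannot vouch for itself.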