Joe Fitz @securelyfitz, 17 tweets, 4 min read
At one point in time I had a conversation about how I would put a hardware implant into a system. I'm delighted to see @qrs had a very similar assessment:
Given a photo of a server motherboard, this was my response after a few minutes. You'll have to take my word I wrote this 4 Sept 2017.

"Well, you picked an easy one, it already has a backdoor :)"
"The ASPEED chip (1) is the BMC or Board Management Controller. It's an extra CPU on the system that is supposed to 'manage' the actual server that does all the work, like negotiating power supplies and storage connections with the rest of the servers in the rack."
"The ASPEED chip is likely running an ancient, outdated Linux kernel that has documented vulnerabilities. Even if it is not, its entire firmware is stored on a simple 8 or 16 pin chip (2 or 3, most likely #3)"
"In the event that wouldn't work, the other chip (probably #2) is almost certainly the PC BIOS. You can add a bootkit that loads some code at boot and configures it to be run once the operating system has loaded."
"There's a space (4) for yet another chip. From the looks of it it might be an alternate place for the PC BIOS (2) in case they wanted to cut costs and use an 8 pin part instead of a 16 pin part, but it could have a different purpose"
"Lastly there are tons of testpoints (5) that could include a debug port to the board management controller, or could be to monitor the interface between BMC and the main CPU"
"My hardware attack scenarios in order: (assuming software were out of scope)"
"1. Modify the ASPEED flash chip to give a backdoor that can drop a payload into the host CPU's memory sometime after boot."
"2. Modify the PC BIOS flash chip to drop a bootkit backdoor into the OS sometime after boot."
"3. Solder a device onto the board to intercept/monitor/modify the values read from the flash chip as they are accessed to inject malicious code somewhere"
"4. Find debug connections on the testpoints to allow debugger control of the ASPEED BMC, allowing you to direct it to drop a payload into memory"
"I think that #4 would probably be the coolest illustration of the point. You could glue the microcontroller you've got upside-down to the top of the ASPEED chip, and then solder its legs to some nearby testpoints (AKA dead-bug-style soldering)"
"If you wanted the implant to look more discreet, you could place it on the spot labeled '4' but don't solder the legs down to those pads, instead run fine wires to testpoints. That would look more 'factory rework' than 'malicious implant'"
"The more advanced attack is much more difficult and would require more than just an 8-pin microcontroller. In the part below, there's 4 pairs of wires routed to the connector on the left with nothing on the right side - they're just not used."
"It would be conceivable to attach to those lines (almost certainly PCI Express) with a malicious device that could do direct memory attacks on the system as long as the OS doesn't properly enable those protections."
Also in 2017, I presented this slide w/ @r00tkillah a few times. These are supposed to be 'stateless' logic-only devices. Quad XOR on the right, microcontroller with code implementing a Quad XOR on the left. That also stores the last 1024 bits XORed. Can you tell the difference?
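
The slide's question as a behavioural model, added here as an example and not code from the thread or the talk: an exhaustive input/output test of a quad XOR gate against a look-alike that also keeps the last 1024 result bits. The names, the choice to log gate outputs, and the bit-packed ring buffer are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#define LOG_BITS 1024 /* "last 1024 bits XORed", per the thread */

/* Reference part: four 2-input XOR gates (bits 0..3 of a and b), no memory. */
static uint8_t quad_xor_gate(uint8_t a, uint8_t b) {
    return (uint8_t)((a ^ b) & 0x0F);
}

/* Hypothetical model of the look-alike: same outputs, plus a ring
   buffer that retains the most recent LOG_BITS output bits. */
typedef struct {
    uint8_t log[LOG_BITS / 8];
    unsigned head; /* next bit slot to overwrite */
} mcu_xor_t;

static uint8_t mcu_xor_step(mcu_xor_t *m, uint8_t a, uint8_t b) {
    uint8_t y = (uint8_t)((a ^ b) & 0x0F);
    for (int g = 0; g < 4; g++) {
        uint8_t mask = (uint8_t)(1u << (m->head % 8));
        if ((y >> g) & 1) m->log[m->head / 8] |= mask;
        else              m->log[m->head / 8] &= (uint8_t)~mask;
        m->head = (m->head + 1) % LOG_BITS;
    }
    return y;
}

/* Black-box functional test: every input combination, count output mismatches. */
static unsigned functional_mismatches(mcu_xor_t *m) {
    unsigned bad = 0;
    for (uint8_t a = 0; a < 16; a++)
        for (uint8_t b = 0; b < 16; b++)
            bad += quad_xor_gate(a, b) != mcu_xor_step(m, a, b);
    return bad;
}

/* What only access to the part's internals would reveal. */
static unsigned retained_ones(const mcu_xor_t *m) {
    unsigned n = 0;
    for (unsigned i = 0; i < LOG_BITS; i++) n += (m->log[i / 8] >> (i % 8)) & 1u;
    return n;
}

int main(void) {
    mcu_xor_t m = {{0}, 0};
    unsigned bad = functional_mismatches(&m);
    printf("mismatches=%u retained ones=%u\n", bad, retained_ones(&m));
    return 0;
}
```

The sweep finds no output difference between the two parts, while the model's buffer ends up holding all 1024 result bits from that same test.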