Spy Chip embedded in SuperMicro motherboards?

Is there any truth to this?

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Supermicro, Apple, Amazon, and others have said there’s no truth to the story and have demanded a retraction of the story. Meanwhile one expert is saying it’s not a problem for Supermicro, it’s a problem for everyone including anywhere along the supply chain, not just the manufacturing.

My guess is the truth is somewhere in the middle. It’s likely a real thing but maybe not as prevalent as the Bloomberg article makes it out to be. I’m waiting for Bloomberg to present more evidence as is everyone else following the story. This could lead to some interesting legal battles for Bloomberg.

Dude! You need to spend more time on “lefty” websites…

Based on his inspection of the device, Appleboum determined that the telecom company’s server was modified at the factory where it was manufactured. He said that he was told by Western intelligence contacts that the device was made at a Supermicro subcontractor factory in Guangzhou, a port city in southeastern China. Guangzhou is 90 miles upstream from Shenzhen, dubbed the ‘Silicon Valley of Hardware,’ and home to giants such as Tencent Holdings Ltd. and Huawei Technologies Co. Ltd.

The tampered hardware was found in a facility that had large numbers of Supermicro servers, and the telecommunication company’s technicians couldn’t answer what kind of data was pulsing through the infected one, said Appleboum, who accompanied them for a visual inspection of the machine. It’s not clear if the telecommunications company contacted the FBI about the discovery. An FBI spokeswoman declined to comment on whether it was aware of the finding.

from https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom

The motherboard failed the factory final assembly test. The “embedded chip” is a factory repair.

1 Like

Or, conversely …

1 Like

Very true …

Also, I’m sure there are many backdoors in many devices and software we have around. Notably, I recently found a backdoor in some software we, at the space, were using for the RFID door locks. And there most likely are backdoors in our IP cameras, I will have to check the versions now.

For me, this is just a reminder that not all hardware or firmware is trustworthy.

1 Like

Working in the industry that specialises in this, we all concluded this article is BS/FUD.

There are numerous issues with the description on how the devices supposedly worked, and what they were like. First, the devices in question don’t even remotely have the pin counts required to tamper with memory between the CPU/RAM due to the way address space is randomized, so one can’t bank on certain instructions going to certain RAM modules.
Second, the BMCs can’t access hard disks and sensitive data when the machine is off. The BMCs only draw 5W, and even an SSD turning on would have noticeable power draw increases. The BMC may be on but that doesn’t mean the SATA/SAS/PCIe lanes are able to operate without the primary power initiated.
Third, in hardened targets like Apple, Amazon, and others BMC controllers can’t access the internet; they’re on isolated networks. They are not a good target to infect with this type of attack.
Fourth, the denials. Unlike an average company denying such an incident, Apple/Amazon/others are large public corporations. They aren’t allowed to lie to shareholders, and an incident of this magnitude would be one of particular scrutiny by various groups and auditing.
Fifth, the chip’s sheer size, for the capabilities advertised by Bloomberg, would require significant advances in silicon lithography to do reliably (let alone in quantity).

Sixth, and most important of all, is there isn’t a reason to use a hardware attack in this scenario. First, BMC firmwares have already been riddled with holes over the years and exploited to that effect. Additionally flashing a malicious firmware in the factory, if not just exploited after deployment, doesn’t require nearly the level of effort nor leave a physical trace. If you somehow tampered in the factory with a PCB, which is a massive undertaking, you could have spent far less time tampering with the firmware, not left a physical evidence trail, and ended up with far more spying capabilities.

Serve the Home does a good breakdown on the issues here: https://www.servethehome.com/investigating-implausible-bloomberg-supermicro-stories/

Another hardware security researcher has a good way of describing why this doesn’t make sense for this type of attack: "Installing malicious software on 10,000 systems is a system management problem. Installing malicious hardware on 10,000 systems starts out as an HR problem and moves on from there. It’s just not scalable." ( https://twitter.com/securelyfitz/status/1047942844738981889 ). These particular reporters also refused to retract previous infosec articles that were widely found to be inaccurate, such as a pipeline explosion they claimed was an ICS malware (Archive.org used to bypass paywall): http://archive.is/tE1jJ
SANS’ response, one of the leading ICS security groups including the team I trained with: https://ics.sans.org/blog/2015/06/19/closing-the-case-on-the-reported-2008-russian-cyber-attack-on-the-btc-pipeline
In short, Bloomberg refused to retract the story even after it was found that the alleged attack vectors didn’t even exist, and that the forensics investigation confirmed the use of explosives at the site.

It’s not all even backdoors, but often just super shoddy firmware and software life-cycle processes. Often times one cannot think of a legitimate, non-malicious reason some software or hardware is acting the way it is, but often it’s just some idiot developer.
Case in point, I was doing hardware and software analysis of a certain unnamed Point of Sale system. I found what seemed to be a backdoor added to the device through a channel that should not be capable of code execution by basic kernel design. Turns out the developers did some convoluted thing and opened up these capabilities because they didn’t know any better.

As a final thought, and take this as you will, Bloomberg reporters (unlike most firms) gain bonuses if their reports “move markets.” Most reporters get paid the same regardless of what comes from an article, but Bloomberg reporters have an incentive for certain levels of sensationalism. Whether or not that contributed to this remains to be seen, and given the large amount of technical and practical issues that lend credence to this being FUD I put those forward first and use that to base my point of view but this certainly doesn’t help them.

Cheers,
-Jim

6 Likes

I’ve had the same desktop machine at home for almost 10 years now. Unlike machines previous it just didn’t seem to grow so long in the tooth so fast for a variety of reasons - my gaming fell off, it was a quad-core machine, and the realized performance gap between subsequent generations of Intel’s ix processors didn’t loom as large as during the mono-core era.

But two things have happened somewhat recently-ish to change this.

  • A few years ago the Rowhammer vulnerability was discovered which is a hardware vulnerability that can be mitigated but not fully hardened against - the physical memory itself will always be vulnerable to this exploit
  • More recently, speculative execution exploits - Meltdown and Spectre - have been discovered; OS vendors and CPU vendors have released software and firmware patches to mitigate these, however …
    • There’s a performance hit since speculative execution is a significant percentage of the performance advantage modern hardware offers
    • Intel was quite reluctant to patch my generation CPU - not sure if the microcode patch for first-gen i3/i5/i7 is out yet; future vulnerabilities are highly unlikely to see a patch if they’re even possible

As such, the desktop needs replacing sooner rather than later. Hardware, like software, has a shelf life not just in terms of performance but also in terms of security. Like computing appliances, manufacturer support is to a degree contingent upon present and future revenue potential.

1 Like
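An added example, not part of any post in this thread: one way to check whether a Linux machine actually has the Meltdown/Spectre-class mitigations and microcode discussed above is to read the kernel's per-issue status files under `/sys/devices/system/cpu/vulnerabilities`. The function names below are hypothetical helpers written for this illustration.

```shell
#!/bin/sh
# Added example: summarise the kernel's CPU vulnerability report.
# Linux exposes one file per known issue in
# /sys/devices/system/cpu/vulnerabilities; each holds a status line such as
# "Not affected", "Mitigation: PTI" or "Vulnerable: ..., no microcode".

# classify_status STATUS_LINE -> prints ok, mitigated, vulnerable or unknown
classify_status() {
    case "$1" in
        "KVM: "*)        classify_status "${1#KVM: }" ;;  # hypervisor-scoped entries
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> prints "name<TAB>class<TAB>raw status" for every file in DIR
report_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f")
        printf '%s\t%s\t%s\n' "$(basename "$f")" \
            "$(classify_status "$status")" "$status"
    done
}

# count_vulnerable DIR -> prints how many entries are classed "vulnerable"
count_vulnerable() {
    report_dir "$1" | awk -F '\t' '$2 == "vulnerable" { n++ } END { print n + 0 }'
}

# Query the live system only when --live is passed as the first argument.
if [ "${1:-}" = "--live" ]; then
    report_dir /sys/devices/system/cpu/vulnerabilities
fi
```

A status that contains "no microcode" means the kernel attempted a mitigation but the CPU has not received the microcode update it depends on.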

This reminds me that there are efforts to increase trust and auditability within the manufacturing industry with blockchain.

And it looks like there’s some big players behind the movement.

https://www.blockchainresearchinstitute.org/manufacturing-1/

Correct me if I’m wrong, but doesn’t/hasn’t CALEA (communications assistance for law enforcement act) already provide a similar problem for US manufactured equipment? I am a CS neophyte still working on my CCNA RS/Security, so if that’s a thing of the past already I haven’t gotten there yet.

There is basically zero reason to use blockchain for that purpose, and it doesn’t actually add any security / reliability. NIST has a great graphic on when it’s a suitable replacement for a traditional DB.

To be a little less terse, the issue is that supply chains can’t have random groups provide data into the trust chain. Blockchain is only valuable in the case anyone can enter without trust, without central groups or controlling authorities (the factories and supply chain users). You can do a trustful blockchain, but it doesn’t have any value over a database.

1 Like