Author Topic: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.  (Read 67948 times)

0 Members and 1 Guest are viewing this topic.


Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
I don't buy this.

1. The attack is terribly easy to identify once in place.
2. This is the least cost effective way of doing an attack. Custom silicon, target modification, infiltration are stupidly expensive compared to other vectors like firmware and post-manufacturing implants.
3. Just the supply chain and quantity of humans involved for these implant devices is huge and it's difficult to compartmentalise that number of people.
4. It requires extreme knowledge of the target design and ability to modify it so there is a huge infiltration identification risk.
5. Evidence is permanently left lying around after it is identified. No national entity would get away with being that brazen.

I'm calling either bullshit, propaganda or CYA here until I see a proper design analysis.
 
The following users thanked this post: tooki, tsman, a59d1

Offline funkyantTopic starter

  • Supporter
  • ****
  • Posts: 125
  • Country: au
    • YouTube Channel
It shouldn't be too hard for somebody to get their hands on one of the allegedly affected boards. There's millions of them.

Hopefully we hear something a bit more in depth/ reliable/ technical soon.
 

Offline MK14

  • Super Contributor
  • ***
  • Posts: 4527
  • Country: gb
It shouldn't be too hard for somebody to get their hands on one of the allegedly affected boards. There's millions of them.

Hopefully we hear something a bit more in depth/ reliable/ technical soon.

There are plausible rumors that the story is false.
To avoid starting a political discussion, I have left out the details, as to why.
I managed to carefully edit in some details, but have left out the stronger political stuff.

https://www.theinquirer.net/inquirer/news/3063945/chinese-spies-reportedly-used-microchips-to-infiltrate-apple-and-amazon

Quote
Both Amazon and Apple strongly refute Bloomberg's report.

I.e. They seem to be saying the story is NOT true.

Quote
However, Bloomberg's sources are adamant. "The companies' denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government's investigation." µ
« Last Edit: October 04, 2018, 01:28:16 pm by MK14 »
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Indeed. Ears peeled to see where this goes.

Honestly this is could even be posturing for a "friendly" attack being discovered. If you look at any supermicro boards they have proudly stamped on it "designed in USA" so either the design was modified after shipping, which design validation should pick up on production sampling, or it was modified at source of this is true which could be any actor in theory.

We may never know.
 

Offline MK14

  • Super Contributor
  • ***
  • Posts: 4527
  • Country: gb
This also seems to say that the story is not true.
I.e. That both Apple and Amazon, deny that the story is true.

https://www.scmp.com/tech/enterprises/article/2167032/apple-amazon-deny-report-chinese-use-tiny-chips-hack-their-networks

Quote
Apple, Amazon deny report on Chinese use of tiny chips to hack into their networks
 
The following users thanked this post: bd139, tsman

Offline NivagSwerdna

  • Super Contributor
  • ***
  • Posts: 2495
  • Country: gb
Not convinced.  Looks like some RF conditioning added during final fab,... more inductance they expected on memory traces?

Need some X-ray evidence of the device.
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
I don't buy this.

1. The attack is terribly easy to identify once in place.
2. This is the least cost effective way of doing an attack. Custom silicon, target modification, infiltration are stupidly expensive compared to other vectors like firmware and post-manufacturing implants.
3. Just the supply chain and quantity of humans involved for these implant devices is huge and it's difficult to compartmentalise that number of people.
4. It requires extreme knowledge of the target design and ability to modify it so there is a huge infiltration identification risk.
5. Evidence is permanently left lying around after it is identified. No national entity would get away with being that brazen.

I'm calling either bullshit, propaganda or CYA here until I see a proper design analysis.

6. The story comes out of Bloomberg, an organisation famed for their in-depth investigative journalism, especially in the technology field, not.

Like you, I'm deeply sceptical until I see this from a reputable tech savvy person or organization who has been able to reproduce the findings first hand and properly documents them in a way that is reproducible by other third parties.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 
The following users thanked this post: tooki, newbrain

Online wraper

  • Supporter
  • ****
  • Posts: 16795
  • Country: lv
2. This is the least cost effective way of doing an attack. Custom silicon, target modification, infiltration are stupidly expensive compared to other vectors like firmware and post-manufacturing implants.
Tampering with firmware is way easier to detect. And it's not that expensive compared to gains you can get, especially if you are Chinese government.
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Tampering with firmware is way easier to detect. And it's not that expensive, especially if you are Chinese government.

Not really. All you need is access to the signing key and method which is a single simple attack vector (rubber hose).

Hell I've been entrusted to many "signing keys" and "master passwords" before and had to explain to large financial companies that no it's not ok shipping your EV keys on an unencrypted laptop one of your junior developers lugs to and from work on a tube.

Firmware tampering's only defence is competence and there isn't a lot of that around in the human race and I suspect most of it works at Apple or somewhere where they pay is better.
 

Offline NiHaoMike

  • Super Contributor
  • ***
  • Posts: 8973
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #10 on: October 04, 2018, 02:11:58 pm »
I'd imagine it would be way easier to replace one of the chips with a "tampered" version than to design what they are calling a tiny spy chip.
Cryptocurrency has taught me to love math and at the same time be baffled by it.

Cryptocurrency lesson 0: Altcoins and Bitcoin are not the same thing.
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #11 on: October 04, 2018, 02:15:08 pm »
Yes like the large Chinese Aspeed SoC IC on the board :)
 

Online wraper

  • Supporter
  • ****
  • Posts: 16795
  • Country: lv
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #12 on: October 04, 2018, 02:17:49 pm »
Tampering with firmware is way easier to detect. And it's not that expensive, especially if you are Chinese government.

Not really. All you need is access to the signing key and method which is a single simple attack vector (rubber hose).

Hell I've been entrusted to many "signing keys" and "master passwords" before and had to explain to large financial companies that no it's not ok shipping your EV keys on an unencrypted laptop one of your junior developers lugs to and from work on a tube.

Firmware tampering's only defence is competence and there isn't a lot of that around in the human race and I suspect most of it works at Apple or somewhere where they pay is better.
If servers are going to be used by secret agencies, you can be pretty sure they'll check the firmware. Moreover they also receive source code from suppliers. These are not home PCs FFS.
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #13 on: October 04, 2018, 02:22:21 pm »
I worked in defence sector IT security for a few years and was cleared.

No.

They don’t check the firmware and 99% of hardware is commodity even on classified stuff. And on top of that even with escrow and shared source you don’t get everything. For example on windows shared source you don’t get the cryptographic service providers even if your company makes stark industries look like a Hasbro.

Edit: also don’t assume the competent people work in defence sector. They’re all in finance, like me, where the $$$ is.
« Last Edit: October 04, 2018, 02:24:08 pm by bd139 »
 
The following users thanked this post: rx8pilot, newbrain, NivagSwerdna, MK14, a59d1

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #14 on: October 04, 2018, 02:37:13 pm »
Tampering with firmware is way easier to detect. And it's not that expensive, especially if you are Chinese government.

Not really. All you need is access to the signing key and method which is a single simple attack vector (rubber hose).

Hell I've been entrusted to many "signing keys" and "master passwords" before and had to explain to large financial companies that no it's not ok shipping your EV keys on an unencrypted laptop one of your junior developers lugs to and from work on a tube.

Firmware tampering's only defence is competence and there isn't a lot of that around in the human race and I suspect most of it works at Apple or somewhere where they pay is better.

Indeed, I've had a similar conversation with womeone this morning who considered it OK to have an unencrypted laptop with his unencrypted secure certificate and keys on the desktop.

So far I've been very nice to him and just deleted the files then requested he encrypts the machine before he leaves the building

If I dont see it registered as encrypting/encrypted by close of business then I'll delete his machine from the network, lock his account, revoke his keys and certificate then report him to Infosec who won't be as nice to him.

 

Offline VintageTekFan

  • Regular Contributor
  • *
  • Posts: 82
  • Country: us
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #15 on: October 04, 2018, 03:11:35 pm »
The timeline would fit for when DELL started including signed firmwares and encryption in their BIOSs and hardware. https://www.infoworld.com/article/3029728/security/dell-bios-verification-extends-security-focus.html
The three laws of thermodynamics:
1. You can't win.
2. You can't even break even.
3. You can't get out of the game.
 

Offline Dave3

  • Regular Contributor
  • *
  • Posts: 55
  • Country: au
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #16 on: October 04, 2018, 03:13:49 pm »
It is difficult to "disprove" the Bloomberg article and I assume it is directionally correct for now, without evidence to the contrary.

Apple, Amazon, etal. may be ordered by government to deny attack or not comment at all. The government may provide precise wording the companies may disclose. Those corporate "comments" should be dismissed outright.

Bloomberg runs ultra-high end, ultra secure, trading systems for the largest global banks and investment managers, so the "journalists" will have access to top-tier engineers in-house.

From a profit perspective, Bloomberg risks quite a lot of future Chinese banking business with this article so I can't understand how the bean counters allowed this article to be published.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 6877
  • Country: ca
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #17 on: October 04, 2018, 04:00:00 pm »
Or it is the other way around, government telling Bloomberg what to say.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: all_repair, bd139

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #18 on: October 04, 2018, 04:41:41 pm »
That article reeks of bullshit and FUD to me.
Unfortunately written by someone who doesn't understand the tech, losing any details that might be informative.
Something inline with SPI flash is about the only thing I can guess based on the sparse info there, maybe even just disabling any write protection.
 
 
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 
The following users thanked this post: amyk, all_repair, tooki, CJay, BrianHG, bd139, tsman, a59d1

Offline T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 21606
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #19 on: October 04, 2018, 05:13:03 pm »
I don't buy this.

1. The attack is terribly easy to identify once in place.
2. This is the least cost effective way of doing an attack. Custom silicon, target modification, infiltration are stupidly expensive compared to other vectors like firmware and post-manufacturing implants.
3. Just the supply chain and quantity of humans involved for these implant devices is huge and it's difficult to compartmentalise that number of people.
4. It requires extreme knowledge of the target design and ability to modify it so there is a huge infiltration identification risk.
5. Evidence is permanently left lying around after it is identified. No national entity would get away with being that brazen.

I'm calling either bullshit, propaganda or CYA here until I see a proper design analysis.

All your points suggest someone knew; the article says the CIA knew since 2014.  Presumably it wasn't hard to find information around the design, fab and distribution of these chips, just as you suggest.

The article also notes that they wouldn't be wise to release a public statement about the hazard.  The difference between Chinese and US intel: the former can control whatever they want, through direct intimidation, network filtering and so on; the latter can only monitor and covertly plant.

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #20 on: October 04, 2018, 05:20:14 pm »
Its all for the quick bucks from the short sale on the affected companies stocks. Like the Trump did on Amazon, easy money.  :-DD

Offline Red Squirrel

  • Super Contributor
  • ***
  • Posts: 2748
  • Country: ca
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #21 on: October 04, 2018, 05:25:10 pm »
Yikes I have several supermicro servers at home.  :o   looks like they only went after the blade servers though?  I might be safe.  Then again if it's not China putting backdoors, it's the US, via Intel chips.  Seems everything is backdoored now. 
« Last Edit: October 04, 2018, 05:27:07 pm by Red Squirrel »
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #22 on: October 04, 2018, 05:27:20 pm »
Let's apply Ockham here. Which is more likely:

1) China try a high cost, high probability of detection, low probability of success, exploit of limited applicability.

2) In a political climate of 'post truth' someone who wants to provoke a trade war with China 'leaks' propaganda. Everybody else (FBI, DNI, Apple, Amazon etc.) who ought to know about it denies that there is any veracity to it, including people who have the clout to tell the truth and damn anyone who tries to shut them up.

In the absence of verifiable evidence of this exploit, I think Ockham tends towards (2).
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 
The following users thanked this post: tooki

Offline ajb

  • Super Contributor
  • ***
  • Posts: 2582
  • Country: us
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #23 on: October 04, 2018, 05:29:12 pm »
Hacakaday pointed out something interesting:

Hackaday spoke with Joe FitzPatrick (a well known hardware security guru who was quoted in the Bloomberg article). He finds this reported attack as a very believable approach to compromising servers. His take on the BMC is that it’s usually an ARM processor running an ancient version of Linux that has control over the major parts of the server. Any known vulnerability in the BMC would be an attack surface for the custom chip.

If that's the case, then perhaps there is a vulnerability that could be exploited by only changing a few bytes of data in, say, external flash.  The malicious part then simply needs to be able to watch for the appropriate addresses to be read, and insert its doctored data onto the data lines.  That could easily be done in a small device that straddles an SPI interface.  However, I would expect that it would be a lot simpler to substitute a malicious flash IC, which would allow you to have plenty of extra storage and processing to carry out more sophisticated (and updateable!) attacks, and wouldn't require modifying the board layout.
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #24 on: October 04, 2018, 05:39:21 pm »
Let's apply Ockham here. Which is more likely:

1) China try a high cost, high probability of detection, low probability of success, exploit of limited applicability.

2) In a political climate of 'post truth' someone who wants to provoke a trade war with China 'leaks' propaganda. Everybody else (FBI, DNI, Apple, Amazon etc.) who ought to know about it denies that there is any veracity to it, including people who have the clout to tell the truth and damn anyone who tries to shut them up.

In the absence of verifiable evidence of this exploit, I think Ockham tends towards (2).

I’m heading in the same direction on that line of thought. The Chinese aren’t idiots.

In fact I’d go as far as to say the only likely vector here is an infiltration into Supermicro themselves from a US based actor (three letter agency) and that’s only if there is some credible evidence that this isn’t horse dung. This might just be finger pointing for plausible deniability in the future.

Hell perhaps there is nothing yet but when they do find something it will be China’s fault by default then.
« Last Edit: October 04, 2018, 05:41:32 pm by bd139 »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf