
Secret Chinese spy chips hidden in internet servers

Crispy

Tiny chips smaller than the tip of a pencil were put into server motherboards, in the factory, by a dedicated branch of the PLA. These motherboards found their way into data centers all over the world. They sit behind all other security measures and allow unfettered access to the compromised machines.



Bloomberg - Are you a robot?

The (American owned and run, but Chinese manufactured) server company in question's stock price:

 
No surprise they're all denying it. No idea what to think... how can Bloomberg prove it?

Apparently it got discovered back in 2015 btw. :hmm:
 
<putting my sysadmin hat on top of my network security analyst beret, beneath both of which sits my regular cynical geek toupée>

There's plenty about the claims that don't make much in the way of any sense.

Easier by far to either a) hide backdoors in the BMC* firmware [this is all closed-source stuff so not that difficult to hide well by obfuscation] and/or b) modify the silicon of the BMC chips themselves [these are sealed in epoxy and thus you'd really need to decap and physically inspect with a microscope to spot any major differences from the original mask].

If the hack is indeed related to the BMC then the company that makes it, ASPEED, also supplies Tyan, Asus and Gigabyte server/B2B server equipment, many of which also share the same factories. Given that as well as making whitebox servers and motherboards, Supermicro hardware forms the basis for a lot of specialised hardware appliances so any breach of this regard could have potentially huge impact. Normally for a hardhack of this ingenuity, magnitude, supposed commonality and security implications I would have expected to see people falling over themselves to publish hard evidence - X-ray or IR photography of the chip in question, literally picking the motherboard apart if need be, network traces of the CnC traffic, that sort of thing. Until I see some of that I remain sceptical that this isn't some yellow-peril-cum-short-selling concoction.

Not that I'm saying this sort of hack isn't possible; as Crispy points out, it totally is. But from where I'm sitting there's a number of important details absent from the story as well as other attack vectors that are harder to detect and easier to implement and I worry it's being too sensationalised.

<mandatory disclaimer - I personally own a number of Supermicro motherboards>

* BMC = Baseboard Management Controller, an out-of-band management chip typically found on server boards (HP iLO and Dell iDRAC also being examples of BMCs); it essentially provides remote keyboard/video/mouse access as well as other remote management functions, and it commonly runs "always on" in its own discrete chip, usually without auditable source code. Because of its elevated and low-level access it's almost always regarded as a security accident waiting to happen, and thus everywhere I've worked has always kept the BMCs on a locked-down management network with no internet ingress or egress. Of course the BMC usually also has its fingers in the pies of the onboard NICs (typically also not with direct internet access but not as locked down as the management network) so there is a possibility of cross-talk... but again without any hard evidence we could guess at possible attack surfaces all day...
 
If people are prepared to read a by-geeks-for-geeks account, Serve The Home have had a couple of good articles on this (like me coming from a sceptical point of view) including an interview with one of the security researchers involved.

Original post pointing out how many points of the Bloomberg article don't make a huge deal of sense
Bloomberg Reports China Infiltrated the Supermicro Supply Chain We Investigate

Interview with Yossi Appleboum
Yossi Appleboum Disagrees with How Bloomberg is Positioning His Research Against Supermicro

Forum discussion from lots of people like me
Bloomberg Reports China Infiltrated the Supermicro Supply Chain We Investigate

Still sounds like a regular BMC vuln (two a penny TBH) to me rather than a hardhack - one of the people writing in that thread was one of those involved in discovering the so-called "iDRACula" vuln in Dell BMCs, quite by accident - worth a read if you find the anatomy of a BMC interesting, and Supermicro don't have nearly as many firmware crypto checks as Dell do.

: twiddles thumbs waiting for evidence :
 
Follow up in case anyone's still interested; Supermicro have completed their own investigation and have no chips, nor any other evidence of supply chain tampering. Open letter from the CxO's below along with a link to a video they've posted about their spy chain security;

CEO - 3rd Party Security Update | Super Micro Computer, Inc.

The audit was apparently done by a third party and currently remains nameless; I'm wondering if this is to do with pending legal action. Their share price still hasn't recovered since October.
 
There are many diseases,
That strike people's kneeses,
Scorflufus! is one by name
It comes from the East
Packed in bladders of yeast
So the Chinese must take half the blame.
Spike Milligan
 
Just how much American spy stuff is built into Intel chips?
There is speculation that backdoors exist in some FPGAs and ASICs. Then there are the concerns raised recently by ‘C’ and others regarding Huawei/ZTE (valid or politics or a bit of both?). Certainly some apparently have backdoors (but put here by who and for what purpose - the vendor for debugging, but even those could be abused). Possibly TAO and similar exploit these but they most definitely exploit holes in other vendor hardware and software all the time - there’s so many to choose from. For example, there’s a repurposed banking trojan doing the rounds at the moment, causing a lot of damage by exploiting security holes that the puzzle palace discovered, used to keep to themselves to compromise specific targets, but eventually had to tip M$ off about when they realised it had escaped into the wild and was being abused by criminal gangs.
 
Just how much American spy stuff is built into Intel chips?

Loads :) Have fun reading about the Intel Management Engine (IME) - that's an actual bit of silicon with god-rights to most of what's going on in your computer. Part of the reason the last thing you'd do to Intel machines is start adding extra chips to motherboards when software attacks on the existing silicon are generally much less visible, and attacks on the IME black box might be functionally undetectable.

AMD has pretty much the same sort of deal BTW, albeit licensed from ARM (and called TrustZone) rather than developed in-house. It's had less in the way of bad press than IME but it's also received less scrutiny.

Aw, this was such a fun story. A shame it turned out to be cobblers.

Well, I've been highly sceptical about the story from the start, but I'd be wary of calling it cobblers wholly - it's exactly the sort of thing an evil nation-state might do given access to the hardware supply chain, but I'm reasonably certain there are much easier ways to go about it by exploiting the software side of things. With a trojan chip you can yank out the board and go "look, there's a trojan chip!" but if someone monkeys with the firmware of the NIC to send out CnC messages interposed between regular traffic only on the nights of a full moon, you will have a nigh-impossible job of spotting it unless you've got some proper IDS running - or just refuse to have your computers talk directly to the internet.

There is speculation that backdoors exist in some FPGAs and ASICs. Then there are the concerns raised recently by ‘C’ and others regarding Huawei/ZTE (valid or politics or a bit of both?). Certainly some apparently have backdoors (but put here by who and for what purpose - the vendor for debugging, but even those could be abused). Possibly TAO and similar exploit these but they most definitely exploit holes in other vendor hardware and software all the time - there’s so many to choose from.

Sadly there seems to be a new backdoor uncovered monthly. Cisco have had several this year (mostly in software), and of course there's been the barrels'o'fun meltdown and spectre vulns exploiting hardware fundamentals - and those are just the accidental ones. As the proverbial infosec litany goes, as a good guy you have to win every time in order not to get hacked, but the bad guys only have to win once. And most places relying on tech haven't the faintest idea, or even care about adequately securing stuff even on what a tinfoil-loving IT professional like myself would call a reasonable basis.

For example, there’s a repurposed banking trojan doing the rounds at the moment, causing a lot of damage by exploiting security holes that the puzzle palace discovered, used to keep to themselves to compromise specific targets, but eventually had to tip M$ off about when they realised it had escaped into the wild and was being abused by criminal gangs.

A great deal of malware recently has been based on 0day vulns that have been discovered by various nations and kept hidden (instead of telling the vendor so it could be fixed or mitigated) so as to be weaponised more effectively.
 
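The post above argues that firmware-level CnC traffic hidden among regular traffic is only caught by a proper IDS. As an added example, not from the thread or from any IDS product, here is the kind of check such a system runs: group outbound connections per (source, destination, port) and flag the ones that recur at a near-constant period with tiny payloads, which is what a low-and-slow heartbeat looks like in flow data. All hosts, timestamps and byte counts are constructed for illustration, and the thresholds are assumptions to tune per network.

```python
# Added example (not from the thread): flag regularly timed, low-volume outbound
# connections in constructed flow records, a basic beacon-detection heuristic.
import statistics
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def parse_conn_line(line: str) -> Tuple[float, str, str, int, int]:
    """Parse a constructed record: '<epoch_seconds> <src> <dst> <dport> <bytes_out>'."""
    ts, src, dst, dport, nbytes = line.split()
    return float(ts), src, dst, int(dport), int(nbytes)


def beacon_score(timestamps: List[float]) -> Optional[Tuple[float, float]]:
    """Return (mean_gap_seconds, coefficient_of_variation) of the inter-arrival gaps.
    A low CV means the connections recur at an almost constant period."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None  # too few events to say anything about periodicity
    mean = statistics.fmean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(lines: List[str], min_events: int = 4,
                 max_cv: float = 0.15, max_avg_bytes: int = 2000) -> List[Dict]:
    """Group records by (src, dst, dport) and return the groups that look like heartbeats:
    enough events, near-constant period (CV <= max_cv) and small average payload."""
    groups = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, nbytes = parse_conn_line(line)
        groups[(src, dst, dport)].append((ts, nbytes))

    hits = []
    for key, events in groups.items():
        if len(events) < min_events:
            continue
        score = beacon_score([t for t, _ in events])
        if score is None:
            continue
        mean_gap, cv = score
        avg_bytes = statistics.fmean(b for _, b in events)
        if cv <= max_cv and avg_bytes <= max_avg_bytes:
            hits.append({"key": key, "period_s": round(mean_gap, 1),
                         "cv": round(cv, 3), "avg_bytes": round(avg_bytes)})
    return hits


# Constructed sample: one host with an hourly ~300-byte heartbeat hidden among
# ordinary, irregular HTTPS browsing and a couple of one-off SSH sessions.
SAMPLE_CONN_LINES = [
    "1000 10.20.0.5 198.51.100.9 443 310",    # heartbeat
    "1200 10.20.0.5 93.184.216.34 443 48210", # browsing
    "1260 10.20.0.5 93.184.216.34 443 51990",
    "2400 10.20.0.5 10.20.0.2 22 9000",       # ssh, only two events
    "4610 10.20.0.5 198.51.100.9 443 290",    # heartbeat (+10 s jitter)
    "5000 10.20.0.5 93.184.216.34 443 30500",
    "8190 10.20.0.5 198.51.100.9 443 300",    # heartbeat (-20 s jitter)
    "9900 10.20.0.5 93.184.216.34 443 77000",
    "9950 10.20.0.5 93.184.216.34 443 12000",
    "11800 10.20.0.5 198.51.100.9 443 305",   # heartbeat (+10 s jitter)
    "13000 10.20.0.5 10.20.0.2 22 8800",
    "15400 10.20.0.5 198.51.100.9 443 295",   # heartbeat
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONN_LINES):
        src, dst, dport = hit["key"]
        print(f"{src} -> {dst}:{dport} every ~{hit['period_s']} s, "
              f"cv={hit['cv']}, avg {hit['avg_bytes']} bytes")
```

Two caveats a practitioner would add: legitimate periodic traffic (NTP, update checks, monitoring agents) scores just as low on CV, so hits need an allowlist and a human look rather than an automatic block; and the "full moon" style implant the post imagines defeats a fixed-window check by design, which is why the real answer in the post is to stop machines talking to the internet directly and watch the choke point instead.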