Supply chains and trust

By: Adrian, October 4, 2018 12:36 pm
Room: Moderated Discussions
Maynard Handley on October 4, 2018 12:08 pm wrote:
> No-one is denying that the PRC engages in cyber-espionage (just like Russia, just like the US).
> What is being denied is the precise details of the Bloomberg story, that a physical device (a
> "chip") of certain character was placed on multiple boards with the capability of doing certain
> things. THAT is the part that looks like "stupid people trying to write technolingo".
> There are too many details that seem to make no sense --- for example this device
> is tiny, right, "grain of rice". So how do data and power get to it? Microbumps? But
> then where exactly does it sit, because microbumps are going to require something
> bizarre like peeling the ceramic off the CPU. And that's not going to stand out?
> "This happened at a crucial moment, as small bits of the operating system were being stored
> in the board’s temporary memory en route to the server’s central processor, the CPU."
> So what, it's sitting on the traces between the DRAMs and the CPU? And what? Injecting
> enough current into those traces to rewrite the signal? Using what power?
> Or
> "The illicit chips could do all this because they were connected to the baseboard management controller"
> So what is it? Where exactly WERE they connected? To the CPU? the DRAM? the BMC?

Obviously the technical details from the Bloomberg article are very confused, maybe intentionally so that they cannot be accused of explaining how to do this.

Nevertheless, what they say is consistent with inserting a microcontroller on the SPI link between the BMC and the flash memory that contains the BMC programs. That flash memory is copied into BMC RAM at boot.

Most of the time the backdoor microcontroller can be transparent for the SPI data, so its presence will never be detected by electrical tests, but sometimes it could provide a program that will be executed by the BMC, thus taking control over the computer.

Such a microcontroller would require an 8-pin package (power & ground, SPI clock and chip select, 4 SPI data lines to & from both BMC & flash). There are 8-pin packages (e.g. from NXP) with an area just a little over one square millimeter, which would be hard to detect at a normal optical inspection, which only searches for bad soldering.

So from a technical point of view, this exploit can be easily done.

Nevertheless, it would require a lot of compliant people at the Chinese subcontractors.

Whoever would do this would need to obtain the original PCB design documents, modify them, provide the modified documents in 2 places, both at PCB manufacturing and at PCB assembly (pick & place) and mount there an extra reel with the trapdoor component, which will not come from the normal part suppliers.

Not impossible for the Chinese state but also not easy to do undetected.

Because Bloomberg quotes a large number of independent anonymous sources, if the story is fake then some large organization would have been required to orchestrate such a disinformation campaign that would have convinced Bloomberg to publish such fake news.

So it is very hard to assess whether the Bloomberg article contains fake news or the strong denials from Apple & Amazon are fake news.

If the story were true, it would not be a surprise as China would not have done something really new but it would have just joined USA & Russia on the list of countries known to have done such operations (i.e. designing special spying integrated circuits and planting them in IT equipment used by their targets).
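The post's point that such a device would sit on the SPI bus and be transparent most of the time has a direct consequence for anyone trying to verify a BMC: a firmware hash taken by reading the flash back over that same bus proves nothing on its own, because the read travels through the very path being questioned. What a defender can do is corroborate the flash contents against a second observation, such as a capture of the image the BMC actually loaded into RAM at boot, and report where the two disagree. The script below is an added illustration of that comparison and is not part of the thread or of any vendor's tooling; the 4 KiB "firmware image", its manifest hash, and the altered copy standing in for a boot-time RAM capture are all constructed here, and the function names are this example's own.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data (not from the thread): a toy 4 KiB "BMC firmware
# image" standing in for the contents of the SPI flash discussed above.
GOLDEN_IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(4096))
# The hash a vendor would publish for this image (computed here, so it matches).
GOLDEN_SHA256 = hashlib.sha256(GOLDEN_IMAGE).hexdigest()

# Constructed: a copy of the image with one 64-byte region altered. It stands in
# for a capture of BMC RAM after boot that does not match what the flash holds.
_altered = bytearray(GOLDEN_IMAGE)
for _i in range(0x480, 0x4C0):
    _altered[_i] ^= 0xFF
ALTERED_IMAGE = bytes(_altered)


def sha256_hex(image: bytes) -> str:
    """SHA-256 of a firmware dump as a hex string."""
    return hashlib.sha256(image).hexdigest()


def verify_against_manifest(image: bytes, expected_sha256: str) -> bool:
    """True if the dump matches the published (known-good) hash."""
    return sha256_hex(image) == expected_sha256


def diff_regions(a: bytes, b: bytes, block: int = 256) -> List[Tuple[int, int]]:
    """Return [(start, end), ...] byte ranges in which two dumps differ.

    Dumps are compared block by block; adjacent differing blocks are merged
    into a single range so the report stays short even for large images.
    """
    if len(a) != len(b):
        raise ValueError(f"dump sizes differ: {len(a)} vs {len(b)}")
    regions: List[Tuple[int, int]] = []
    start = None
    for off in range(0, len(a), block):
        same = a[off:off + block] == b[off:off + block]
        if not same and start is None:
            start = off            # a differing run begins here
        elif same and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:          # run extends to the end of the image
        regions.append((start, len(a)))
    return regions


def corroborate(flash_dump: bytes, loaded_image: bytes, expected_sha256: str) -> Dict:
    """Cross-check the flash contents against what the BMC actually loaded.

    A flash dump that matches the manifest is necessary but not sufficient:
    if the image observed in RAM after boot differs from the flash, something
    between the flash and the BMC changed the data in transit.
    """
    return {
        "flash_matches_manifest": verify_against_manifest(flash_dump, expected_sha256),
        "loaded_matches_manifest": verify_against_manifest(loaded_image, expected_sha256),
        "differing_regions": diff_regions(flash_dump, loaded_image),
    }


def main() -> None:
    report = corroborate(GOLDEN_IMAGE, ALTERED_IMAGE, GOLDEN_SHA256)
    print("flash matches manifest :", report["flash_matches_manifest"])
    print("loaded matches manifest:", report["loaded_matches_manifest"])
    for start, end in report["differing_regions"]:
        print(f"flash and loaded image differ in [0x{start:05x}, 0x{end:05x})")


if __name__ == "__main__":
    main()
```

Run as-is, the flash dump passes the manifest check while the boot-time capture does not, and the report names the one 256-byte block in which they diverge. In practice the second observation would come from an independent path (a debug port, a programmer clip on the flash, or a hash the BMC computes over its own RAM and reports out), since a read that merely repeats the same bus transaction would see the same data.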
