By: Kevin G (kevin.delete@this.cubitdesigns.com), October 4, 2018 1:47 pm
Room: Moderated Discussions
David Kanter (dkanter.delete@this.realworldtech.com) on October 4, 2018 8:23 am wrote:
> Bloomberg released a fantastic report on Chinese intelligence inserting malicious
> HW into supply chains for servers: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies?srnd=premium
>
> It sure gives a different angle to the move to a hardware root-of-trust by the industry. In reality though,
> I'm not sure if HW RoT is sufficient. You can always sniff capacitance across an exposed wire!
>
> David
A couple of notes from my read through of the article:
SuperMicro's engineers themselves are not taking part in this. Only the manufacturing wing seems to be compromised. This will certainly have ramifications within the company.
The server compromise with Apple seems to have happened based upon luck rather than explicit targeting. However, Apple's cloak of secrecy seemingly prevented the reverse engineering of these chips when they were discovered. Also Apple has a robust enough internal security team to actually catch this kind of compromise which is something that could easily be overlooked.
The pictured chip only has six pins which my novice guess would some sort of SPI module. This would explain how they were able to interface with various other components on motherboards and sneak the chip into so many designs: often the traces for SPI ports remain after debugging is complete but the headers are no populated once a board reaches production. What stands out here is that it seemingly communicated with system management as a means of by passing OS level restrictions. This also has me wondering if this some how ties into various Intel AMT/Management Engine exploits that were made public a bit over a year ago. Or this could be something new as well.
The line about embedding some of these chips into the layers of the motherboard seems a bit improbable. It would only make sense if the existing manufacturing lines supported this but my impression of the market is that such manufacturing is only used in mobile applications where space is at a very high premium. Various network and server hardware doesn't use that level of board level integration to my knowledge (though I will admit if it is used, slipping in a chip between PCB layers is indeed a very clever means of hiding a chip). The intent here doesn't seem to be aimed at mobile either as it is very arbitrary who would get a particular phone and there are fewer interfaces to leverage against mobile hardware. With phones coming from so many suppliers outside of Chinese influence, it doesn't seem that it'd be useful as a wide spread attack vector (ie shutting down mobile infrastructure).
> Bloomberg released a fantastic report on Chinese intelligence inserting malicious
> HW into supply chains for servers: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies?srnd=premium
>
> It sure gives a different angle to the move to a hardware root-of-trust by the industry. In reality though,
> I'm not sure if HW RoT is sufficient. You can always sniff capacitance across an exposed wire!
>
> David
A couple of notes from my read through of the article:
SuperMicro's engineers themselves are not taking part in this. Only the manufacturing wing seems to be compromised. This will certainly have ramifications within the company.
The server compromise with Apple seems to have happened based upon luck rather than explicit targeting. However, Apple's cloak of secrecy seemingly prevented the reverse engineering of these chips when they were discovered. Also Apple has a robust enough internal security team to actually catch this kind of compromise which is something that could easily be overlooked.
The pictured chip only has six pins which my novice guess would some sort of SPI module. This would explain how they were able to interface with various other components on motherboards and sneak the chip into so many designs: often the traces for SPI ports remain after debugging is complete but the headers are no populated once a board reaches production. What stands out here is that it seemingly communicated with system management as a means of by passing OS level restrictions. This also has me wondering if this some how ties into various Intel AMT/Management Engine exploits that were made public a bit over a year ago. Or this could be something new as well.
The line about embedding some of these chips into the layers of the motherboard seems a bit improbable. It would only make sense if the existing manufacturing lines supported this but my impression of the market is that such manufacturing is only used in mobile applications where space is at a very high premium. Various network and server hardware doesn't use that level of board level integration to my knowledge (though I will admit if it is used, slipping in a chip between PCB layers is indeed a very clever means of hiding a chip). The intent here doesn't seem to be aimed at mobile either as it is very arbitrary who would get a particular phone and there are fewer interfaces to leverage against mobile hardware. With phones coming from so many suppliers outside of Chinese influence, it doesn't seem that it'd be useful as a wide spread attack vector (ie shutting down mobile infrastructure).
| Topic | Posted By | Date |
|---|---|---|
| Supply chains and trust | David Kanter | 2018/10/04 08:23 AM |
| Supply chains and trust | Maynard Handley | 2018/10/04 09:57 AM |
| Supply chains and trust | Maynard Handley | 2018/10/04 10:01 AM |
| Supply chains and trust | wumpus | 2018/10/04 04:35 PM |
| Supply chains and trust | Robert Williams | 2018/10/08 06:30 PM |
| Supply chains and trust | Maynard Handley | 2018/10/08 07:21 PM |
| Supply chains and trust | Robert Williams | 2018/10/09 09:03 AM |
| Supply chains and trust | Robert Williams | 2018/10/09 09:08 AM |
| Supply chains and trust | Maynard Handley | 2018/10/09 09:27 AM |
| Supply chains and trust | dmcq | 2018/10/04 10:31 AM |
| Supply chains and trust | Gabriele Svelto | 2018/10/04 11:32 AM |
| Supply chains and trust | Brett | 2018/10/04 11:52 AM |
| Supply chains and trust | Maynard Handley | 2018/10/04 12:08 PM |
| Supply chains and trust | Adrian | 2018/10/04 12:36 PM |
| Supply chains and trust | Maynard Handley | 2018/10/04 12:51 PM |
| Supply chains and trust | Rob Thorpe | 2018/10/04 01:09 PM |
| Supply chains and trust | David Hess | 2018/10/04 12:38 PM |
| Supply chains and trust | Brett | 2018/10/04 12:52 PM |
| Supply chains and trust | Doug S | 2018/10/04 01:33 PM |
| Supply chains and trust | David Hess | 2018/10/04 12:09 PM |
| Supply chains and trust | David Hess | 2018/10/04 12:03 PM |
| Supply chains and trust | Doug S | 2018/10/04 01:45 PM |
| Supply chains and trust | Gabriele Svelto | 2018/10/05 01:53 AM |
| Supply chains and trust | dmcq | 2018/10/05 03:51 AM |
| Supply chains and trust | Gabriele Svelto | 2018/10/05 04:34 AM |
| Supply chains and trust | Doug S | 2018/10/05 12:46 PM |
| Supply chains and trust | Gabriele Svelto | 2018/10/06 02:59 PM |
| Supply chains and trust | David Hess | 2018/10/06 04:12 PM |
| Supply chains and trust | J | 2018/10/04 10:24 PM |
| Supply chains and trust | Andrew Clough | 2018/10/05 06:38 AM |
| Supply chains and trust | David Hess | 2018/10/06 04:16 PM |
| Supply chains and trust | Maxwell | 2018/10/06 04:37 PM |
| Hit job on Super Micro? | Maxwell | 2018/10/04 10:46 PM |
| Hit job on Super Micro? | Brett | 2018/10/05 12:55 AM |
| Hit job on Super Micro? | David Hess | 2018/10/06 04:15 PM |
| Supply chains and trust | Kevin G | 2018/10/04 01:47 PM |
| Raptor Engineering's Raptor | Gabriele Svelto | 2018/10/05 04:42 AM |
| Supply chains and trust | Groo | 2018/10/06 06:49 AM |
| Supply chains and trust | David Kanter | 2018/10/06 09:04 AM |
| Supply chains and trust | Groo | 2018/10/06 03:42 PM |
| Supply chains and trust | David Kanter | 2018/10/06 03:46 PM |
| SuperMicro boards are not made in USA | Adrian | 2018/10/07 12:08 AM |
| SuperMicro boards are not made in USA | Adrian | 2018/10/07 12:28 AM |
| Supply chains and trust | juanrga | 2018/10/07 07:12 AM |
| Supply chains and trust | David Hess | 2018/10/06 04:24 PM |
| Supply chains and trust | Wes Felter | 2018/10/07 03:35 PM |
| What did the BOM entry look like? | Mark Roulo | 2018/10/04 02:21 PM |
| Supply chains and trust | Maynard Handley | 2018/10/04 04:01 PM |
| Supply chains and trust | dmcq | 2018/10/05 01:27 AM |
| Here's what I think happened | Doug S | 2018/10/05 12:56 PM |
| Here's what I think happened | Brett | 2018/10/05 04:17 PM |
| FBI wants to be your first contact | ex-apple | 2018/10/05 04:41 PM |
| Here's what I think happened | Doug S | 2018/10/05 10:59 PM |
| Why call CIA? | David Kanter | 2018/10/06 09:01 AM |
| Why call CIA? | Doug S | 2018/10/06 09:33 AM |
| Why call CIA? | David Kanter | 2018/10/06 03:43 PM |
| Here's what I think happened | Maynard Handley | 2018/10/05 04:23 PM |
| Here's what I think happened | dmcq | 2018/10/06 04:52 AM |
| Supply chains and trust | David Hess | 2018/10/06 04:34 PM |
| Supply chains and trust | Groo | 2018/10/06 07:01 AM |
| Supply chains and trust | etudiant | 2018/10/07 04:36 AM |