Chinese hardware hacking - Supermicro

Huge story from Bloomberg. The Chinese government compromised the Supermicro supply chain, embedding tiny chips into the remote management console allowing data exfiltration and control. They say in one case the chip was tiny enough to fit between the fiberglass layers of the motherboard itself!

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

9 Likes

Cool nice find

US gov does that shit all the time too but they mod in transit.

https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond
“On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”

3 Likes

Nice find.

And oh shit. Imagine if this could be done for the interposer on CPUs…

6 Likes

I could take it more seriously if the article wasn’t bloated with sensational bs.

Awaiting 3rd party tests and validation…

3 Likes

The sensation is “we found a thing that should not be there”.

3rd party tests are likely all confidential.

Interesting read.

So Supermicro is on the OTC Market. They bounced back a little bit.

Some of the claims that Apple is denying, replacing 7000 servers etc., are amazing. I’m sure it’s all under NDA etc.

Apple and Amazon may have been dealing with this for years.

As for Apple, one of the three senior insiders says that in the summer of 2015, a few weeks after it identified the malicious chips, the company started removing all Supermicro servers from its data centers, a process Apple referred to internally as “going to zero.” Every Supermicro server, all 7,000 or so, was replaced in a matter of weeks, the senior insider says. (Apple denies that any servers were removed.) In 2016, Apple informed Supermicro that it was severing their relationship entirely—a decision a spokesman for Apple ascribed in response to Businessweek’s questions to an unrelated and relatively minor security incident.

Still, the fact that the country appeared to be conducting those operations inside Amazon’s cloud presented the company with a Gordian knot. Its security team determined that it would be difficult to quietly remove the equipment and that, even if they could devise a way, doing so would alert the attackers that the chips had been found, according to a person familiar with the company’s probe. Instead, the team developed a method of monitoring the chips. In the ensuing months, they detected brief check-in communications between the attackers and the sabotaged servers but didn’t see any attempts to remove data. That likely meant either that the attackers were saving the chips for a later operation or that they’d infiltrated other parts of the network before the monitoring began. Neither possibility was reassuring.

When in 2016 the Chinese government was about to pass a new cybersecurity law—seen by many outside the country as a pretext to give authorities wider access to sensitive data—Amazon decided to act, the person familiar with the company’s probe says. In August it transferred operational control of its Beijing data center to its local partner, Beijing Sinnet, a move the companies said was needed to comply with the incoming law. The following November, Amazon sold the entire infrastructure to Beijing Sinnet for about $300 million. The person familiar with Amazon’s probe casts the sale as a choice to “hack off the diseased limb.”

2 Likes

The US government doesn’t attack foreign companies to steal their IP or give American companies an advantage. They go after terrorists and criminals, not legitimate companies.

right

3 Likes

Great, where’s the followup where she got the computer and found where it was compromised? All we see from that link is that a package was delivered to Virginia instead of Seattle. Did she even get the computer?

There are tons of protections for US citizens from US intelligence agencies. The NSA’s mandate doesn’t allow it to target Americans at all and the FBI would need a warrant for something like that. Basically, it’s sensationalist bullshit.

Now if that TOR dev was in Germany, and she eventually got her computer, and they proved that the computer was compromised in some way, that would be interesting. But that isn’t what happened.

1 Like

I won’t argue that some of the “fear the NSA/CIA like the plague” stuff is overhyped, because some of it is; but if the NSA really wants to target USA citizens, they just use a Five Eyes partner.

Hahahahahahahahahshahahahahahahahaha

6 Likes

That works fine for SIGINT because the same intelligence is intercepted by other agencies with an intelligence sharing agreement, who aren’t constrained by the same regulations. It’s largely passive.

In the case of supply chain compromise, that would mean getting the UK to actively direct MI6 agents to bribe/threaten employees of a company in an allied nation. That is just ridiculously unlikely.

@RevampedTech: You don’t know what you’re talking about. The NSA does not overtly target American citizens, and the FBI needs a warrant. Now the NSA may get that intelligence elsewhere as oldellian mentioned, and the FISA court has never denied a warrant, so there’s a lot of wiggle room with SIGINT. But not with compromising a supply chain or intercepting and modifying packages in transit.

cough Petrobras cough

1 Like

Thanks to components such as Intel’s AMT/ME, this type of attack is easy for a state actor to pull off. Since we’re not allowed to know what the ME is doing, we have no way to know when it is misbehaving. Thankfully, someone with a sharp eye caught these bugged servers periodically phoning home.

3 Likes
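The “periodically phoning home” observation above, and the article’s description of monitoring brief check-ins rather than ripping out the hardware, is the kind of thing a defender can look for in flow logs from the out-of-band management VLAN. The following is an added example, not code from the thread or from any of the companies named: it takes constructed flow records (timestamp, src, dst, dport, bytes), assumes a BMC address range and an allowlist of expected management destinations, and flags source/destination pairs whose connections recur with near-constant spacing, which is what low-volume beaconing looks like.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (epoch_seconds src dst dport bytes) from an
# assumed out-of-band management VLAN; not real data from the article.
SAMPLE_FLOWS = """\
1538640000 10.99.0.17 203.0.113.9 443 612
1538640000 10.99.0.18 10.0.5.20 443 2048
1538643600 10.99.0.17 203.0.113.9 443 598
1538643610 10.99.0.18 10.0.5.20 443 2100
1538647205 10.99.0.17 203.0.113.9 443 604
1538650800 10.99.0.17 203.0.113.9 443 611
1538651000 10.99.0.17 198.51.100.5 80 40960
1538654400 10.99.0.17 203.0.113.9 443 590
1538654400 10.99.0.18 10.0.5.20 443 2010
1538660000 10.99.0.17 198.51.100.5 80 12000
"""

BMC_PREFIX = "10.99.0."                   # assumed BMC/IPMI address range
ALLOWED_DST = {"10.99.0.1", "10.0.5.20"}  # assumed gateway and monitoring host

def parse_flows(text):
    """Parse whitespace-separated flow lines into tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows

def find_beacons(flows, min_hits=4, max_cv=0.05):
    """Return (src, dst, mean_interval_s) for BMC hosts whose connections to a
    non-allowlisted destination recur with near-constant spacing, i.e. a low
    coefficient of variation (stdev / mean) of the inter-arrival times."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        if src.startswith(BMC_PREFIX) and dst not in ALLOWED_DST:
            by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_hits:          # too few hits to call it periodic
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((src, dst, round(avg)))
    return beacons

if __name__ == "__main__":
    for src, dst, period in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"periodic check-in: {src} -> {dst} every ~{period}s")
```

In the sample, only the hourly low-byte connections from 10.99.0.17 to 203.0.113.9 are reported; the irregular bulk transfers and the allowlisted monitoring traffic are not.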

It’s owned by the Brazilian government, not a private enterprise.

I think you’re a bit optimistic with how adherent the NSA is willing to be to that fine line; for context, this was an intercept made on a package from Houston, Texas to Mexico:

Admittedly, this was probably a foreign researcher, but I would be curious where NSA draws the line. Are international packages to USA citizens fair game? Are domestic packages to foreign nationals?

For context, I assume you’re talking about this:


Anyway, we’re getting a bit off-topic here, since neither is even a hardware compromise.

2 Likes

No, put plainly the target of their investigation can’t be a US citizen. The NSA has no mandate inside the US at all. The FBI does, but it needs a warrant due to the 4th amendment. There have been tons of abuses and pushing the line on that stuff, primarily exposed by Edward Snowden, but that all applies to SIGINT, not actively compromising hardware or a supply chain.

At least, as far as we know.

We have been getting a bit off-topic, but it’s important to draw the line. Whataboutism doesn’t apply here. China, the nation-state, is stealing intellectual property. It is performing industrial espionage to help Chinese companies, all of which have ties to the state. They restrict foreign businesses from entering the Chinese market unless they give up control of their technology, services, and financials. They are truly bad actors and really can’t be compared to anyone else.

They need to stop doing that stuff. Maybe the tariffs will do that. I don’t have a lot of faith given the admin that’s applying them, but if they get China to open their market and stop stealing IP that would be a great thing. The trans-pacific partnership would have been just as effective and less risky, but that’s gone now.

1 Like

TPP had a lot of insane legalese and bizarre corporate immunity IIRC, that’s why most people I talked to opposed it.

Anyway, I don’t really see any safe way to manufacture chips or motherboards in the PRC-controlled mainland; this sort of stuff can and will happen. What I would be interested in is whether agencies like DARPA would consider board/chip manufacture in ROC-controlled Taiwan or Singapore to be safe enough.

Obviously, especially if you are the USA government, manufacturing domestically, by domestically owned companies, is probably preferred, but companies like GlobalFoundries might manufacture domestically while being financially owned by an Abu Dhabi sovereign wealth fund. Is that better or worse than a German company manufacturing in Germany?

As an example, with IBM shifting chip manufacturing to Samsung, will future USA supercomputers have their chips manufactured in Korea?

China really isn’t in power in Taiwan and Singapore, unlike Hong Kong. So sure. Note Taiwan was not tariffed, either.

I’m pretty curious what’s coming out of this.

If more are dropping Supermicro servers and such.

Or what those little spy chips actually are, how they work etc., and how to identify them.
Would like to know if my SM boards have them and if I can remove them.

From the animation they did, it looked like it was coupled to the SPI ROM for the BIOS and ROM. But that’s just a nice animation and not a real reference.