Chinese hardware hacking - Supermicro

Oh yes, I expect there will be a lot of information coming out with HOWTO guides to find out if your hardware is compromised. But the article also said that some of the more sophisticated ones were so tiny that they were slipped between layers in the PCB, and you’re realistically never gonna find that.

Hopefully they find some sort of communication commonality which can be picked up by NIDS. That’s probably the best solution.

One of the articles that I read said that some of the spy chips were sandwiched between the layers of the PCB. So, visually spotting those would be nearly impossible.


Theoretically, one could X-ray the board and look for a shadow on the X-ray image that has no matching surface component. Not sure how well that would work in practice, though.

Of course you can find it with sufficient effort, but it’s cheaper and easier to toss the hardware in the garbage.

The real problem is making sure that whatever you buy to replace the compromised HW does not get compromised in a similar way. How does one make sure the HW can be trusted?

Build it yourself.

You hire people with the relevant competence and check the hardware. Companies like Amazon, Apple etc. have done this for a pretty long time.

Strongly worded denial from Amazon.


Interesting, that is a bit longer than Amazon’s response to Bloomberg, as linked by @mutation666:
Here is an interview with one of the reporters, Jordan Robertson:
An interesting thread on Twitter with Trammell Hudson (developer of Heads), with some speculation as to where the chip could be hiding:

qrs (Trammell Hudson)

Allegedly a supply chain attack on Supermicro’s servers installed small CPUs disguised as passive capacitors on the mainboard that were able to take over the BMC, which could then compromise the main CPU:
(links to Bloomberg article)

The BMC is vastly over-privileged and tied into so many parts of the system. Securing it is vital to secure the root of trust, and open source firmware like OpenBMC and u-BMC are good first steps to trusting it.

csirac2
Not capacitors though; article says signal conditioning ICs, which I’m only vaguely familiar with as motor controller variants, unlike anything a motherboard would have, but they do SPI for legit reasons in that space… could hide on path of SMBus sensor? Cf.
(link about Intel Management engine talking over SMBus while CPU is asleep)

qrs
You’re right that Bloomberg doesn’t identify the component beyond “signal conditioning”. Another place where an attack could reside is in the SPI bus multiplexer since that would allow malicious firmware to be delivered to the x86 from the flash chip.
https://pbs.twimg.com/media/DorHfBaXsAApRWL.jpg:large

Serve The Home has an article up:

I didn’t think of the SATADOM, but as he says in the article, host-based encryption would make it unlikely. Everything I’ve seen so far points to a BMC hack. And that is nothing new, really.

Bottom line, if this Supermicro attack vector is to the BMC, then the Bloomberg story is no bigger than the Dell EMC PowerEdge iDRACula story or any others. Saying there is a vulnerability in a BMC is like saying the sun is hot.

STH also points out the strange part of the Bloomberg article: why would the FBI etc. wait years if they suspected something like this? Why is the US military still using Supermicro hardware? Stuff doesn’t add up.


Everyone involved denying everything, and specifically this part of Apple’s response makes me think that the piece was a hit-piece on Super Micro, more than anything. No clear reason for it, though.

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them.
Ouch.


The Bloomberg article specifically says that the implant is connected to the BMC:

Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.


It is interesting that both Apple and Amazon issued such strong denials. Either Bloomberg made a historically huge mistake or they’re both lying. Apple and Amazon are the two most valuable companies in the world.


As hard pressed as I am to believe these major corps… I do not believe Bloomberg either.


At 5:44 in the video I linked above, the reporter responds to why they are confident in their report, saying that, in contrast to the company comments from Amazon, Apple, and Supermicro:

We have voluminous reporting on the other side from 17 total sources; including inside those companies: Apple, Amazon, and others; and extensively within the US Government that this attack did indeed occur.

He then mentions two reasons why companies would “deny this reporting”:

  • “This is an ongoing highly classified, top-secret US Government investigation”
  • “There was no consumer data that’s alleged to have been stolen”, so companies are not required to disclose

Good find, I actually didn’t see that earlier. Makes sense, the BMC is the most obvious attack vector after all.

I don’t think the article was edited, probably just me being blind.

Still doesn’t explain all the other BS in the article.

I don’t buy it. If that were true, they wouldn’t lie and explicitly address specific points in the report, they would simply say “no comment”.


Bloomberg has also now published the denials by the victims who are saying not only that the story is false, but specifically calling out and impeaching the credibility of the reporters with whom they’ve dealt:

Think trade. Stock manipulation. Tariffs.

Could be that, could be bigger [foil hat]Apple has to eat out of that bowl. Might need to carefully consider whether it, *cough… puts anything else in there… *cough[/foil hat]

If… only… we… had… reliable… news… organizations… Instead of PACs.