News Apple, Amazon, Supermicro deny Chinese hardware hack report

It'll be a relatively easy one to verify at least: grab one of the supposed suspect signal conditioners, delid it, and see if the IC is a signal conditioner or not.
With Apple, Amazon and Supermicro issuing very specific denials rather than no-comments, the claims are on rather dicey grounds (the chances of corporate PR yelling at every internal department "did you know about this" and still issuing a denial in knowledge of any even vaguely similar incident is slim to none). The claimed infiltration mechanism also seems off: why go to the effort to insert an additional chip onto the board (where you now need to infiltrate the design team, verification team, documentation team, keep fiddling with boards for every revision, etc) when if you have that capability it would make more sense to add the same backdooring function to an existing chip already intended to go onto boards? The same route has found non-malicious counterfeit components make their way into devices undetected many times over (from discrete transistors in military electronics to the ubiquitous counterfeit RT232R chips in many if not most serial programmers) after all.

::EDIT:: The other part that doesn't pass the smell test is the timeframe and the specificity of the affected companies. Supermicro builds these boards for a MASSIVE number of clients, and there's a good chance that any given webpage you visit has been touched by at least one server running on a Supermicro board. If this has been under investigation for 3 years with no public advisory, pretty much everyone has been knowingly thrown under the bus. We haven't seen any TAs from US-CERT, or from anyone else (no way this would not at the very least have been distributed to Five Eyes partners), not even any nudge-and-a-wink "replace these boards we can't say why" backchannel chatter to larger hosts. There's nothing to gain from leaving someone else's hardware backdoor channel open, even if you wanted to exploit the same backdoor you'd be vulnerable to the party that emplaced it and any gathered data would be suspect at best.

 

There's a lot about this story that concerns me, but the huge drop in Super Micro stock can't help but make me wonder if this is a bit of a stock manipulation stitch up so someone can buy them up cheap(ish)...

...hey, stock manipulation was tried against AMD in the not too distant past.

But I'll wait for further info before freaking out. I had six SuperMicro server boards, but they're all currently mothballed.

 

questions from a fairly uninformed techie....
1. with a chip in question being that small and inconspicuous, isn't it possible that QA simply missed it? all they need is getting into the design team and documentation probably relies on QA anyway. and revisions means u can probably skip some regression testing and it'll actually be less of a concern for the hacker. my point is, i dont think it's that much harder to pull off than convincing the design and development team to add a few more lines of code that will get caught with QA automation and probably the human verification team. am i making sense or am i way off?
2. with the potential victims are the 30+ large corporations (see Bloomberg article), it won't be easy for the general public to pull one off and check (this is not, say, on iPhones, it's on specific server builds) so im guessing if internal audit pulls one out and DID find something quirky, for the sake of public image (and stock values...) it's probably better to say "uuuhh no, we're totally unaffected, our product is totally secure!" ?
3. I disagree with nothing to gain from leaving the backdoor open if you're one of the investigator and you actually use the hardware in question. pointing it out it's bad will make you look bad too. not just to public but to other large hosts. i can totally imagine Apple knowing this for 3 years and say "****, we gotta redesign and clean it up, but NEVER tell the Feds about it"

I dunno, the article honestly scares me abit, and even though I'm not usually paranoid with privacy and security (i sold my soul to Google already), this seems genuine enough that i'm starting to think other scenarios in all our devices... sure it's now China spying the big companies. But what's next? More and more stuff is already IoT devices and it's too easy to manipulate and steal our data.

yes i've told Google to spy on all my data for convenience's sake, but i'm not comfortable with illegal, hidden backdoors on my thermostat, my wireless camera, my iPad, etc....

/putsdowntinfoilhat

 

Also, if this indeed is the subject of a large, secret federal investigation, wouldn't the companies affected be legally compelled to keep quiet about whatever they know until after it is complete?

 

Even if it would have been missed once or twice it simply isn't plausible that the supposed spread of the hardware was possible without anyone picking up on it.

Nah, they could just issue a product recall due to an unspecified QA issue.

 

Take one government department in fear of loosing funding, add a handful of technology illiterate journalists, allow to simmer for three years while they gather some credible sounding sources, serve cold without any accompaniments.

When are people going to learn that there's a right and wrong way to go about potential security issues.

 

The other thing is; This is still implausible at best. Sure: You can theoretically subvert any OS running on a given server and take control of it at the BCM Level, so you can tell the NIC to Jump and it won't even say how high. So you tell it "Hey connect to this IP!"

Then the Firewall stops you Dead in your tracks, logging the attempt in the process.

Game over, source server is highlighted, investigation starts.

Unless you're telling me that tiny chip that is apparently only barely a step above a calculator can also somehow subvert any vendors' firewall on the way in and out to pass through utterly undetected?

If it looks like a duck and quacks like a duck...

 

And now we have the NCSC ringing in:

Either everybody up to including national-level cybersecurity bodies is willing to lie about an ongoing advanced threat from a foreign actor (and have actively left a THREE YEAR exploit window open), or Bloomberg has gotten not only the wrong end of the stick, but another item entirely that could be described as "brown" and "stick-y".