News Apple, Amazon, Supermicro deny Chinese hardware hack report

Discussion in 'Article Discussion' started by bit-tech, 5 Oct 2018.

  1. bit-tech

    bit-tech Supreme Overlord Staff Administrator

    Joined:
    12 Mar 2001
    Posts:
    1,442
    Likes Received:
    25
  2. edzieba

    edzieba Virtual Realist

    Joined:
    14 Jan 2009
    Posts:
    2,610
    Likes Received:
    142
    It'll be a relatively easy one to verify at least: grab one of the supposed suspect signal conditioners, delid it, and see if the IC is a signal conditioner or not.
    With Apple, Amazon and Supermicro issuing very specific denials rather than no-comments, the claims are on rather dicey grounds (the chances of corporate PR yelling at every internal department "did you know about this?" and still issuing a denial in knowledge of any even vaguely similar incident are slim to none). The claimed infiltration mechanism also seems off: why go to the effort of inserting an additional chip onto the board (where you now need to infiltrate the design team, verification team, documentation team, keep fiddling with boards for every revision, etc.) when, if you have that capability, it would make more sense to add the same backdooring function to an existing chip already intended to go onto boards? The same route has seen non-malicious counterfeit components make their way into devices undetected many times over (from discrete transistors in military electronics to the ubiquitous counterfeit FT232R chips in many if not most serial programmers), after all.

    ::EDIT:: The other part that doesn't pass the smell test is the timeframe and the specificity of the affected companies. Supermicro builds these boards for a MASSIVE number of clients, and there's a good chance that any given webpage you visit has been touched by at least one server running on a Supermicro board. If this has been under investigation for 3 years with no public advisory, pretty much everyone has been knowingly thrown under the bus. We haven't seen any TAs from US-CERT, or from anyone else (no way this would not at the very least have been distributed to Five Eyes partners), not even any nudge-and-a-wink "replace these boards, we can't say why" backchannel chatter to larger hosts. There's nothing to gain from leaving someone else's hardware backdoor channel open; even if you wanted to exploit the same backdoor, you'd be vulnerable to the party that emplaced it, and any gathered data would be suspect at best.
     
    Last edited: 5 Oct 2018
  3. Paradigm Shifter

    Paradigm Shifter de nihilo nihil fit

    Joined:
    10 May 2006
    Posts:
    1,993
    Likes Received:
    30
    There's a lot about this story that concerns me, but the huge drop in Super Micro stock can't help but make me wonder if this is a bit of a stock manipulation stitch up so someone can buy them up cheap(ish)...

    ...hey, stock manipulation was tried against AMD in the not too distant past.

    But I'll wait for further info before freaking out. I had six SuperMicro server boards, but they're all currently mothballed.
     
  4. Redbeaver

    Redbeaver The Other Red Meat

    Joined:
    15 Feb 2006
    Posts:
    2,055
    Likes Received:
    34
    Questions from a fairly uninformed techie...
    1. With the chip in question being that small and inconspicuous, isn't it possible that QA simply missed it? All they need is to get into the design team, and documentation probably relies on QA anyway. And revisions mean you can probably skip some regression testing, and it'll actually be less of a concern for the hacker. My point is, I don't think it's that much harder to pull off than convincing the design and development team to add a few more lines of code that will get caught by QA automation and probably the human verification team. Am I making sense, or am I way off?
    2. With the potential victims being the 30+ large corporations (see the Bloomberg article), it won't be easy for the general public to pull one off and check (this is not, say, on iPhones, it's on specific server builds), so I'm guessing if internal audit pulls one out and DID find something quirky, for the sake of public image (and stock values...) it's probably better to say "uuuhh no, we're totally unaffected, our product is totally secure!"?
    3. I disagree with there being nothing to gain from leaving the backdoor open if you're one of the investigators and you actually use the hardware in question. Pointing out that it's bad will make you look bad too, not just to the public but to other large hosts. I can totally imagine Apple knowing this for 3 years and saying "****, we gotta redesign and clean it up, but NEVER tell the Feds about it".

    I dunno, the article honestly scares me a bit, and even though I'm not usually paranoid about privacy and security (I sold my soul to Google already), this seems genuine enough that I'm starting to think of other scenarios in all our devices... Sure, it's now China spying on the big companies. But what's next? More and more stuff is already IoT devices, and it's too easy to manipulate and steal our data.

    Yes, I've told Google to spy on all my data for convenience's sake, but I'm not comfortable with illegal, hidden backdoors on my thermostat, my wireless camera, my iPad, etc....

    /putsdowntinfoilhat
     
  5. Omnislip

    Omnislip Member

    Joined:
    31 May 2011
    Posts:
    201
    Likes Received:
    10
    Also, if this indeed is the subject of a large, secret federal investigation, wouldn't the companies affected be legally compelled to keep quiet about whatever they know until after it is complete?
     
  6. Anfield

    Anfield Well-Known Member

    Joined:
    15 Jan 2010
    Posts:
    3,951
    Likes Received:
    206
    Even if it would have been missed once or twice it simply isn't plausible that the supposed spread of the hardware was possible without anyone picking up on it.

    Nah, they could just issue a product recall due to an unspecified QA issue.
     
  7. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    8,554
    Likes Received:
    203
    Take one government department in fear of losing funding, add a handful of technology-illiterate journalists, allow to simmer for three years while they gather some credible-sounding sources, serve cold without any accompaniments.

    When are people going to learn that there's a right and a wrong way to go about potential security issues?
     
  8. .//TuNdRa

    .//TuNdRa Resident Bulldozer Guru

    Joined:
    12 Feb 2011
    Posts:
    4,042
    Likes Received:
    109
    The other thing is: this is still implausible at best. Sure, you can theoretically subvert any OS running on a given server and take control of it at the BMC level, so you can tell the NIC to jump and it won't even say how high. So you tell it "Hey, connect to this IP!"

    Then the firewall stops you dead in your tracks, logging the attempt in the process.

    Game over, source server is highlighted, investigation starts.

    Unless you're telling me that tiny chip, which is apparently only barely a step above a calculator, can also somehow subvert any vendor's firewall on the way in and out to pass through utterly undetected?

    If it looks like a duck and quacks like a duck...
     
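    TuNdRa's point that the firewall logs the attempt only helps if someone is actually reviewing those logs for management-network egress. As an added illustration (not from this thread, any poster, or any vendor), the script below runs over constructed sample firewall log lines and flags every flow from an assumed BMC/IPMI subnet (10.99.0.0/24) to a destination outside an assumed allowlist, including ACCEPTed flows, since an accepted management-to-internet flow means the egress policy itself is too permissive:

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log lines (not real logs): invented hostnames, RFC 5737 test addresses.
SAMPLE_LOG = """\
Oct  5 10:01:12 fw01 kernel: DROP IN=mgmt OUT=wan SRC=10.99.0.21 DST=203.0.113.10 PROTO=TCP DPT=443
Oct  5 10:01:13 fw01 kernel: ACCEPT IN=mgmt OUT=lan SRC=10.99.0.21 DST=10.20.0.5 PROTO=UDP DPT=123
Oct  5 10:01:20 fw01 kernel: ACCEPT IN=lan OUT=wan SRC=10.20.0.44 DST=203.0.113.10 PROTO=TCP DPT=443
Oct  5 10:02:02 fw01 kernel: ACCEPT IN=mgmt OUT=wan SRC=10.99.0.37 DST=198.51.100.77 PROTO=TCP DPT=8443
"""

# Assumed layout: BMC/IPMI interfaces sit on a dedicated management subnet and
# should only ever reach a short allowlist of internal services (NTP, syslog, updates).
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
ALLOWED_DST = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) "
    r"IN=(?P<inif>\S+) OUT=(?P<outif>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    action: str
    src: str
    dst: str
    dpt: int

def find_bmc_egress(log_text: str) -> List[Alert]:
    """Return one Alert per flow sourced from the management subnet whose
    destination is not on the allowlist, regardless of DROP or ACCEPT."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in MGMT_NET or any(dst in net for net in ALLOWED_DST):
            continue
        alerts.append(Alert(m["ts"], m["action"], str(src), str(dst), int(m["dpt"])))
    return alerts

if __name__ == "__main__":
    for a in find_bmc_egress(SAMPLE_LOG):
        print(f"{a.ts} {a.action:6} BMC {a.src} -> {a.dst}:{a.dpt} not on egress allowlist")
```

The DROP on the first line is the detection TuNdRa describes; the ACCEPT on the last line is the case a review should catch before any chip does.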
  9. edzieba

    edzieba Virtual Realist

    Joined:
    14 Jan 2009
    Posts:
    2,610
    Likes Received:
    142
    And now we have the NCSC ringing in:
    Either everybody up to and including national-level cybersecurity bodies is willing to lie about an ongoing advanced threat from a foreign actor (and has actively left a THREE YEAR exploit window open), or Bloomberg has gotten not only the wrong end of the stick, but another item entirely that could be described as "brown" and "stick-y".
     