
Bloomberg Reports China Infiltrated the Supermicro Supply Chain We Investigate - jjcc
https://www.servethehome.com/bloomberg-reports-china-infiltrated-the-supermicro-supply-chain-we-investigate/
======
forapurpose
> If the FBI, or other intelligence officials, had reason to believe
> Supermicro hardware was compromised, then we would expect it would have
> taken less than a few years for this procurement to stop.

From the perspective of someone who merely reads what experts write, that
isn't true at all. If you have information on your enemy's operations and they
are unaware, you have the information advantage and you don't give it up. You
use it to monitor them, trace their activities: For example, where does the
connection go? And where does the information go from there? Plant malware in
whatever is sent back in order to trace who accesses it and maybe give you a
backdoor, or if you can't do that plant false information and see where it
turns up. Also, who is physically planting the PCB? Mine them, their
activities, and social network for more intel.

Also undermine your enemy with false information and by shutting them down not
now, reactively, but at the worst possible time for them - when the crisis
hits in the South China Sea or Taiwan, pull the plug on their intel or start
feeding it false info. And in the meantime, avoid giving them anything too
valuable.

On one hand, undoubtedly I have massive blind spots in my knowledge and the
details are probably somehow wrong. On the other, I'm somewhat confident that
many times, an intelligence agency would not reveal what they know and would
do the _kinds_ of things I'm discussing.

------
fermienrico
Why spend 2 paragraphs talking about how DRAM chips cannot be intercepted
because of large number of lines only to get to the point later and say "BMC
chips are more probable"?

This is obvious. This article is annoying to read.

~~~
stordoff
It seems weird because the Bloomberg article says they were connected to the
BMC:

> The illicit chips could do all this because they were connected to the
> baseboard management controller, a kind of superchip that administrators use
> to remotely log in to problematic servers

The discussion of DRAM only really seems necessary if that _isn't_ plausible.

------
dboreham
>Saying there is a vulnerability in a BMC is like saying the sun is hot.

This was my thought upon hearing the story when it broke this morning. There
has to either be more to it, or I suppose... less. I did wonder if it was some
sort of false flag op designed to make people in the US fearful about Chinese
hacking. Based on the people I've spoken to, inside the industry today, it has
succeeded.

~~~
taurath
We’re seeing a lot of anti-Chinese and anti-Russian news. I have a tendency to
believe them but at the same time there’s of course never going to be reported
in the US what we are doing.

~~~
forapurpose
> there’s of course never going to be reported in the US what we are doing

That doesn't square with all the reports on US domestic and international
spying, much of it in the NY Times, not to mention The Intercept and others.
How do you think we know about it? Not from Chinese and Russian newspapers.

> We’re seeing a lot of anti-Chinese and anti-Russian news

Hmmm ... maybe we're seeing a lot of Chinese and Russian activity. If you look
at coverage of the current US President, you might notice a lot of 'anti-US'
news also. Under the prior administration, there was a lot of that on Fox News
and in the Wall Street Journal.

------
rphlx
> Bloomberg says it is in line with memory to CPUs to intercept some password
> validation code

I think that's a misreading of their article. They were not claiming that's
what was actually done, they just provided that as an example of what a HW
attacker could do. Later on I remember them saying that the malicious part was
connected to the BMC, not the main CPU. If there's a serious USB vuln in the
BMC, then four wires could be enough to compromise it and gain God Mode over
the early x86 SW environment.

~~~
dboreham
I thought the article was implying the attack involves the BMC's capability to
supply (or change) a boot image. However I'm not sure how that would be able
to defeat boot image signing and storage encryption.

~~~
rphlx
It's possible that some servers hang the BIOS flash off the BMC, or (more
likely) at least have some way for the BMC to write to it - if not by design,
then through a HW vuln further up the stack.

And I believe that once you control the BIOS image you control the boot chain
of trust.

~~~
etcet
You can update the BIOS via SuperMicro's IPMI. It's actually a feature you
have to pay extra for:
[https://www.virtuallifestyle.nl/wp-content/uploads/2016/08/SMBU.png](https://www.virtuallifestyle.nl/wp-content/uploads/2016/08/SMBU.png)

~~~
dboreham
Getting them to take your money in exchange for that utility turns out to be
hard. I seem to recall figuring out a way to work around the lack of it, but
details have been paved out. I think it involved building the OS-based BIOS
flashing tool from source.

------
dboreham
I still don't get why they need to make a custom chip and embed it in the PCB
just to subvert a chip (BMC) that they also supply (or can at least change the
firmware for)??

------
ufmace
Thanks for this investigation. I was trying to think of what an actor in a
position to insert such chips at a manufacturing level would actually want.
You've got some tough limitations - you want a security hole that you can
exploit on highly firewalled, monitored, and locked-down servers running a
variety of software types. But it also needs to be hard to detect and exploit
without knowing some sort of secret. If anyone notices you using the exploit,
you're screwed. If any security researcher or black-hat hacker finds it too,
you're also screwed. It'd have to be pretty good to avoid that, since those
guys are probably fuzzing servers all the time. You'd have to be very careful
how you used it - if anybody traces a known data breach to this, then you're
screwed too.

Presuming you can get control of the BMC and transmit arbitrary network
traffic, you'd have to limit it somehow. At least some of the compromised
servers would be installed in places where any unexpected outgoing network
traffic would be noticed and investigated. Large amounts of detectable traffic
could be generated too if these things are all pinging away at something.
You'd have to trigger it somehow I suppose. But what kind of trigger can you
set up on a server running an unknown OS in unknown configuration that may be
behind lots of firewalls? Are we sending some kind of weird magic packet to
the server? If I was Google or something, I'd have dumb filtering firewalls
set up in front of my servers that drop anything that doesn't look like normal
network traffic, just to keep any random person from fuzzing the server and
triggering some weird unknown bug.

------
teknologist
Disappointed that there was not any actual technical substance to this article
aside from the pictures of the boards. I was excited for a moment, hoping
they'd get further until the details, but it ended up in some opinionated rant
about how the SEC should get involved.

------
pcunite
Just give me the option to totally disable this functionality. I understand
why farms need it, but I should be able to turn it off. That and Intel AMT.

------
tessi3r
Couldn't this all be easily thwarted with a relatively basic firewall and
network analysis of traffic emanating from a data-center?

Also - I found it funny that the "horrific exploit" was just piggybacking on a
mgmt engine vuln...

~~~
dboreham
As a matter of routine, nobody with a clue would ever allow public Internet
connectivity to the BMC NIC. They would also never allow the "bridge" mode
where the BMC NIC gets logically connected to one of the primary NICs (useful
if you want to spin up a box with only one drop cable in the lab). I wondered
if perhaps the attack involved subverting the air gap between the BMC NIC and
a primary NIC. Perhaps a reason to use
[https://en.wikipedia.org/wiki/IEEE_802.1X](https://en.wikipedia.org/wiki/IEEE_802.1X)
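The segmentation rule described in the comment above (the BMC NIC is never reachable from the public Internet and is never bridged onto a host NIC) can be audited against flow records rather than taken on trust. The script below is an added example written for this page; it is not code from the thread, from the STH article or from Supermicro. It assumes a dedicated management subnet 10.20.0.0/24 holding the BMC NICs, an admin jump host at 10.50.1.10, a list of internal address ranges, and a constructed set of flow records; it flags IPMI or BMC traffic that crosses out of the management segment in either direction, which also covers the unexpected outgoing traffic from a BMC that ufmace's comment talks about.

```python
"""Audit flow records for BMC/IPMI traffic that leaves its management segment.

Added example, not from the thread or the article. Assumptions (all
constructed for illustration): the BMC NICs sit on MGMT_NET, JUMP_HOSTS may
reach into that segment, INTERNAL_NETS are the organisation's own ranges, and
SAMPLE_FLOWS is a made-up set of records in the form
    <timestamp> <src> <dst> <proto> <dport> <bytes>
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

MGMT_NET = ipaddress.ip_network("10.20.0.0/24")           # assumed BMC segment
JUMP_HOSTS = {ipaddress.ip_address("10.50.1.10")}         # assumed admin jump host
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),      # assumed internal ranges
                 ipaddress.ip_network("192.168.0.0/16")]
IPMI_PORT = 623                                           # RMCP/RMCP+ (IPMI over LAN)


class Flow(NamedTuple):
    ts: str
    src: IPAddr
    dst: IPAddr
    proto: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport), int(nbytes))


def is_internal(addr: IPAddr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label for a flow that violates the segmentation rule, else None."""
    src_mgmt = flow.src in MGMT_NET
    dst_mgmt = flow.dst in MGMT_NET
    if src_mgmt and not dst_mgmt:
        # A BMC initiating traffic out of its segment: the "unexpected outgoing
        # traffic" case. Leaving the organisation entirely is the worst variant.
        return "bmc-egress-to-external" if not is_internal(flow.dst) else "bmc-egress-off-segment"
    if dst_mgmt and not src_mgmt:
        # Something outside the segment reaching a BMC; only jump hosts may do that.
        return None if flow.src in JUMP_HOSTS else "mgmt-ingress-from-outside"
    if not src_mgmt and not dst_mgmt and flow.dport == IPMI_PORT:
        # IPMI on a non-management address: a BMC exposed on a host NIC (bridge mode).
        return "ipmi-on-host-network"
    return None


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over raw records; returns (src, dst, reason) for each finding."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            findings.append((flow.src.compressed, flow.dst.compressed, reason))
    return findings


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = """
# ts src dst proto dport bytes
2018-10-04T14:02:11Z 10.20.0.2 10.20.0.15 udp 623 1200
2018-10-04T14:02:20Z 10.50.1.10 10.20.0.15 tcp 443 8800
2018-10-04T14:03:05Z 192.168.7.44 10.20.0.15 tcp 443 5100
2018-10-04T14:04:40Z 10.20.0.15 203.0.113.9 tcp 443 640
2018-10-04T14:05:02Z 10.20.0.15 10.30.2.8 udp 53 90
2018-10-04T14:06:13Z 198.51.100.23 10.30.2.8 udp 623 300
2018-10-04T14:07:00Z 10.30.2.8 10.30.2.9 tcp 22 20000
""".strip().splitlines()

if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_FLOWS):
        print(f"{src:>15} -> {dst:<15} {reason}")
```

The first two sample flows (BMC-to-BMC inside the segment, and the jump host reaching a BMC) produce no finding; the other four each trip one of the three rules. In practice the same logic runs over exported NetFlow/sFlow or firewall logs, and the only tuning needed is the three assumed address lists at the top.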

~~~
heartbreak
In the other threads it has been mentioned that this hypothetical attack could
run similarly to the US/Xerox op in the Cold War. The Xerox machines recorded
data which was collected by a Xerox technician during regular maintenance. A
board with a trojan chip on it could potentially record data to be collected
during an RMA. No need for network transmission.

~~~
cpr
Heck, you can find millions of pages of highly confidential documentation in
any Xerox copier junkyard--it's all standardly copied to their internal disks,
which are never cleaned on junking.

This caused a small stink a while back but I doubt if anything's changed.

------
Latteland
I like servethehome.com as a good place to learn about people running servers
in their home (thus the name), but that wasn't the greatest article. Look into
their forums for more interesting technical discussion.

