
A new hardware implant shows how easy it may be to hide malicious chips - lelf
https://www.wired.com/story/plant-spy-chips-hardware-supermicro-cheap-proof-of-concept/
======
new299
This seems not terribly interesting to me. The article motivates itself with the
allegations of devices embedded in supermicro products saying “But even as the
facts of that story remain unconfirmed...”. But it’s not that the facts are
unconfirmed, as far as I can tell there was literally no supporting evidence
and the story didn’t really make much sense.

Then it discusses how a microcontroller attached to the serial port of Cisco
networking equipment can be used to reconfigure the equipment to allow access.

Given that the purpose of the serial port is reconfiguring the device, this is
unsurprising.

They used a small commodity microcontroller. It’s not sitting on a footprint.
It’s just bodged onto the PCB. It’s quite obvious from inspecting the board...

So... what’s the point of this article? If you have physical access to the
hardware you can make a small but obvious change to the PCB? I’m not even sure
where the $200 comes from. The part costs <50 cents. It’s so big many people
could solder it by eye (I have in the past, and was soldering a similar pitch
part last night using an iPhone as a magnifier).

So... this level of modification has been possible for at least 20 years. It’s
pretty obvious, and is about a day’s work...

What I would have been a little more interested in seeing is a part placed on
an existing footprint. I’ve actually done this myself. Maybe I should have
billed it as security research...

[http://41j.com/blog/2016/09/mirrorswitch/](http://41j.com/blog/2016/09/mirrorswitch/)

Beyond that, I’d be interested in knowing how easy it is to get hold of dies
and repackage them with additional microcontrollers. This would mean there’s no
physical visible difference on the PCB. But even this could be detected as
automated XRay inspection is not uncommon.

Ultimately... if you are a state level actor. You have better and less easily
detectable options than this.

~~~
xvector
Honestly, the Supermicro story makes me uneasy. Yes, both accused corporations
rebuffed the story. Yes, there was no real evidence or any follow-up to
justify the story.

But god damn, the paranoid person inside me can't let it go. It sounds like
such an easy thing to do for such an amazing payoff. And of course both
accused have a massive incentive to not disclose a vulnerability such as this
one. Hell, the higher-ups might not even know about it if the company has gone
through efforts to maintain plausible deniability in scenarios like this.

~~~
new299
I think the fact that fake components regularly make their way into the supply
chain should be more of a concern than the supermicro story.

So, supply chain security is poor, and getting backdoored parts into the
supply chain is a realistic possibility. Bunnie has a good recent talk on
this.

[https://www.bunniestudios.com/blog/?p=5519](https://www.bunniestudios.com/blog/?p=5519)

The question in my mind is, is it worth the risk of detection? Particularly
when other methods are less traceable, more easily deniable.

~~~
nyolfen
bunnie himself says near the end of the presentation that he believes that
_something_ happened with supermicro but that the details were deliberately
obfuscated by the usgov sources for the story

~~~
new299
Well what bunnie says in that talk is that something may well have happened
but it doesn’t pass Occam’s razor as presented in the Bloomberg article.

Specifically he says that adding an IC to the board doesn’t make sense. And
that embedding something in an existing package/device is possible.

This is very different to what is described in the article being discussed
here, and much more complex.

The Bloomberg article seems largely inaccurate in any case. I don’t think it’s
worth using as a motivation for any security work.

~~~
Enginerrrd
Yeah Occam's razor says your efforts would be much better spent on flashing
custom firmware than a retrofit. That or a deliberate backdoor built into the
chip from the ground up.

Or something like this:
[https://m.youtube.com/watch?v=_eSAF_qT_FY](https://m.youtube.com/watch?v=_eSAF_qT_FY)

But a nearly magic rice-grain part with a microcontroller and networking?? You
could make a fortune in IOT with something that capable.

------
Simulacra
The Supermicro story was quite fascinating and I absolutely believe in its
feasibility. We know that China attempts to hack into American security and
government systems, so it raises a very valid fear that a company like Huawei
could, and likely would, do something like this.

That whole story was just too easily - and too quickly - dismissed by the major
companies...

~~~
avian
Nobody claimed that it's impossible to have hardware implants in principle.
You can find papers that predate the Bloomberg story and discuss much more
advanced approaches than what was presented there.

The problem with that story was that it claimed that such an attack _was_ in
progress, while citing no sources and presenting no credible evidence. Using
stock photos of unrelated components and basing part of the article on an
interview where the expert explicitly _speculated_ on the _possibilities_ and
not an actual attack didn't inspire confidence in Bloomberg reporting either.

------
cryptofits
As the article mentions, there probably aren't a lot of instances of this,
given that software exploits are often easier to implement. And once
discovered, can be re-used hundreds if not millions of times very easily.

That said if someone is interested in a specific target or small set of
targets, this is a really stealthy way of compromising a system. I would be
shocked if every major international spy agency hasn't at least tried this.

~~~
LIV2
They do it on the reg, already known long before the Bloomberg article

[https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa...](https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/)

[https://en.m.wikipedia.org/wiki/NSA_ANT_catalog](https://en.m.wikipedia.org/wiki/NSA_ANT_catalog)

USB/Ethernet sockets with implants etc

------
jokoon
Snowden talked about this.

The US holds a big share of electronics intellectual property. Most of the
tools used to design silicon chips are proprietary, and it would be trivial
for the NSA to implant hardware backdoors without anybody knowing it, and it
would be very difficult for the public to audit this hardware.

I think this is exactly why Huawei routers were not trustworthy.

Detecting malware is child's play, now if they want to not be detected, they
need to target the hardware. Even if you know your hardware has a backdoor, it
becomes too expensive or impossible to patch it.

Always wondered why wifi chips always used binary firmwares? Me too.

~~~
mroche
Huawei routers and equipment are not trustworthy because they are literally
insecure at a firmware level. If you want an interesting read check out the
Finite State’s “Supply Chain Assessment” of Huawei’s IoT and networking
devices[0] released back in June. The latest episode of Enterprise | Security
Weekly, “Please Don’t Go - ESW #156”[1] has Matt Wyckhouse (co-founder and CEO)
to discuss the findings and IoT security. You’ll want to go to 1:08:08 to get
to it should you opt for the full episode rather than the linked segment.

[0] [https://finitestate.io/wp-content/uploads/2019/06/Finite-Sta...](https://finitestate.io/wp-content/uploads/2019/06/Finite-State-SCA1-Final.pdf)

[1] [https://securityweekly.com/shows/supply-chain-security-in-th...](https://securityweekly.com/shows/supply-chain-security-in-the-iot-era-matt-wyckhouse-esw-156/)

------
kebman
An intelligence agency put an ad in for a "break-in specialist." The ad
promised a very diverse line of work, for a tidy guy who knows how to "cover
his tracks." If agencies are putting "ads in the paper" to hire such guys, I
don't think it's unreasonable to claim that they also have guys who can
covertly plant a chip.

------
dinodub
NSA could easily tell these corporations that they have to deny existence &
feasibility of such technology. Anyone who takes their word for it is a sheep.

------
Simulacra
Don’t forget: this has been done before.
[https://www.cryptomuseum.com/covert/bugs/selectric/](https://www.cryptomuseum.com/covert/bugs/selectric/)

~~~
generalpass
Also, CIA installed cameras in Xerox machines:

[http://electricalstrategies.com/about/in-the-news/spies-in-t...](http://electricalstrategies.com/about/in-the-news/spies-in-the-xerox-machine/)

------
onetimemanytime
But anyone needing to do that doesn't care if it's $200 or $20 million. It's
way more complicated than just soldering the chip in.

------
generalpass
Wow, if I am to understand this article correctly, bad actors gaining access
to my hardware can do bad stuff.

~~~
yarg
Yeah, and the nation that produces the world's cheapest electronics (and where
all corporations are intertwined with government) is run by bad actors.

~~~
generalpass
So why be so concerned with soldering stuff to the board? Wouldn't they just
alter the die?

------
clSTophEjUdRanu
As an aside, this mentions that Snowden leaked that the NSA has been carrying
out supply chain attacks? What, is this guy just leaking everything now?

