On 2018-10-04 23:37, Naslund, Steve wrote:
I was wondering about where this chip tapped into all of the data and timing lines it would need to have access to. It would seem that being really small creates even more problems making those connections. I am a little doubtful about the article. It would seem to me better to create a corrupted copy of something like a front side bus chipset, memory controller or some other component that handles data lines than create a new component that would then require a motherboard redesign to integrate correctly. It would seem that as soon as the motherboard design was changed someone would wonder "hey, where are all those data lines going?" It would also require less people in on the plan to corrupt or replace a device already in the design. All you need is a way to intercept the original chip supply and insert your rogue devices.
On the opposite side of the argument, does anyone think it is strange that all of the companies mentioned in the article along with the PRC managed to get a simultaneous response back to Bloomberg. Seems pretty pre-calculated to me. Or did some agency somewhere tell everyone they better shut up about the whole thing?
Steven Naslund Chicago IL
Just theory - tapping on same lines as SPI flash (let's assume it is not QSPI), so we are "in parallel", as "snooper" chip. First - it can easily snoop by listening MISO/MOSI/CS/CLK. When required data pattern and block detected during snooping, it can remember offset(s) of required data. When, later, BMC send over MOSI request for this "offset", we override BMC and force CS high (inactive), so main flash chip will not answer, and answer instead of him our, different data from "snooper". Voila... instead of root:password we get root:nihao