bloomberg on supermicro: sky is falling
re: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-us...
from a side convo with a well known sec researcher:
saw that a couple of years back when apple tossed them out. so who do we know that is for sure not poisoned. and therein lies the rub.
Yup
truth is, i am surprised they had to add a chip, and one of the larger dies was not already trojaned.
have visions of the chinese implant on box A fighting with the american implant on box B with occasional jabs from the israelis from box C.
what i would love to see/know is how apple tries to vet the macs made in shenzhen.
randy
Would be remiss in our duties if we didn't also link AWS' blog, in response to the Bloomberg article. In short, AWS refutes much of Bloomberg's reporting in the article.
https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloombe...
Ken
On Thu, Oct 4, 2018 at 11:03 AM Randy Bush <randy@psg.com> wrote:
Supermicro's response at https://www.supermicro.com/newsroom/pressreleases/2018/press181004_Bloomberg...
On Thu, Oct 4, 2018 at 12:03 PM Randy Bush <randy@psg.com> wrote:
-- Andrew "lathama" Latham
To me this looks like a Chinese version of the NSA FIREWALK product, which is a network implant built into an RJ45 jack intended to be soldered onto a motherboard. The FIREWALK info came out with the Snowden leaks in 2013 and the tech was years old at that time.
https://en.wikipedia.org/wiki/NSA_ANT_catalog
I am not able to say a lot more, but when I worked for a major defence contractor in 2006-2007 in Afghanistan, building WAN links in and out of the country by satellite, hardware implants were found in equipment. Not our equipment, but it was close enough to our operations that we were briefed on it and made aware.
On Thu, Oct 4, 2018 at 10:02 AM Randy Bush <randy@psg.com> wrote:
Quite different really. FIREWALK is really an intercept device to get data out of a firewalled or air gapped network. The exploit Bloomberg describes would modify or alter data going across a server’s bus. The big difference is the Bloomberg device needs command and control and a place to dump the tapped data to over the server’s network connection. That device is not going to be able to do so out of any classified military network I have ever worked on. Or anyone with a halfway decent firewall (which I would assume Apple and Amazon would have for the internal servers). I think this article is unlikely to be true for the following reasons:
1. Separate chip is much more detectable physically than an altered chipset that is already on the board.
2. Requires motherboard redesign to get access to power and buses needed (again easily detectable during any design mods: “hey does anyone know what these are for?”)
3. Does not have onboard communications so it will be sending data traffic on the network interfaces (will definitely trigger even the most rudimentary IDP systems). It relies on these backbone Internet companies and Intelligence agencies to have absolutely abysmal security on their networks to be at all useful.
4. Parts would have to be brought into the plant, stored somewhere, and all the internal systems would need a trail of where the part came from, who ordered it, where it is warehoused, loaded into pick/place, etc. Much better to compromise an existing chip’s supply chain.
Does anyone think that someone somewhere is trying to kill Supermicro? They sure have had a lot of bad news lately.
Steven Naslund
Chicago IL
To me this looks like a Chinese version of the NSA FIREWALK product. Which is a network implant built into a RJ45 jack intended to be soldered onto a motherboard. The FIREWALK info came out with the Snowden leaks in 2013 and the tech was years old at that time.
https://en.wikipedia.org/wiki/NSA_ANT_catalog
I am not able to say a lot more, but when I worked for a major defence contractor in 2006-2007 in Afghanistan, building WAN links in and out of the country by satellite, hardware implants were found in equipment. Not our equipment, but it was close enough to our operations that we were briefed on it and made aware.
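One way to illustrate point 3 in the reply above (an implant has no network path of its own, so whatever it sends has to cross the server's interfaces where egress monitoring can see it), as an added example that is not part of this thread: a small Python check over constructed flow records that flags any connection from a server segment to a destination outside that segment's expected allowlist. The addresses, the segment and the allowlist are assumptions.

```python
import ipaddress

# Constructed flow records (not from the thread): src dst dst_port bytes.
SAMPLE_FLOWS = """\
10.20.1.15 10.20.1.2 443 1820
10.20.1.15 10.20.0.53 53 120
10.20.1.15 203.0.113.77 443 96
10.20.1.16 10.20.1.2 443 5400
10.20.1.16 198.51.100.9 8443 64
10.20.1.17 10.20.0.53 53 110
"""

# Assumed egress policy for an internal server segment (hypothetical addresses):
# servers may talk to the internal proxy and the resolver, nothing else.
SERVER_SEGMENT = ipaddress.ip_network("10.20.1.0/24")
ALLOWED_DESTS = {ipaddress.ip_address("10.20.1.2"), ipaddress.ip_address("10.20.0.53")}


def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)))
    return flows


def unexpected_egress(flows):
    """Flows leaving the server segment for a destination the policy does not expect.

    Size does not matter here: a 64-byte beacon to an unlisted host is as much
    a policy violation as a bulk transfer, which is what makes the check useful.
    """
    return [
        (str(src), str(dst), port, nbytes)
        for src, dst, port, nbytes in flows
        if src in SERVER_SEGMENT and dst not in ALLOWED_DESTS
    ]


def offending_hosts(flows):
    """Sorted list of server addresses with at least one unexpected egress flow."""
    return sorted({src for src, _, _, _ in unexpected_egress(flows)})


if __name__ == "__main__":
    for hit in unexpected_egress(parse_flows(SAMPLE_FLOWS)):
        print("unexpected egress:", hit)
```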
On 04/10/2018 22:28, Naslund, Steve wrote:
Quite different really. FIREWALK is really an intercept device to get data out of a firewalled or air gapped network. The exploit Bloomberg describes would modify or alter data going across a server’s bus. The big difference is the Bloomberg device needs command and control and a place to dump the tapped data to over the server’s network connection. That device is not going to be able to do so out of any classified military network I have ever worked on. Or anyone with a halfway decent firewall (which I would assume Apple and Amazon would have for the internal servers). I think this article is unlikely to be true for the following reasons:
1. Separate chip is much more detectable physically than an altered chipset that is already on the board.
2. Requires motherboard redesign to get access to power and buses needed (again easily detectable during any design mods “hey does anyone know what these are for?”)
3. Does not have onboard communications so it will be sending data traffic on the network interfaces (will definitely trigger even the most rudimentary IDP systems). It relies on these backbone Internet companies and Intelligence agencies to have absolutely abysmal security on their networks to be at all useful.
4. Parts would have to be brought into the plant, stored somewhere, and all the internal systems would need a trail of where the part came from, who ordered it, where it is warehoused, loaded into pick/place, etc. Much better to compromise an existing chip’s supply chain.
Whatever the truth here, I'm sure that the article as it is written isn't telling us everything. There's more to this than meets the eye including, quite possibly, the full facts about how data would be exfiltrated and/or, perhaps, exactly what was done to the customers' hardware.
Does anyone think that someone somewhere is trying to kill Supermicro? They sure have had a lot of bad news lately.
Who knows. Perhaps we are intended to come away with certain impressions.
-- Mark Rousell