Chinese spy chips are found in hardware used by Apple, Amazon, Bloomberg says; Apple, AWS say no way
The chips, which Bloomberg said have been the subject of a top secret U.S. government investigation starting in 2015, were used for gathering intellectual property and trade secrets from American companies and may have been introduced by a Chinese server company called Super Micro that assembled machines used in the centers.
[...] China has long been suspected — but rarely directly implicated — in en masse spy campaigns based on hardware made there. The majority of electronic components used in U.S. technology are manufactured in China. Companies including component manufacturers Huawei and ZTE, as well as surveillance camera maker Hikvision, have all fallen under intense suspicion and scrutiny from the U.S. government in the past year.
I'd think that the big guys would be designing their own boards. Maybe we should only buy PCBs from South Korea.
Also at Bloomberg and The Guardian.
Related Stories
Following up on our story from Thursday — Chinese Spy Chips Allegedly Inserted Into Amazon, Apple, etc. Datacenters by Super Micro — there is a report from Ars Technica, "Bloomberg stands by Chinese chip story as Apple, Amazon ratchet up denials":
On Thursday morning, Bloomberg published a bombshell story claiming that the Chinese government had used tiny microchips to infiltrate the data centers of Apple and Amazon. Apple and Amazon, for their part, responded with unusually specific and categorical denials. It's clear that someone is making a big mistake, but 24 hours later, it's still not clear whether it's Bloomberg or the technology companies.
On Thursday afternoon, Apple laid out its case against the story in a lengthy post on its website. The post specifically disputed a number of Bloomberg's claims. For example, Bloomberg says that after discovering a mysterious chip in one of its servers, Apple "reported the incident to the FBI," leading to an investigation. Apple flatly denies that this occurred.
"No one from Apple ever reached out to the FBI about anything like this," Apple writes. "We have never heard from the FBI about an investigation of this kind."
Amazon's response has been equally emphatic and detailed. "There are so many inaccuracies in this article as it relates to Amazon that they're hard to count," Amazon wrote on Thursday. "We never found modified hardware or malicious chips in servers in any of our data centers."
Yet Bloomberg reporter Jordan Robertson, one of the article's co-authors, has stood by his story. In a Thursday afternoon appearance on Bloomberg TV, Robertson said that he talked to 17 anonymous sources—both in US intelligence agencies and at affected companies—who confirmed the story.
So what's going on? It's clear that someone isn't telling the truth, but it's hard to tell what the real story is.
A comment to that story on Ars noted:
The (alleged) chip is associated with the BMC (baseboard management controller). It has indirect access to everything that the BMC can touch, which is pretty much everything in the system.
See, also, coverage on Hackaday where a comment identifies the particular board in question as being a MicroBlade MBI-6128R-T2. A link to a tweet reveals a picture of the board in question and a followup picture showing where the extra device would be located.
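The comment above places the alleged device at the BMC, so one check a defender can run regardless of which side of the dispute is right is whether any BMC interface talks to peers outside the management plane. The following is an added example, not code from the articles or from any vendor; the subnets, allowlist and flow records are constructed assumptions.

```python
"""Flag BMC-originated flows that leave the management plane (added illustration)."""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: BMC/IPMI interfaces sit on a dedicated out-of-band subnet.
BMC_NET = ipaddress.ip_network("10.20.0.0/24")
# Assumption: the only peers a BMC is ever expected to contact.
ALLOWED_PEERS = [
    ipaddress.ip_network("10.20.0.0/24"),   # other management-plane hosts
    ipaddress.ip_network("10.30.5.10/32"),  # admin jump host
    ipaddress.ip_network("10.30.5.53/32"),  # internal NTP/DNS
]

# Constructed flow export taken at the switch, not on the host.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes
2018-10-04T03:00:01Z,10.20.0.17,10.30.5.53,123,76
2018-10-04T03:00:09Z,10.20.0.17,10.30.5.10,443,5120
2018-10-04T03:02:41Z,10.20.0.17,203.0.113.45,443,1830
2018-10-04T03:12:41Z,10.20.0.17,203.0.113.45,443,2210
2018-10-04T03:13:02Z,10.20.0.23,10.20.0.1,623,240
2018-10-04T03:14:30Z,10.20.0.23,198.51.100.7,53,96
2018-10-04T03:15:00Z,10.40.1.8,203.0.113.45,443,88000
2018-10-04T03:16:00Z,10.20.0.99,not-an-ip,80,10
"""


def is_allowed(dst):
    """True if the destination is on the management-plane allowlist."""
    return any(dst in net for net in ALLOWED_PEERS)


def bmc_egress_violations(flow_csv):
    """Return ({bmc_ip: [(dst, dport, bytes), ...]}, malformed_row_count).

    Only flows whose source is inside BMC_NET are considered; ordinary
    host traffic is out of scope for this check.
    """
    violations = defaultdict(list)
    malformed = 0
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
            nbytes = int(row["bytes"])
        except (ValueError, TypeError):
            malformed += 1  # count, do not silently drop, unparseable rows
            continue
        if src in BMC_NET and not is_allowed(dst):
            violations[str(src)].append((str(dst), dport, nbytes))
    return dict(violations), malformed


def summarize(violations):
    """Return [(bmc_ip, distinct_destinations, total_bytes)], largest first."""
    rows = []
    for src, flows in violations.items():
        dsts = {dst for dst, _, _ in flows}
        rows.append((src, len(dsts), sum(n for _, _, n in flows)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    found, bad = bmc_egress_violations(SAMPLE_FLOWS)
    for bmc, n_dst, total in summarize(found):
        print(f"{bmc}: {n_dst} unexpected peer(s), {total} bytes")
    print(f"malformed rows: {bad}")
```

The check is only meaningful when the flow data is captured at a point the BMC cannot bypass, such as the switch port, which is why the sample is modelled as a network-side export rather than host logs.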
Major US telecom was infiltrated by backdoored Supermicro hardware, Bloomberg says
Five days after Bloomberg stunned the world with still-unconfirmed allegations that Chinese spies embedded data-sniffing chips in hardware used by Apple, Amazon, and dozens of other companies, the news organization is doubling down. Bloomberg is now reporting that a different factory-seeded manipulation from the previously described one was discovered in August inside the network of a major US telecommunications company.
Bloomberg didn't name the company, citing a non-disclosure agreement between the unnamed telecom and the security firm it hired to scan its data centers. AT&T, Sprint and T-Mobile all told Ars they weren't the telecom mentioned in the Bloomberg post. Verizon and CenturyLink also denied finding backdoored Supermicro hardware in their datacenters, Motherboard reported.
Tuesday's report cites documents, analysis, and other evidence provided by Yossi Appleboum, who is co-CEO of a hardware security firm called Sepio Systems. Bloomberg said that, while Sepio was scanning servers belonging to the unnamed telecom, the firm detected unusual communications from a server designed by Supermicro. Supermicro, according to last week's Bloomberg report, is the hardware manufacturer whose motherboards were modified in the factory to include a tiny microchip that caused attached servers to come under the control of a previously unreported division of China's People's Liberation Army. Supermicro told Bloomberg it had no knowledge of the implant, marking the second time the hardware maker has denied knowing anything about the reported manipulations.
[...] The criticism was still at full pitch on Tuesday morning when Bloomberg published its follow-up article. While it names a single source, some security experts quickly challenged the credibility of the report. "Sure this story has one named source but it technically makes even less sense than the first one," Cris Thomas, a security expert who tweets under the handle SpaceRogue, wrote. "Come on @Bloomberg get somebody who knows what they're talking about to write these stories. Calling BS on this one as well."
Previously: Chinese Spy Chips Allegedly Inserted Into Amazon, Apple, etc. Datacenters by Super Micro
Bloomberg Stands by Chinese Chip Story as Apple, Amazon Ratchet up Denials
Related: Firmware Vulnerabilities in Supermicro Systems
Supermicro Announces Suspension of Trading of Common Stock on Nasdaq and its Intention to Appeal
Audit: No Chinese surveillance implants in Supermicro boards found
In a letter to customers issued December 11, Supermicro President and CEO Charles Liang and other top executives announced that an audit conducted by an outside investigating team had found no evidence of any malicious hardware incorporated into motherboards currently or previously manufactured by the company. The letter is the latest rebuttal to Bloomberg reports in October that claimed tiny chips that provided a backdoor for China's intelligence agencies had been integrated into boards provided to major Internet and cloud providers—a report also refuted by the companies the report claimed were targeted.
"After a thorough examination and a range of functional tests, the investigative firm found absolutely no evidence of malicious hardware on our motherboards," the letter signed by Liang, Supermicro Senior Vice President and Chief Compliance Officer David Weigland, and Senior VP and Chief Product Officer Raju Penumatcha stated.
Searching for site:soylentnews.org supermicro on Google brought up a Supermicro ad linking the CEO letter, with the link entitled "Supermicro Independent Testing | No Malicious Hardware". Do you believe them?
Previously: Chinese Spy Chips Allegedly Inserted Into Amazon, Apple, etc. Datacenters by Super Micro
Bloomberg Stands by Chinese Chip Story as Apple, Amazon Ratchet up Denials
Bloomberg Claims That a Major U.S. Telecom Operated a Server Backdoored by a Hidden Chip
Related: Apple Deleted Server Supplier After Finding Infected Firmware in Servers
Firmware Vulnerabilities in Supermicro Systems
Supermicro Announces Suspension of Trading of Common Stock on Nasdaq and its Intention to Appeal
(Score: 5, Insightful) by Runaway1956 on Thursday October 04 2018, @03:18PM (5 children)
I presume that the companies named are about as competent as anyone, when it comes to securing their networks. If servers were phoning home to China, no one would notice? No one at all? Maybe not on public-facing machines, but how about those not serving the public? No one ever looked at logs? Strange. I don't think the story is very credible.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 4, Informative) by Spamalope on Thursday October 04 2018, @03:41PM
It's a tiny hardware hack. It wasn't phoning home to anyone. It would have done something to enable the sort of attack used with a buffer overflow, without needing the overflow to write into program storage so you could bypass password protection or the like. i.e. make the server vulnerable to an injection attack at the hardware level.
Any other malware activity would be on the part of a payload dropped afterwards. If they're good, that'll only be exfiltrating small amounts of data, and only with legit data. (or I guess - one time things - misconfigure the VM backup replication target to point to the attacker's server for one replication cycle - then restore the original settings if not caught)
But done well, it could look like software zero day exploits being used to the victims. (if you're using Adobe products, are you shocked if there appears to be another vulnerability? again?)
(Score: 4, Insightful) by Anonymous Coward on Thursday October 04 2018, @05:19PM
"If servers were phoning home to China, no one would notice?"
This is a needle in haystack problem that is created partly by the CDNs. They don't have to phone home to China, they only have to phone home to a CDN, which can then proxy the data back to China. The content looks like any other SSL encoded web query, since the CDN is used by a large number of vendors at the same time. Kind of like a reverse VPN provider. But there are a lot of other ways to do it.
This is one of the problems that has been created by the "network management" aka. monopoly techniques used by a lot of the carriers. The more the CDNs aggregate traffic, the more difficult it becomes to separate the wheat from the chaff for individual security admins. And having worked for a big carrier, I can tell you from experience that customer exploitation is the rule, and client security is a joke. The only people they do traffic analysis for voluntarily, is advertisers and consumer profiling agencies.
NN is a factor here. The carriers moving towards walled gardens would actually make this problem worse because it would mean a higher reliance on CDN traffic, vs. direct traffic delivery. So in this case supporting NN also supports national security in a very practical day to day troubleshooting kind of way. That difference is quantified by having thousands of individual security admins analyzing traffic vs. four guys with slurpies in a telecom basement in NYC, whose default response is pretty much "fuck off, I'm busy". And the reason they'd get away with it is because they answer to management that supports that attitude, because customer loss prevention doesn't generate revenue.
IOW, do you really want to be calling Comcast to be figuring out where your traffic goes, or would you rather depend on your own network analysis tools?
(Score: 2, Informative) by Anonymous Coward on Thursday October 04 2018, @06:14PM (1 child)
1) Victims claim it's fake news: https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond [bloomberg.com]
2) Adding an _additional_ tiny chip to do all of what is claimed sounds rather implausible:
a) The chip would need to be connected to stuff. Changing the tracking is not always a small change or possible.
b) In contrast if you instead modified existing stuff (e.g. existing chips for Intel AMT, BIOS, NICs, southbridge, etc), it would already be connected to the tracks and hardware you need, and the bean counters, security auditors and other annoyances will be far less likely to spot your changes. The existing stuff would do the bulk of the work for you.
That said Intel has added USB debugging: https://www.scmagazineuk.com/debugging-mechanism-intel-cpus-allows-seizing-control-via-usb-port/article/1475548 [scmagazineuk.com]
So you could possibly add something to a usb line, but like I said it should be far easier to hide it elsewhere in existing hardware and you'd likely get more "features and capabilities".
(Score: 0) by Anonymous Coward on Friday October 05 2018, @03:53PM
The description suggests to me that they were under an existing package. Essentially a hardware MITM attack, with leads probably just connected directly to the package leads.
Sounds like it might have been under a non-integrated NIC chip, or under the RJ45 jack itself. Cool. Of course they probably got the idea after ripping apart a few of their own machines and discovered a little gift, courtesy of the NSA.
(Score: 2) by sonamchauhan on Sunday October 07 2018, @02:48AM
This chip is connected to the baseband management controller. Among other things, it snoops on all network packets. Send it a few pre-agreed, well crafted bytes, and it could start doing stuff
(Score: 3, Interesting) by Anonymous Coward on Thursday October 04 2018, @03:20PM (2 children)
Apple knew there was an issue with SuperMicro servers back in 2016 and removed SuperMicro servers [soylentnews.org] from their data centers.
I doubt other data center operators ignored Apple's actions, so they all probably knew something was amiss.
(Score: 4, Interesting) by ikanreed on Thursday October 04 2018, @04:08PM (1 child)
Yes, multiple companies purged this hardware while doing nothing to alert the public.
Probably at the behest of our intelligence apparati that have never seen information they thought the public should be aware of.
(Score: 2) by bob_super on Thursday October 04 2018, @05:20PM
At the same time, there was hysteria about Huawei equipment being bugged...
(Score: 3, Informative) by Spamalope on Thursday October 04 2018, @03:33PM
From Bloomberg: The chips at issue were not part of the design. They were there to facilitate other malware.
I'm really laughing that bypassing the management engine's security was mentioned. That's secure enough you'd need a special attack?
(Score: 1, Funny) by Anonymous Coward on Thursday October 04 2018, @03:52PM (3 children)
yes, yes but does it run crysis?
(Score: 0) by Anonymous Coward on Thursday October 04 2018, @04:42PM (2 children)
(Score: 1, Funny) by Anonymous Coward on Thursday October 04 2018, @10:39PM (1 child)
.... natalia portmans covered in hot grits, naked and petrified.
(Score: 1) by infodragon on Friday October 05 2018, @01:00PM
Now all we need is a signal11 joke...
Don't settle for shampoo, demand real poo!
(Score: 5, Interesting) by Unixnut on Thursday October 04 2018, @04:43PM (4 children)
While an impressive little addition to the motherboards, and very hard to find, it still lags behind the West's spy chips, which are nicely embedded in the processor itself, and hidden in plain view under names like "management engine" and somesuch.
Then of course, you got the UEFI boondoggle, an entire OS running under your system, in ring -1, with full hardware access, with its own keysigning chips, and you have no idea what keys were burned in when it was built.
I am honestly surprised the Chinese bothered with their own little spy chips, might have been easier to try to find the existing backdoors already in place. Although I suspect these chips may predate the new "inbuilt" backdoors currently being toted about.
The article states that this was only "discovered" in 2015, and an investigation started, we may not know when they first started implementing the spy chips on the MBs.
Assuming of course, this is all true, and not just invented as a "Casus belli" for more trade war. However, if we know it has been installed in all Supermicro MBs since at least 2015, it should be relatively easy for anyone with access to one to have a look.
(Score: 1, Interesting) by Anonymous Coward on Thursday October 04 2018, @06:28PM (2 children)
Intel AMT has been around for a long time: https://en.wikipedia.org/wiki/Intel_AMT_versions [wikipedia.org]
So it's more likely that this is fakenews/propaganda. As you said it's easier to use existing backdoors. The Chinese would be well aware of the AMT stuff and they might as well use it. You don't even have to tamper directly with it; an additional NIC in a NIC won't always be noticed.
Why shove stuff between layers in a motherboard (as the Bloomberg article claims) when there are already chips connected to the stuff you need - ethernet interface etc.? It's not so easy to audit silicon for "unauthorized modifications/features".
Then they may claim only certain machines were affected... They already say stuff like:
(Score: 2) by Unixnut on Friday October 05 2018, @09:19AM (1 child)
All fair points, however I had a look at your link, the first gen AMT was in motherboards of the same generation as the D975XBX2, which (based on what I found online) was released around 2006/2007.
The first gen AMT may not have been very useful as a backdoor. The wiki states that it only really had control over ethernet, at best it could have copied ethernet frames and forwarded traffic remotely, but a decent IDS would have noticed that.
However, assuming that the AMT system had a backdoor since the very beginning. Supermicro itself was founded in 1993, meaning that there was a 14 year gap before AMT came around. For all we know these chips might have been put in from the very start, and the Chinese spooks saw no reason to remove it even after other backdoors came into play. Always good to have multiple entrypoints into a system.
(Score: 0) by Anonymous Coward on Wednesday October 10 2018, @04:27PM
Supermicro is a US company. Founded by some guy from Taiwan (not the same country as China).
(Score: 2) by Reziac on Friday October 05 2018, @06:33AM
Does anyone here have one of these boards that they could sacrifice for testing?
And there is no Alkibiades to come back and save us from ourselves.
(Score: 0) by Anonymous Coward on Thursday October 04 2018, @04:54PM
I doubt that matters. Since the chip packages are standardized, and the only thing that can be visually distinguished between two chips in the same package, is the printing on the face of it, inserting counterfeits is probably as simple as bribing a truck driver.
At this point I think it is fair to say, we all already knew it was coming. Foreign nations like to spy on Americans, almost as much as our own government does. How lucky we are that they should show us so much attention!
(Score: 2, Interesting) by Anonymous Coward on Thursday October 04 2018, @04:55PM (2 children)
you people are really dumb if you can't discern USA's ruling class war propaganda
(Score: 2) by LoRdTAW on Thursday October 04 2018, @06:34PM
This is actually plausible. Both Amazon and Apple have denied their hardware was affected. Of course they could be lying to save face though we don't (and most likely will never know). Other speculation includes the affected hardware being removed in secret in cooperation with the US government.
One thing is for sure, we're going back to the good ol' cold war days. But this time we aren't up against a crumbling nation, we're up against something a lot bigger and much worse. Enjoy!
(Score: 0) by Anonymous Coward on Thursday October 04 2018, @08:50PM
you people are really dumb if you can't discern China's damage control shills
(Score: 3, Insightful) by AssCork on Thursday October 04 2018, @05:14PM (5 children)
Maybe bring some of these manufacturing jobs back 'home' to the UK & US? I mean, that wouldn't completely prevent this type of secret-chip-embedded in hardware problem, but it sounds like that would go a long way towards helping out.
Just popped-out of a tight spot. Came out mostly clean, too.
(Score: 1, Insightful) by Anonymous Coward on Thursday October 04 2018, @05:20PM
Or maybe use a well known design and verify it by destructively auditing samples, read: ESM analysis versus known matrices or dies? They designed the chips themselves, didn't they?
Oh, but then USA backdoors may come into the light. Let's not do it and answer all questions in this matter with intellectual property babble.
(Score: 2) by bob_super on Thursday October 04 2018, @05:35PM (3 children)
There is such a thing as "trusted factories", specifically designed to avoid this kind of surprise for classified and sensitive payloads.
(Score: 0) by Anonymous Coward on Thursday October 04 2018, @09:26PM (2 children)
I know that Huawei cut through a few samples of every component they receive to check for bugs and if you're not on the paranoid scale it's probably also quality control. I won't bother reading through these articles because I assume I'm not going to find more technical details (aka. evidence), if there are details I hope they'll sieve down to SN.
If I were to bug someone I would intercept the delivery and bug it there, it seems insane and highly unlikely to start involving a manufacturer with thousands of employees involved in the product.
(Score: 4, Informative) by bob_super on Thursday October 04 2018, @09:49PM (1 child)
I've seen many assembly lines. Nobody has a clue what the chips they put on the PCBs do.
Put the tray/reel in, check the part is soldered. Run the test you got from ENG, move on to the next board.
You need a guy or five in engineering, optionally an additional guy in Test Engineering.
Purchasing guy gets a part number and a supplier, nobody on the floor knows or cares what the chips do.
(Score: 3, Informative) by Ethanol-fueled on Friday October 05 2018, @01:02AM
Yep, every sane business that deals with boards has training regarding counterfeit parts (almost always ICs) and quarantine procedures. It's a pretty fuckhuge problem in the 'biz, and even you lowly Arduino users get bitten in the ass from counterfeit shit when that clone you buy with the counterfeit FTDI chip gets bricked during the FTDI driver install and now your Arduino (or anything else with an FTDI chip, such as USB to RS-232 or RS-485 adapters) is fucking worthless.
(Score: -1, Flamebait) by Anonymous Coward on Thursday October 04 2018, @06:38PM (2 children)
The Chinks at it again.
Why not do business instead with a friendlier commie govt? Like Vietnam? We're all friends now, right, united in our belief in a Higher Dollar?
We can hand them all our knowledge and build them up.
(Score: 2) by takyon on Thursday October 04 2018, @08:14PM (1 child)
That's racist.
Also, you could build up Vietnam and it would never become the problem that China is given its current borders and population. But on the other hand China will just steal the trade secrets from Vietnam or wherever they are found.
The correct response is to make things in the U.S.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Thursday October 04 2018, @09:40PM
I believe that is the entire purpose of this claim, but again that's just my claim.
(Score: -1, Flamebait) by Anonymous Coward on Thursday October 04 2018, @08:40PM (1 child)
You move all Intel microprocessor manufacture to the illegitimate state of israel where the khazars insert their spyware and back doors into hardware you thought was secure. You keep worrying about software security, when the actual problem is the insane psychopathic communist criminal jew adding spyware.
And this sets the precedent for others to attempt the same criminal activity as the khazar jew. China is no exception and wants to control at least some of the spyware market. No surprises there.
(Score: 0) by Anonymous Coward on Friday October 05 2018, @12:18AM
It's good to imagine that there is indeed a person behind comments on the Internet. It reminds you that they're a person, with thoughts and feelings.
Having said that, I simply cannot imagine a person writing this. An actual, real-life troll, maybe..
(Score: 1, Informative) by Anonymous Coward on Friday October 05 2018, @01:06AM (1 child)
It's American. https://www.supermicro.com/about/index.cfm [supermicro.com]
(Score: 2) by Reziac on Friday October 05 2018, @06:39AM
The company is American. But where are their boards fabricated? Best info I can find offhand implies Taiwan.
And there is no Alkibiades to come back and save us from ourselves.