
posted by Fnord666 on Wednesday October 10 2018, @11:45AM
from the he-said-she-said dept.

Major US telecom was infiltrated by backdoored Supermicro hardware, Bloomberg says

Five days after Bloomberg stunned the world with still-unconfirmed allegations that Chinese spies embedded data-sniffing chips in hardware used by Apple, Amazon, and dozens of other companies, the news organization is doubling down. Bloomberg is now reporting that a factory-seeded manipulation, different from the one previously described, was discovered in August inside the network of a major US telecommunications company.

Bloomberg didn't name the company, citing a non-disclosure agreement between the unnamed telecom and the security firm it hired to scan its data centers. AT&T, Sprint and T-Mobile all told Ars they weren't the telecom mentioned in the Bloomberg post. Verizon and CenturyLink also denied finding backdoored Supermicro hardware in their datacenters, Motherboard reported.

Tuesday's report cites documents, analysis, and other evidence provided by Yossi Appleboum, who is co-CEO of a hardware security firm called Sepio Systems. Bloomberg said that, while Sepio was scanning servers belonging to the unnamed telecom, the firm detected unusual communications from a server designed by Supermicro. Supermicro, according to last week's Bloomberg report, is the hardware manufacturer whose motherboards were modified in the factory to include a tiny microchip that caused attached servers to come under the control of a previously unreported division of China's People's Liberation Army. Supermicro told Bloomberg it had no knowledge of the implant, marking the second time the hardware maker has denied knowing anything about the reported manipulations.

[...] The criticism was still at full pitch on Tuesday morning when Bloomberg published its follow-up article. While it names a single source, some security experts quickly challenged the credibility of the report. "Sure this story has one named source but it technically makes even less sense than the first one," Cris Thomas, a security expert who tweets under the handle SpaceRogue, wrote. "Come on @Bloomberg get somebody who knows what they're talking about to write these stories. Calling BS on this one as well."

Previously: Chinese Spy Chips Allegedly Inserted Into Amazon, Apple, etc. Datacenters by Super Micro
Bloomberg Stands by Chinese Chip Story as Apple, Amazon Ratchet up Denials

Related: Firmware Vulnerabilities in Supermicro Systems
Supermicro Announces Suspension of Trading of Common Stock on Nasdaq and its Intention to Appeal

  • (Score: 2) by dltaylor on Wednesday October 10 2018, @01:19PM (6 children)

    by dltaylor (4693) on Wednesday October 10 2018, @01:19PM (#746935)

    Plenty of skill available to install back doors in the ME code, so it could be that.

    Honestly, though, how many companies perform a thorough receiving inspection, verifying the BIOS against a third-party inventory (get an image from Intel of their bits and check them against the BIOS, for example), checking that the components on the motherboards are exactly and only what should be there (although it wouldn't be hard to fab an I/O chip to have extra "features"), and running a port scan, at least, of boards in a test environment, for example (hardly an exhaustive list)?

  • (Score: 2) by RS3 on Wednesday October 10 2018, @01:54PM (5 children)

    by RS3 (6367) on Wednesday October 10 2018, @01:54PM (#746947)

    I like your thinking and I'd like to think inspections are being done, but I'm skeptical. Laziness is a big factor, often justified by cost reductions. Another factor is "production variations".

    To verify a BIOS image you'd have to remove the chip and read it in a chip reader. You might be able to do it in-circuit but I doubt it. Booting an MB risks a clever BIOS trojan hiding itself. If you were sure you could read hardware-level bits you could do it but I'd rather remove the chip.

    • (Score: 3, Interesting) by DannyB on Wednesday October 10 2018, @05:39PM (4 children)

      by DannyB (5839) Subscriber Badge on Wednesday October 10 2018, @05:39PM (#747053) Journal

      Just an idea.

      What if BIOS / UEFI were in a socketed ROM chip, or something similar? The idea being that the only way to replace it is to have physical access to the computer. Not remote access. (Yes, I get it that in a data center this might not be the best idea. But for many other PCs it might be.)

      There could be a way to verify the contents of these ROM chips (or game cartridges or whatever they are). Heck, you might be able to buy a unit on Amazon that provides multiple checksums in different algorithms. That way if one hash / checksum algorithm is weak, you still can't fake all of them by manipulation of the contents.

      You could obtain your ROM independently. The verification device independently. The computer independently.

      If you don't like a firmware upgrade, just plug the old one back in.

      Trump is a poor man's idea of a rich man, a weak man's idea of a strong man, and a stupid man's idea of a smart man.
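As an added example (not code from the thread or from any vendor) of the receiving-inspection step dltaylor and DannyB describe: a flash dump is compared against a vendor reference image under several independent hash algorithms, and on a mismatch the differing byte ranges are located. The reference image and the tampered dump are constructed inline; in practice the dump would come from a chip reader as RS3 suggests.

```python
import hashlib
from typing import Dict, List, Tuple

# Independent algorithms, as suggested in the thread: forging a collision in
# one of them still leaves the others to match.
ALGORITHMS = ("sha256", "sha3_256", "blake2b")


def digests(image: bytes) -> Dict[str, str]:
    """Hex digest of the image under every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, image).hexdigest() for name in ALGORITHMS}


def differing_ranges(reference: bytes, dump: bytes) -> List[Tuple[int, int]]:
    """Byte ranges [(start, end), ...] (end exclusive) where the images differ.
    A length mismatch is reported as one trailing range."""
    ranges: List[Tuple[int, int]] = []
    common = min(len(reference), len(dump))
    start = None
    for i in range(common):  # byte-wise scan; fine for a few MiB of flash
        if reference[i] != dump[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, common))
    if len(reference) != len(dump):
        ranges.append((common, max(len(reference), len(dump))))
    return ranges


def verify_image(reference: bytes, dump: bytes) -> dict:
    """Compare a flash dump against the vendor reference image."""
    ref_d, dump_d = digests(reference), digests(dump)
    mismatched = [a for a in ALGORITHMS if ref_d[a] != dump_d[a]]
    return {
        "ok": not mismatched,
        "mismatched_algorithms": mismatched,
        "differing_ranges": differing_ranges(reference, dump) if mismatched else [],
    }


# Constructed sample data: a 4 KiB "vendor" image and a dump with 16 bytes
# overwritten at offset 0x800 (hypothetical tampering, not a real firmware).
REFERENCE_IMAGE = bytes(range(256)) * 16
_patched = bytearray(REFERENCE_IMAGE)
_patched[0x800:0x810] = b"\x90" * 16
TAMPERED_DUMP = bytes(_patched)

if __name__ == "__main__":
    print(verify_image(REFERENCE_IMAGE, REFERENCE_IMAGE))
    print(verify_image(REFERENCE_IMAGE, TAMPERED_DUMP))
```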
      • (Score: -1, Offtopic) by Anonymous Coward on Wednesday October 10 2018, @05:51PM

        by Anonymous Coward on Wednesday October 10 2018, @05:51PM (#747059)

        A socketed BIOS won't help if the motherboard has a parasitic implant.

      • (Score: 5, Informative) by RS3 on Wednesday October 10 2018, @07:22PM (1 child)

        by RS3 (6367) on Wednesday October 10 2018, @07:22PM (#747091)

        In fact when I hurriedly wrote my previous comment I was looking at an 8-year-old ASUS MB which has, in good ASUS form, a BIOS chip in an 8-pin DIP socket. That would be a big positive deciding factor for me (socketed BIOS).

        Also gets you out of the "bricked" MB due to failed BIOS update.

        Also allows you to program BIOS using a programmer. I get very frustrated with BIOS updates being a Windows-only .exe when I have a Linux-only server.

        • (Score: 2) by DannyB on Wednesday October 10 2018, @09:45PM

          by DannyB (5839) Subscriber Badge on Wednesday October 10 2018, @09:45PM (#747159) Journal

          Pssssssst! Shhhhhhh! Don't tell anyone but that socketed ROM might even be able to hold an OS of sorts.

          Trump is a poor man's idea of a rich man, a weak man's idea of a strong man, and a stupid man's idea of a smart man.
      • (Score: 0) by Anonymous Coward on Thursday October 11 2018, @04:43PM

        by Anonymous Coward on Thursday October 11 2018, @04:43PM (#747495)

        This was the entire problem with the switch to 8-pin SPI. The write protect jumper never actually write protected the hardware. And due to the design they are all soft protected only *AFTER* the system has initialized, the write protect jumper is shorted AND the write protect enable command is then sent to the BIOS chip... and only until power to the chip is reset or glitched, at which point it is writeable again.

        This is a huge flaw/'feature' in all currently produced flash chips (someone tell me if there were 2 megabit or megabyte parts where this wasn't true) that renders them soft writeable in almost all situations, which is part of the excuse for 'softblocking' memory ranges using the southbridge/FCH.

        Solve this and you would go a long way towards solving other security issues on modern computer mainboards, the other major one being user controlled signing keys or 'out of system' firmware verification and control units, like IPMI or ME, but user controlled.