The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

[sdifox]

i'd really like to see one of these things

there may be tons of unpopulated areas on a board for test or just never removed for production. i could see a custom bga or lcc package size or SO8 ( you could hide a lot on that ) something placed on a common serial bus where it could talk and get power. i wonder why the writer said 'signal conditioning couplers' - a passive rf device

More sinister is to take a chip that is supposed to be there, make it with a smaller trace process and add your own logic to it.

 

[compcons]

I got to this part and stopped reading.

"the chips allowed the attackers to create a stealth doorway into any network that included the altered machines"

Regardless of what is done to hide the contents of traffic, it still goes someplace. These are servers we are talking about. I'm gonna go out on a limb (not really) and say the likes of Amazon and Apple SOC/NOC folks are going to notice encrypted communications with unknown or untrusted IP addresses.

If these were edge routers or some other network devices, I may suspend disbelief and play along. Regardless of what is done to a server (the devices in question) the network control and monitoring still wins. Unless these chips somehow grew legs and move to the edge, they don't get to communicate with anything.

That said, some Chinese haxorz may have infiltrated a manufacturing site and done some stuff to servers, but I don't see the need for concern.

 

[Ichinisan]

I got to this part and stopped reading.

"the chips allowed the attackers to create a stealth doorway into any network that included the altered machines"

Regardless of what is done to hide the contents of traffic, it still goes someplace. These are servers we are talking about. I'm gonna go out on a limb (not really) and say the likes of Amazon and Apple SOC/NOC folks are going to notice encrypted communications with unknown or untrusted IP addresses.

If these were edge routers or some other network devices, I may suspend disbelief and play along. Regardless of what is done to a server (the devices in question) the network control and monitoring still wins. Unless these chips somehow grew legs and move to the edge, they don't get to communicate with anything.

That said, some Chinese haxorz may have infiltrated a manufacturing site and done some stuff to servers, but I don't see the need for concern.

These servers stream to end users. It might be possible to covertly bundle some extra data with the requested data that is transmitted to an end-user. One of those end users might be more than just a regular customer of Amazon (or iCloud, or whichever platform). Maybe compromised machines could recognize when talking to another compromised internal system. They could form a chain that reaches to a machine that is supposed to communicate to hundreds of end-users on the outside, then relay sensitive internal information.

 

[Josephus312]

A bullshit story without any evidence where there should be an abundance of evidence.

But yeah, let's argue about it as if it was true anyway?

 

[Josephus312]

More sinister is to take a chip that is supposed to be there, make it with a smaller trace process and add your own logic to it.

And that wouldn't do jack shit without a software component unless you are suggesting they incorporated a ROM module without anyone noticing? Even then it wouldn't do jack shit without a driver unless that was incorporated and unaffected by installed software. It would have to be a direct link to the network card as well as every other system or it would be completely useless.

I'm going to say it would be impossible to do it while a simple software component would be very, very easy to implement and no more detectable.

 

[Victorian Gray]

A bullshit story without any evidence where there should be an abundance of evidence.

But yeah, let's argue about it as if it was true anyway?

Hey, folks are saying the Chinese are the devil unlike those nice Russian fellas.

 

[tweaker2]

Hey, folks are saying the Chinese are the devil unlike those nice Russian fellas.

I just keep wondering why all those folks are Republicans who voted for Trump?

 

[SlowSpyder]

He is all talk. What is he going to personally do about it?

Tariffs on a majority of their exports to us so far. Soon we may start sourcing from other countries. Paying a bit more to protect the intellectual property of American companies isn't a terrible trade off. This do-nothing, oh well attitude you have seems like an odd way to go about the problem. Again, glad we have someone with some spine in office and not some pushover.

 

[Jhhnn]

Tariffs on a majority of their exports to us so far. Soon we may start sourcing from other countries. Paying a bit more to protect the intellectual property of American companies isn't a terrible trade off. This do-nothing, oh well attitude you have seems like an odd way to go about the problem. Again, glad we have someone with some spine in office and not some pushover.

Yeh, Trump really showed some spine in Helsinki, didn't he? Not to mention falling in love with Kim Jong Un...

 

[SlowSpyder]

Yeh, Trump really showed some spine in Helsinki, didn't he? Not to mention falling in love with Kim Jong Un...

He's done more to make peace and have some kind of normalized relationship with NK than several admins before him. I think having a non-nuclear NK is preferable to them having intercontinental missiles and nuclear weapons.

 

[DigDog]

Bloomberg hasnt really done any cutting edge reporting in quite a while ..

Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article
https://aws.amazon.com/blogs/securi...on-bloomberg-businessweeks-erroneous-article/

Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.

As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.

There are so many inaccuracies in ‎this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).

The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers. And, this notion that we sold off the hardware and datacenter in China to our partner Sinnet because we wanted to rid ourselves of SuperMicro servers is absurd. Sinnet had been running these data centers since we ‎launched in China, they owned these data centers from the start, and the hardware we “sold” to them was a transfer-of-assets agreement mandated by new China regulations for non-Chinese cloud providers to continue to operate in China.

Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners. We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment.

Security will always be our top priority. AWS is trusted by many of the world’s most risk-sensitive organizations precisely because we have demonstrated this unwavering commitment to putting their security above all else. We are constantly vigilant about potential threats to our customers, and we take swift and decisive action to address them whenever they are identified.

– Steve Schmidt, Chief Information Security Officer

 

[senseamp]

What's Bloomberg's liability if the story is false? SuperMicro was running at roughly $700M in quarterly sales in 2017. I can imagine their sales have tanked to close to zero or at least by several hundreds of millions per quarter.

 

[Svnla]

US Government says no - https://techcrunch.com/2018/10/07/homeland-security-denies-bloomberg-spy-chip-report/

 

[brycejones]

Putting on my tinfoil hat.....

As anyone going to admit it publicly if this really happened?

 

[IJTSSG]

I don't have a link to it handy but google 'George Stathakopoulus letter to congress' and read his response to this. He's the VP - InfoSec for Apple. Many of us have had to make similar statements to our CEO's and BoD's over the last few days. Pain in the ass.

 

[WelshBloke]

Putting on my tinfoil hat.....

As anyone going to admit it publicly if this really happened?

When everyone involved says something didn't happen and there's no evidence to say it did what does occams razor say?

There's plenty to get pissed at China about but let's keep it to real things.
This just looks like more FUD in the trade war.

 

[Viper GTS]

We use a lot of Elemental gear as well as Super Micro branded stuff so this has been getting discussed at work.

My perspective from the beginning has been:

1) Show me the chip
2) Show me a motherboard with the chip in/on it
3) Show me an x-ray of the chip in place if it's inside it
4) Show me an SEM image of the chip and analyze what it's doing
5) Show me network trace data
6) Show me network trace analysis - What's the traffic, where's it going, is it getting anything in return, etc.

Beyond all of this I find it extraordinarily unlikely that a company like Amazon or Apple would ever let traffic from something like this make it out of their facility, much less let it go unnoticed for an extended period of time.

They have essentially no evidence for something that should be fairly easy to get evidence of. Smells like bullshit to me until I hear real technical analysis.

Viper GTS

 

[hal2kilo]

He's done more to make peace and have some kind of normalized relationship with NK than several admins before him. I think having a non-nuclear NK is preferable to them having intercontinental missiles and nuclear weapons.

How's that going to happen? No evidence of it yet. What's our inspection protocol. So many details that have not been explained.

 

[dawp]

looks like some ethernet ports were altered and installed

https://www.bloomberg.com/news/arti...ro-hardware-found-in-u-s-telecom?srnd=premium

https://www.theverge.com/2018/10/9/17955848/supermicro-telecom-server-hack-apple-amazon

this second link just refers to the first

 

[senseamp]

I'll file this under maybe.

 

[cliftonite]

I wonder if I could get some cheap SuperMicro equipment for homelab.

 

[realibrad]

looks like some ethernet ports were altered and installed

https://www.bloomberg.com/news/arti...ro-hardware-found-in-u-s-telecom?srnd=premium

https://www.theverge.com/2018/10/9/17955848/supermicro-telecom-server-hack-apple-amazon

this second link just refers to the first

This is interesting.

The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013. In emails, Appleboum and his team refer to the implant as their “old friend” — because, he said, they previously saw several variations in investigations of hardware made by other companies that do manufacturing in China.

In response to the Businessweek report, the Norwegian National Security Authority said last week that it had been "aware of an issue" connected to Supermicro products since June. It said it couldn’t confirm the details of Bloomberg's reporting but has recently been in dialogue with partners over the issue.

 

[repoman0]

I wonder if I could get some cheap SuperMicro equipment for homelab.

I'm selling my CSE-826B Xeon V3 server (glorified NAS / router, moving to dedicated NAS and router ) ... very poor timing to decide I've had enough of the power consumption

 

[WelshBloke]

Apple are pretty vehement about this not happening.

https://arstechnica.com/information...n-bloomberg-to-retract-its-chinese-spy-story/