Dell Ships Infected Motherboards

← Back to Stories (view on slashdot.org)

Dell Ships Infected Motherboards

Posted by CmdrTaco on Wednesday July 21, 2010 @02:23AM from the scanners-do-nothing dept.

An anonymous reader writes "Computer maker Dell is warning that some of its server motherboards have been delivered to customers carrying an unwanted extra: computer malware. It could be confirmation that the 'hardware trojans' long posited by some security experts are indeed a real threat."

25 of 326 comments (clear)

Min score:

Reason:

Sort:

Wow, Dell... by gorzek · 2010-07-21 02:25 · Score: 4, Funny

That's some great QA you've got going on over there.

--
Check out my world simulator thingy.
1. Re:Wow, Dell... by hedwards · 2010-07-21 02:26 · Score: 4, Funny
  
  Dude, I'm getting a GENERIC VIAGRA!
2. Re:Wow, Dell... by gorzek · 2010-07-21 02:36 · Score: 5, Interesting
  
  Just because you have a third party manufacture your hardware doesn't mean you shouldn't do your own QA. After all, it's your reputation on the line, not that of the nameless sweatshop contractor.
  So, yeah, this is thoroughly Dell's fault for not caring about their brand or reputation.
  
  --
  Check out my world simulator thingy.
3. Re:Wow, Dell... by Richard_at_work · 2010-07-21 02:43 · Score: 4, Insightful
  
  Unfortunately you cannot QA 100% of everything you ship without significantly affecting costs - as the article states, Dell is saying that this affects a small number of motherboards sent out in a particular manner, so its quite possible that this slipped through a random item QA testing net out into the open without there being any real QA procedure issue.
Dude, you're getting... by Farmer+Tim · 2010-07-21 02:26 · Score: 4, Funny

pwned.

--
Blank until /. makes another boneheaded UI decision.
It's not a hardware trojan by lseltzer · 2010-07-21 02:30 · Score: 5, Insightful

It's firmware, meaning software in a ROM. It's only slightly unconventional.
And they say it's only on motherboards sent out as replacements. Interesting, you would think this would make it fairly easy to identify the source.
1. Re:It's not a hardware trojan by Lumpy · 2010-07-21 03:22 · Score: 5, Interesting
  
  Incorrect. It's firmware, meaning it's software in a FLASH or EEPROM on rare occasions. That means it can be re-written by applications that know how to talk to it. Writing to a FLASH is not hard or a secret, in fact I wrote a self destruct years ago to screw with a kid that kept trying to break into our dial up server. It was called "Router Passwords.exe" and it simply tried to write FF FF FF to the beginning of the Bios flash chip for several different common motherboards.
  it worked, the kid never tried to connect again after he downloaded that bomb.
  If it was a ROM, my trick would not work as you can not update or write to ROM's.
  
  --
  Do not look at laser with remaining good eye.
2. Re:It's not a hardware trojan by Rogerborg · 2010-07-21 03:49 · Score: 4, Funny
  
  There's no schooling like the old schooling. Say, could you hear him screaming down his acoustic coupler?
  
  --
  If you were blocking sigs, you wouldn't have to read this.
Bad Article by Co0Ps · 2010-07-21 02:30 · Score: 5, Informative

From TFA:

This malware code has been detected on the embedded server management firmware.
Firmware != Hardware It would have been impressive if it was a real hardware virus though e.g. some malicious chip that opens a backdoor on the network cards and allows remote code execution.
1. Re:Bad Article by fuzzyfuzzyfungus · 2010-07-21 02:41 · Score: 4, Insightful
  
  Arguably the IPMI is one step easier than just the motheboard firmware. Those suckers are basically little embedded computers, typically running linux or vxworks, with their own processor and everything. They happen to be physically coupled to the motherboards of larger devices; but, architecturally, they are basically the same as any of the "little bitty plastic box" style embedded network appliances.
  
  Given the fact that embedded appliances frequently have security made of pure shit, and servers are rather high value targets, the only real surprise is that they aren't targeted more often. Especially, if you are super lucky, the IPMI card will be connected to the oh-so-special-and-physically-separate-for-security "management network", which is where all the juicy; but often vulnerable, management interfaces live. Nice place to have an attack platform silently embedded...
What did you expect? by Chas · 2010-07-21 02:34 · Score: 5, Insightful

Basically the entire computer's assembled in a sweatshop by barely literate people who are being paid jack-shit to assemble a "rich-boy toy" for some perceived fat cat in the US who sleeps on piles of money.
How the hell would they know if someone decided to pull a dick move like this?
And for what they're being *COUGH*paid*COUGH*, why the hell would they even care?

--

Chas - The one, the only.
THANK GOD!!!
1. Re:What did you expect? by Elbowgeek · 2010-07-21 02:42 · Score: 5, Insightful
  
  You do raise a good point. *We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell. Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.
  
  --
  Who is this delectable creature with an insatiable love of the dead?
2. Re:What did you expect? by Taco+Cowboy · 2010-07-21 02:46 · Score: 4, Insightful
  
  Thus Dell is forced to outsource their firmware development and manufacture to China with too little oversight, leaving greater opportunity for exploitation by those with malicious intent.
  Does it follow that if the servers are manufactured in the U. S. of A. there will be no people "with malicious intent" and thus the servers would surely be guaranteed safe?
  
  --
  Muchas Gracias, Señor Edward Snowden !
3. Re:What did you expect? by Bill_the_Engineer · 2010-07-21 03:09 · Score: 4, Insightful
  
  *We* the consumer have demanded the cheap prices of the hardware we buy, thus squeezing the profit margins of companies like Dell.
  Half truth. Dell did not add any value to their products and decided to compete on price. In order to lower their prices and retain their profit margins they outsourced their assembly to countries with lower labor costs. Dell was not forced to lower their price, they choose to compete on price alone.
  *We* the consumer did not demand cheap prices, instead we purchased whatever gave us the better value. Which for some means the cheapest machine that runs stock Windows 7 for home, but for others features and/or better components may be deciding factor (eq. Apple, Alienware, Voodoo PC, Sony, etc.)
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
4. Re:What did you expect? by mwvdlee · 2010-07-21 03:26 · Score: 4, Insightful
  
  Here's a clue for those clueless people - demanding the lowest price in a global economy ensures that those products will be manufactured where the cost of labor and material is lowest, and that ain't America or Western Europe
  So if those people would be willing to pay more, the products would be manufactured in more expensive countries instead of the companies continuing cheap labor manufacturing and simply making a bigger profit?
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
5. Re:What did you expect? by Tom · 2010-07-21 03:36 · Score: 4, Interesting
  
  No we haven't, and no they weren't forced.
  Dell decided to produce cheaper, in order to compete on price. They could have decided to compete on, say, quality, service, security, or any other area. They didn't.
  The "we the customer" meme should be shot on sight. It's from the 50s when we had something resembling free markets. Quick, how many major computer hardware manufacturers are there? So what are your choices, really? What are the choices of the general public, who know very little about computers or what goes into them?
  There's no such thing as customer decision. If at all, there is customer choice, among the products that are offered. The people who decide what kinds of products are available to be chosen from aren't the customers, it's some dudes in the marketing and product management departments.
  Don't make it too easy for them to avoid the blame. Nobody forced them to outsource to China. They decided to do it, because it would improve their bottom line. There are some - not many, but they exist - companies who made a different choice. Just because everyone else does it does not mean you have to do it - it just gives a manager with little interest beyond his yearly bonus a very easy excuse.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
6. Re:What did you expect? by localman57 · 2010-07-21 03:39 · Score: 4, Funny
  
  If you consider being able to recognize a McDonalds sign as a sign for McDonalds as your criterion for literacy, then yes, I'd say we've achieved 99% literacy.
7. Re:What did you expect? by Waffle+Iron · 2010-07-21 04:02 · Score: 5, Insightful
  
  The next time a WalMart shopper complains about job outsourcing, offer to show them the cause of the problem and hand them a mirror.
  The problem is that the "global free market" is a multi-player version of the Prisoner's Dilemma game. It's been proven that in absence of communication between the players, the rational choice in this game is to always "defect". In this case, it means buying cheap imported crap at Wal Mart. If you don't defect, most others continue to do so, and you just end up being a sucker.
  Complaining about individuals' choices is going to accomplish nothing, because they're all making the most rational individual decisions. The only way to change the situation is to include the external costs of cheap offshore production into the retail price, which alters the individual's most rational choice. The most obvious way to do that is slap a tariff on the goods.
8. Re:What did you expect? by Skuld-Chan · 2010-07-21 04:17 · Score: 4, Interesting
  
  That's a myth - the biggest reason companies outsource manufacturing to 3rd world countries is a greater return on profit. Instead of making 150 dollars per machine you might make 20 or 30.
  Good example of this - up until very recently Dell's corporate desktops (Optiplex line - in fact I'm typing this on a 745 that has a "Assembled in the USA" sticker on it) were made right here in the USA, and didn't cost all that much more than Vostro machines which are made in China. These are rock solid machines (haven't had to replace a single major component on any one of the 200 or so I'm responsible for).
  My brother used to work for an importer of Chinese goods (pens/no name tv's [I see them at fry's all the time]/toys) you wouldn't believe the markup some of these goods have. Pens that sell for a dollar for instance they were buying for as little as 5 cents. 5 cents - think about how far they traveled, and how much effort it takes to make a ballpoint pen than you can make 95 cents profit off of. A lot of these 5 cent pens were toys on the side as well (light up, or have an etch-a-sketch attachment on the end - stuff like that) that sold for 2-3 dollars.
To paraphrase Ghostbusters by MonsterTrimble · 2010-07-21 02:35 · Score: 5, Interesting

I have not studied computer science, firmware trojans nor antivirus. Could someone explain to me:
1) How do firmware trojans work?
2) Are they OS independent?
3) What information can they send and/or damage can they do to a system?

--
I call it 'The Aristocrats'
1. Re:To paraphrase Ghostbusters by bannable · 2010-07-21 02:57 · Score: 4, Insightful
  
  Why is this modded flamebait? It seems like a legitimate question for someone unfamiliar with why this is interesting.
  
  --
  "If you see a man on a horse, he is likely an enemy. Kill the man and eat the horse."
2. Re:To paraphrase Ghostbusters by snadrus · 2010-07-21 03:01 · Score: 5, Informative
  
  Think embedded keylogger that sends results somewhere online for starters.
  Although it could be as advanced as a router that's been taken over and allow full remote access to the intranet the PC has. That way all the complex theft software is external.
  And ofcourse it could monitor activity & brick the motherboard if someone was trying to detect it.
  
  --
  Science & open-source build trust from peer review. Learn systems you can trust.
Re:why spend millions when you can spend billions? by roman_mir · 2010-07-21 02:40 · Score: 5, Insightful

Ken Thompson would show you how you'd fail in this anyway. You'd THINK you flashed the chips, but there would be some other code somewhere in the chip that would contain a Trojan. Unless you are in the loop 100% of the time and nobody can inject any modifications into any manufacturing processes, you can't be certain that nothing at all was modified.

--
You can't handle the truth.
I like where this is going. by boneclinkz · 2010-07-21 03:00 · Score: 5, Funny

**This call may be monitored for quality assurance purposes.**

Customer: Hi, my computer won't POST.

Steve (Samir): Okay, sir, first we must try a few things. Is the machine currently plugged in?

**3 hours later**

Steve: Sir, the problem appears to be a faulty motherboard. Unfortunately your system is out of warranty. Luckily, while the system was operational, our integrated key-logger was able to pull your shipping address and credit card numbers. We have billed you for a replacement system and it should be there in 3-5 business days. Someone will need to sign for it, perhaps your oldest daughter. Justine is turning into a fine looking young-lady, by the way.
SW/HW Malware by Killer+Instinct · 2010-07-21 03:17 · Score: 5, Funny

Its not bad enough they ship with windows ?

--
#include bier;