China Infiltrated Apple, Amazon and Other US Companies Using Spy Chips on Servers, According To Bloomberg; Apple, and Amazon, Among Others Refute the Report (bloomberg.com)
Data center equipment run by Amazon Web Services and Apple was subject to surveillance from the Chinese government via a tiny microchip inserted during the equipment manufacturing process, Bloomberg BusinessWeek reported Thursday, citing 17 people at Apple, Amazon, and U.S. government security officials, among others. The compromised chips in question came from a server company called Supermicro that assembled machines used in the centers, the report added. The scrutiny of these chips, which were used for gathering intellectual property and trade secrets from American companies, has also been the subject of an ongoing top secret U.S. government investigation, which started in 2015, the news outlet reported. Amazon, which runs AWS, Apple, and Supermicro have disputed summaries of Bloomberg BusinessWeek's reporting.
The report states that Amazon became aware of Supermicro's tiny microchip nested on the server motherboards of Elemental Technologies, a Portland, Oregon-based company, as part of due diligence ahead of acquiring the company in 2015. Amazon acquired Elemental as it prepared to use its technologies for what is now known as Prime Video, its video streaming service. The report adds that Amazon informed the FBI of its findings.
From the report: One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world's most valuable company, Apple. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons. [...] [Update: Some counterpoint: According to an earlier report by The Information, security concerns were indeed a reason why Apple and Supermicro parted ways.] A U.S. official says the government's probe is still examining whether spies were planted inside Supermicro or other American companies to aid the attack.
Some background on Supermicro, courtesy of Bloomberg: Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards -- its core product -- are nearly all manufactured by contractors in China. The company's pitch to customers hinges on unmatched customization, made possible by hundreds of full-time engineers and a catalog encompassing more than 600 designs.
Further reading: Amazon Offloaded Its Chinese Server Business Because it Was Compromised, Report Says.
Apple and other companies have responded. It would seem Bloomberg has done little to provide any evidence over the past year, while these companies have investigated and found nothing of substance to the claims. Apple's response in particular is strongly worded and makes it clear that they find these claims to be baseless. https://www.bloomberg.com/news...
China.
Great news, it was both. Many, many different incidents to choose from. Many different products.
If you read the article instead of looking at the pictures, you'd know.
But I'll be kind to the handicapped today.
The device interacted with the BMC, which has lowest-level access to everything. The device would use the BMC to inject code into memory, allowing remote exploits, and phone home.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
If you read the article it says the chip was tied to the BMC, aka the IPMI implementation.
So in short, if the machine is on the internet, it's susceptible to having a backdoor through its own IPMI subsystem. Most legitimate data centers already knew about weaknesses in IPMI and put all the IPMI ports behind a VPN. I can't say the same for those who put bare servers on the internet.
I'd like to know when this started though, because if it's as true as it sounds (nothing in the article really suggests anything far fetched) then ALL data centers need to be scrubbed. That means large gains for Dell and HP, but at the same time, THEY also make their boards in China as well, so we may in fact find the same kind of tampering on their server boards.
So take the story with a bit of salt, because if this is really as bad as it sounds, then affected networks should see the spurious traffic on their firewalls (you are running a firewall to your corporate network right?)
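An added example, not part of any comment in this thread: the comments above suggest keeping IPMI on an isolated network and watching firewalls for spurious traffic. One way to run that check over firewall logs, assuming a hypothetical management subnet, destination allowlist and key=value log format (all constructed for illustration):

```python
import ipaddress
from collections import defaultdict

# Assumptions (constructed): BMC/IPMI NICs sit in a dedicated management
# subnet, and these internal services are the only expected destinations.
BMC_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DSTS = {
    ipaddress.ip_address("10.0.0.5"),  # internal NTP
    ipaddress.ip_address("10.0.0.9"),  # internal syslog
}

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
ts=2018-10-04T09:00:01Z action=allow src=10.20.0.11 dst=10.0.0.5 dport=123 proto=udp
ts=2018-10-04T09:00:07Z action=allow src=10.30.4.2 dst=198.51.100.7 dport=443 proto=tcp
ts=2018-10-04T09:01:12Z action=deny src=10.20.0.14 dst=203.0.113.50 dport=443 proto=tcp
ts=2018-10-04T09:01:40Z action=allow src=10.20.0.14 dst=203.0.113.50 dport=443 proto=tcp
ts=2018-10-04T09:02:03Z action=allow src=10.20.0.11 dst=10.0.0.9 dport=514 proto=udp
malformed line without fields
"""

def parse_line(line):
    """Return the key=value fields of a log line, or None if required keys are missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"src", "dst", "dport", "action"} <= fields.keys():
        return None
    return fields

def unexpected_bmc_egress(log_text):
    """Map each BMC source IP to the (dst, dport, action) flows outside the allowlist.

    Denied flows are kept too: a blocked attempt from a BMC is still a signal.
    """
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
            dport = int(rec["dport"])
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if src in BMC_NET and dst not in ALLOWED_DSTS:
            findings[str(src)].add((str(dst), dport, rec["action"]))
    return dict(findings)

if __name__ == "__main__":
    for src, flows in unexpected_bmc_egress(SAMPLE_LOG).items():
        print(src, sorted(flows))
```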
This is only a small part of the issues I have about the report. What is the chip monitoring or able to monitor? How is it programmed?
It's not impossible to envisage something that, say, could monitor Ethernet for a string and use that to program itself, but something that can both see an incoming Ethernet packet and see what the CPU is doing is harder to conceptualize.
I know this is Slashdot but... did you read the article? Supposedly this chip was put on the BMC lines that allow it to modify basically anything going to the CPU. They could have even tweaked the firmware on the board through the BMC. The chip does nothing but detect the loading of the OS and insert instructions that it downloads off of a known host. There was no data exfiltrated as far as anyone can tell. It was just lying dormant or used as a vector to penetrate other areas of the network. They were able to identify the 30 companies affected by monitoring traffic and/or hacking the C&C server used. But it was not detected because, as far as they can tell, the compromised systems themselves were never used to exfiltrate data.
Not to electronics sold inside the US. And, since that's where I buy my electronics, that's what I care about.
Also, you know, I'd rather the US have my data than the Chinese. I'd prefer neither, but between the two, definitely the US.
Your ad here. Ask me how!
Can't even do that - the first thing you do when the iPhone turns on is agree to a clickwrap license where you give up your right to sue and agree to binding arbitration with an arbiter of Apple's choosing. This same agreement also lets Apple remotely brick your phone with no recourse.
The Chinese _executed_ quite a few people responsible for that. Say what you will, heads literally rolled. I know you're just here to stir shit up, so you don't care, however.
The Chinese manufacturer had replaced glycerine with propylene glycol to save money. Lots of children died.
I'm no toxicologist but I think you must mean "Diethylene glycol" not "Propylene Glycol"... if you look up the latter on Wikipedia in the human safety section [1] it states:
The acute oral toxicity of propylene glycol (E1520) is very low, and large quantities are required to cause perceptible health damage in humans
Whereas Diethylene glycol (which is in the paper you reference at the very start of the toxicological analysis section) and the Wikipedia article [2] suggests it has high toxicity (albeit only empirically due to involvement in mass poisonings.):
Despite the discovery of DEG’s toxicity in 1937 and its involvement in mass poisonings around the world, the information available regarding human toxicity is limited. Some authors suggest the minimum toxic dose is estimated at 0.14 mg/kg of body weight and the lethal dose is between 1.0 and 1.63 g/kg of body weight...
[1] https://en.wikipedia.org/wiki/...
[2] https://en.wikipedia.org/wiki/...
Anyway it's nasty stuff... however it should be noted that most of these types of events on the Asian continent are more due to lack of strict regulation on food and medicine than malice. Fake medicine is a real problem over there due to the distribution channels, people buy stuff in shops with no way to know how authentic it is... and we all know how good the Chinese are at making rip-offs, unfortunately when you swap out expensive components of a medicine without really knowing what you are doing the difference is death rather than a short-lived knock-off.