Slashdot Mirror


Bloomberg's Spy Chip Story Reveals the Murky World of National Security Reporting (techcrunch.com)

TechCrunch's security editor, Zack Whittaker, analyzes Bloomberg's recent report that China infiltrated Apple, Amazon and others via a tiny microchip inserted into servers at the data centers associated with these companies. With Apple and Amazon refuting Bloomberg's claims, Whittaker talks about the "murky world of national security reporting" and the difficulties of reporting stories of this magnitude with anonymous sources. An anonymous reader shares an excerpt from his report: Today's bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary or it's not, and a lot of people screwed up. Welcome to the murky world of national security reporting. I've covered cybersecurity and national security for about five years, most recently at CBS, where I reported exclusively on several stories -- including the U.S. government's covert efforts to force tech companies to hand over their source code in an effort to find vulnerabilities and conduct surveillance. And last year I revealed that the National Security Agency had its fifth data breach in as many years, and classified documents showed that a government data collection program was far wider than first thought and was collecting data on U.S. citizens. Even with this story, my gut is mixed.

Naturally, people are skeptical of this "spy chip" story. On one side you have Bloomberg's decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources -- some inside the government and out -- and presenting enough evidence to present a convincing case. On the other, the sources are anonymous -- likely because the information they shared wasn't theirs to share or it was classified, putting sources in risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say "a source familiar with the matter" because it weakens the story. It's the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves -- though transparently published in full by Bloomberg -- are not bulletproof in outright rejection of the story's claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance -- turning the story from an evidence-based report into a "he said, she said" situation. That puts the onus on the reader to judge Bloomberg's reporting. Reporters can publish the truth all they want, but ultimately it's down to the reader to believe it or not.
Whittaker ends by saying "Bloomberg's delivery could have been better," and that they "missed an opportunity to be more open and transparent in how it came to the conclusions that it did."

"Journalism isn't proprietary," Whittaker writes. "It should be open to as many people as possible. If you're not transparent in how you report things, you lose readers' trust. That's where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you -- and I -- have to put a lot of trust and faith in Bloomberg and its reporters."

3 of 67 comments

  1. Smell test by gtwrek · Score: 3, Interesting

    I like the analysis going on over here: https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/

    As a hardware designer, it's an interesting idea to think of attack vectors through "NO STUFF" parts of the BOM. Most PCBs have "NO STUFF" parts of some sort - either for legacy or prototyping reasons.

    The idea of some nefarious third party reverse engineering a "NO STUFF" and forming an attack vector with that is, well, news to me. I can easily understand a thing like this slipping through a QC check.

    It would certainly be a difficult attack to construct. But many of today's "software" attacks are quite complicated. Certainly not outside the scope of a state-entity IMHO.

    Interesting times in any event, and something to think about.

  2. Easy to exfiltrate data slowly. Nano differences by raymorris · Score: 4, Interesting

    It's fairly trivial to exfiltrate data *slowly* from a server.
    For example, TCP sequence numbers are supposed to be random, as are ephemeral ports. Nobody is expecting those to follow certain rules. Stick your data in the third bit of any of those random numbers and nobody will ever know. You can exfiltrate one bit per connection. On a busy server, that's like having a dial-up ssh connection with root access to the machine.

    You may have heard about the network-based Spectre variant that was recently released. Like all Spectre variants, it's based on detecting tiny changes in the average time something takes - the average response time to a network request, in that case.

    With server grade gigabit and ten gigabit Ethernet cards having TCP offload on board, an attacker with BMC access can manipulate the existing TCP traffic in ways that the machine's own kernel can't even see.

    You don't want to download gigabytes of data this way (unless you can hide it in thousands of gigabytes of legitimate traffic), but you only need 2048 bits to exfiltrate the private key that gives you everything.
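The one-bit-per-connection channel described in this comment leaves a statistical trace when the payload is not uniformly random: the chosen bit position stops being a fair coin across many connections. The following is an added example, not code from the comment or from Bloomberg's story; it runs a per-bit bias check over a constructed sample of 32-bit initial sequence numbers (the same check applies to 16-bit ephemeral ports with `width=16`), with `taint_bit` used only to build test data that mimics the naive encoding.

```python
import math
import random


def bit_bias(values, width, n_sigma=5.0):
    """Return {bit: z} for bit positions whose frequency of ones across the
    sample deviates from the 50% expected of a uniformly random field by more
    than n_sigma standard deviations (binomial normal approximation)."""
    n = len(values)
    sigma = math.sqrt(n * 0.25)          # std dev of a fair-coin count
    suspect = {}
    for bit in range(width):
        ones = sum((v >> bit) & 1 for v in values)
        z = (ones - n / 2) / sigma
        if abs(z) > n_sigma:
            suspect[bit] = round(z, 2)
    return suspect


def constructed_isns(n, seed=7):
    """Constructed stand-in for ISNs observed on one host: seeded random 32-bit values."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def taint_bit(values, bit, payload):
    """Test-data builder: overwrite one bit per value with successive payload
    bits (MSB first), the way the comment describes the channel."""
    out = []
    for i, v in enumerate(values):
        b = (payload[(i // 8) % len(payload)] >> (7 - i % 8)) & 1
        out.append((v & ~(1 << bit)) | (b << bit))
    return out


if __name__ == "__main__":
    clean = constructed_isns(4000)
    tainted = taint_bit(clean, 2, b"0123456789abcdef")  # hex text, 43.75% ones
    print("clean:  ", bit_bias(clean, 32))    # {} expected
    print("tainted:", bit_bias(tainted, 32))  # bit 2 flagged, z about -8
```

The check only catches payloads with structure (text, hex, base64); a bit carrying encrypted or otherwise uniformly random data is indistinguishable from a fair coin, which is exactly why the comment's point about a 2048-bit key is hard to refute with traffic statistics alone.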

  3. Doesn't pass a sniff test by Anonymous Coward · Score: 2, Interesting

    How exactly do you hide the wires? I get that the chip is supposed to be super small, but it must be wired in somehow. A chip to intercept gigabit ethernet and you're 8 wires in, 8 wires out, and power and ground, so we're looking at 18 unexplained traces on the circuit board. If it's sniffing the processor, we're looking at hundreds (128 bit data path/64 bit address etc.). Perhaps it's a USB chip, but then how does it get network access?

    How exactly do you hide the heat? This thing is supposedly running like a processor examining data, how the f*** does it dissipate the heat? Especially when it's 'between' layers on a circuit board as claimed in the original story.

    How would it be explained? If this is a US designed motherboard that's been sent off to China for manufacture, how would you explain these extra connections and extra chip to the designers? How would it pass QA? "Oh we added a signal conditioner" wouldn't pass the smell test for them. If it was a Chinese designed motherboard, why is it being imported by an In-Q-tel (CIA) funded company?

    If it was a Chinese designed motherboard, wouldn't the spy stuff be stuck into existing chips? e.g. some code in the Southbridge.

    How was knowledge of this kept secret? The story claims lots of big server companies knew about it, and yet it only leaks now and by Bloomberg? Really?

    Why aren't there a million photographs of supermicro motherboards with suspicious chips flagged, ten minutes after the article came out 2 days ago? I imagine if you owned a supermicro motherboard and read that, the first thing you'd do is photograph any suspicious chips and say "is this the spy chip?" on the internet.

    Why would it be a separate chip and not a module on a SOC chip? Or in microcode.

    The idea of the Chinese spying on servers sounds VERY plausible/likely, just not the way this article says they did.

    I can Occam's Razor an alternative explanation. China is in a trade war with the USA, the USA wants to demonize China to justify the trade war. Makes a false claim using a CIA funded company to a non-tech outlet that doesn't know the questions to ask.

    I reserve judgement till I see the actual chips myself. If it was iFixit doing X-ray scans and analysis of the chip my view would change....