Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Evidence of Hacked Supermicro Hardware Found in US Telecom: Bloomberg (bloomberg.com)

Posted by msmash on from the doubling-down dept.

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., Bloomberg reported Tuesday. From the report: The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China's intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015. Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum's nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server's Ethernet connector, a component that's used to attach network cables to the computer, Appleboum said.

10 of 191 comments (clear)

  1. Bloomberg! Bloomberg! Bloomberg! by The+Original+CDR · · Score: 5, Interesting

    Has any other news media outfit independently verified the Bloomberg claims?

    1. Re: Bloomberg! Bloomberg! Bloomberg! by Anonymous Coward · · Score: 4, Interesting

      but I also wouldn't put it past Bloomberg to publish rumors for page hits.

      The Supermicro story is turning out to be a hoax.

      The only person actually named in the original Bloomberg story about the Supermicro servers was a "hardware expert" named Joe Fitzpatrick. As it turns out, he' s not all that much of an expert, and he has now done an interview where he says that he doubts the accuracy of the story:

      https://risky.biz/RB517_featur...

      He was communicating with one of the authors of the Bloomberg story for a couple of months before the story was published. Then, the story came out and things that he had described as being hypothetically possible were in the story, but presented as facts that they had gotten from various anonymous sources

      For example, the Bloomberg guy said to him "One of my sources said the chip might be a signal coupler. What does that look like?" So Joe Fitzpatrick sent him a link to a picture from a catalog. And, lo and behold, when the story was published it contained that exact picture, presented as "proof" of the chip that was implanted on the Supermicro motherboards.

    2. Re:Bloomberg! Bloomberg! Bloomberg! by rudy_wayne · · Score: 5, Interesting

      The authors of this most recent story were also the author of the original Supermicro story. They also wrote other pieces over the last couple of years were they have made lots of spectacular claims, with little or no evidence, and, there has never been any follow-up on the stories.

    3. Re: Bloomberg! Bloomberg! Bloomberg! by MachineShedFred · · Score: 5, Interesting

      If there were supposedly thousands of these things sold to various customers all over the place, how is it that nobody kept one for forensic analysis?

      How is there not one live example if all these networks and servers were compromised?

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    4. Re:Bloomberg! Bloomberg! Bloomberg! by infolation · · Score: 4, Interesting

      First the authors shorted supermicro stock ahead of the original claims, then they used the profits from that short to pull an even bigger leveraged short of supermicro stock ahead of the second batch of claims.

      I have no evidence of this but... if you were writing those stories, why wouldn't you?

      2018/10/04 US:SMCI $21.47 --> $8.55
      2018/10/09 US:SMCI $15.55 --> $10.80

    5. Re:Bloomberg! Bloomberg! Bloomberg! by barc0001 · · Score: 4, Interesting

      > how they could siphon off gigabytes of data and ship it to China, presumably over network connections and through firewalls,
      That's the interesting thing to me as well. If your network and firewalls are properly designed, it shouldn't matter if your servers have a rogue little chip wanting to call home - your network should shitcan any attempt regardless.

  2. Where? by 110010001000 · · Score: 5, Interesting

    Where is the evidence? They keep saying they have it. Why don't they show it?

    1. Re:Where? by Aighearach · · Score: 4, Interesting

      Investigative reporting doesn't work that way in most cases. There are a lot of unknowns. Right now, they enhance their own research by not giving out too many details, and letting the companies involved say stupid things that might be refutable by that evidence.

      Evidence is good. Don't decide if it is actually true or not until you get it. But that doesn't imply that when you first hear about the issue, the evidence will be published, or that it is tactically wise to lead with the evidence instead of the accusation.

      If we get to the end of the story and Bloomberg says "that's all we have," that's when you can weigh the evidence they presented. If they haven't presented the evidence yet, then before you start to worry about that, you should simply check if the process has reached the end, of if the evidence is still waiting to be released. If it is still waiting to be released, there is nothing suspicious at all about the fact that you have not been given a personal viewing.

  3. Re:Plenty of evendince of this is real by mujadaddy · · Score: 4, Interesting

    Correct: Bloomberg's reporting is lagging real events, but Apple & Amazon haven't come up with a better explanation of why they switched hardware at that time.

    --
    Populus vult decipi, ergo decipiatur...
    "Force shits upon Reason's back." - Poor Richard's Almanac
  4. Might not be just Supermicro by caffeinejolt · · Score: 5, Interesting
    The article states:

    The executive said he has seen similar manipulations of different vendors' computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim -- so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That's the problem with the Chinese supply chain,” he said.

    According to the original article - the alleged Chinese culprit chip exploited via the BMC. Aspeed is the company that makes 99% of the BMC controllers in Supermicro boards. If China really did go through the trouble to develop a chip to exploit via Aspeed controllers.... why limit themselves to Supermicro? I know at least Tyan and Lenovo also use Aspeed. From China's intelligence perspective, they would want a solution that could work across multiple board vendors.

    According to latest:

    Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. "The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," he said.

    Really wish they would give us more to go on than just that. Not sure about other Slashdotters, but I have Tyan/Supermicro/Insert-Taiwanese-Motherboard-Manufacturer boards in production, and would really appreciate more information on what to look for.