Slashdot Mirror


New Evidence of Hacked Supermicro Hardware Found in US Telecom: Bloomberg (bloomberg.com)

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., Bloomberg reported Tuesday. From the report: The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China's intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015. Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum's nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server's Ethernet connector, a component that's used to attach network cables to the computer, Appleboum said.

9 of 191 comments

  1. Bloomberg! Bloomberg! Bloomberg! by The+Original+CDR · · Score: 5, Interesting

    Has any other news media outfit independently verified the Bloomberg claims?

    1. Re:Bloomberg! Bloomberg! Bloomberg! by rudy_wayne · · Score: 5, Interesting

      The authors of this most recent story were also the authors of the original Supermicro story. They also wrote other pieces over the last couple of years where they have made lots of spectacular claims, with little or no evidence, and there has never been any follow-up on the stories.

    2. Re:Bloomberg! Bloomberg! Bloomberg! by Sarten-X · · Score: 5, Insightful

      The public deserves the truth.

      Security is complicated. On the one hand, perfect security is impossible. Your servers can be hacked, your data can be stolen, and your users can be phished.

      However, there is another perspective that I think is equally important, if not more so: It's not hopeless. The attackers are not omnipotent. They have 9-5 schedules, bureaucracies, budgets, and deadlines. If your system is protected well enough that your attackers' budget runs out, it will stay safe. From that perspective, security is just a matter of economics. Your security is bought by spending a little money and effort to drastically increase the effort the attackers need to spend.

      An attacker embedding a custom chip in server hardware, then processing thousands of phone-home results is expensive for them, and unlikely to get a result. However, replacing your whole data center to use non-Supermicro servers is also expensive. Frankly, the whole thing probably isn't worth anybody's time.

      Breaking into an internet-facing server with a default password is easy. There are lots of routers and firewalls out there with default credentials or hidden backdoor accounts. Exploiting one of those is ridiculously cheap for an attacker, and gets them far better results.

      The notion of "the attacker is almighty" doesn't help improve overall security, because it silences discussion about how to actually improve security posture. Instead, we should set aside hardware concerns for now, and ask "What's the easiest way we can be attacked, and how can we fix it?", then make the fix, and repeat until your own budget runs out.

      My skepticism is not about doubting China's ability. I'm sure China (or any nation or well-funded individual) could get hardware inserted into servers. What I'm skeptical of is whether China (or any nation or well-funded individual) would even bother with the expense and risk when they could send a phishing campaign instead.

      --
      You do not have a moral or legal right to do absolutely anything you want.

    3. Re:Bloomberg! Bloomberg! Bloomberg! by MachineShedFred · · Score: 5, Interesting

      If there were supposedly thousands of these things sold to various customers all over the place, how is it that nobody kept one for forensic analysis?

      How is there not one live example if all these networks and servers were compromised?

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.

    4. Re:Bloomberg! Bloomberg! Bloomberg! by Aighearach · · Score: 5, Insightful

      Does anybody think the Chinese government deserves the benefit of the doubt?

      Does Bloomberg?

      Yes. Bloomberg is a center-right media outlet, and almost all of their profitable business is related to selling financial information to professionals. They make an industry-leading software product called Bloomberg Terminal that they use to disseminate this information.

      I wouldn't trust them on political reporting, because they tend to give the perspective of a center-right business executive. But on general news that doesn't relate to their industry, they are nothing if not mainstream. They don't go for bombastic tabloid nonsense, it would tarnish their brand. Getting page views isn't the purpose of their public news service; enhancing their brand is the purpose.

      Therefore, I would give Bloomberg the benefit of the doubt that they believe this information to be true, and to be of great import to purchasing and IT managers, in addition to investors and financial services providers. This is big enough that the insurance community is probably taking a lot of interest, too. They would never intentionally publish a false report that purported to be of great interest to the industries where they make their bread-and-butter; it would be all downside for them.

      https://www.bloomberg.com/comp...
      Don't worry about the PR there, just look at the bottom of the page under "Products" and "Industry Products" and you can understand why they are a trusted source on this; they'd lose a lot by being wrong. And they have a lot to lose.

  2. Where? by 110010001000 · · Score: 5, Interesting

    Where is the evidence? They keep saying they have it. Why don't they show it?

  3. Plenty of evidence of this is real by supercell · · Score: 5, Informative

    I had SMCI stock in 2017 and sold it after reports that Apple dropped them when they found serious security issues with their servers.
    Now Apple and others claim they have no idea what Bloomberg is talking about. Clearly something was installed on Supermicro servers to cause Apple and others to stop using them.

    Report from early 2017
    https://www.marketwatch.com/st...

  4. Might not be just Supermicro by caffeinejolt · · Score: 5, Interesting

    The article states:

    The executive said he has seen similar manipulations of different vendors' computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim -- so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That's the problem with the Chinese supply chain,” he said.

    According to the original article, the alleged Chinese culprit chip exploited via the BMC. Aspeed is the company that makes 99% of the BMC controllers in Supermicro boards. If China really did go through the trouble to develop a chip to exploit via Aspeed controllers... why limit themselves to Supermicro? I know at least Tyan and Lenovo also use Aspeed. From China's intelligence perspective, they would want a solution that could work across multiple board vendors.

    According to the latest:

    Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. "The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," he said.

    Really wish they would give us more to go on than just that. Not sure about other Slashdotters, but I have Tyan/Supermicro/Insert-Taiwanese-Motherboard-Manufacturer boards in production, and would really appreciate more information on what to look for.

  5. Completely incredible... by rthille · · Score: 5, Informative

    "Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones."

    Take a look at a Google image search for "motherboard" and see if you can find an RJ-45 socket that doesn't have a metal shield around it for RF blocking.

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/