Chinese Super Micro 'spy chip' story gets even more strange as everyone doubles down

Why are ICs always in large packages, how is this dot powered?

It is easy to create an IC smaller than the point of a pencil.

1. Problem #1 is that you need to connect it to power and ground and data buses -- which is why ICs are put into large packages, and why there are circuit board traces leading to them.

2. The dot had neither a windmill nor a solar panel nor a connection to a powerbus, so how is it supposedly powered? Itsy bitsy tiny little nuclear reactor?

And how does it connect to data paths? Psychokinetics?

Simple physics proves that the story has huge errors in its vague technical descriptions and photos.

And with the technical details like power and data connections left out, Bloomberg's story has less than zero credibility.

+++ That said, I do not doubt for a minute that the USA, UK, China, and probably Russia ALL engage in this sort of hardware hacking on a regular basis against key non-governmental targets. +++

(Doubtlessly this sort of spying occurs between governments, but with government targets it is expected. Hopefully no educated person is so arrogant, imperialistic and immoral* that they think their government should be exempted from other governments doing to it what it does to others.

* Accepting others doing to you what you do to others is part of the Lord's Prayer -- the "trespassing part". People living in countries that are truly and sincerely Christian do not claim exceptionalism.

To claim exceptionalism while claiming to be Christian is to lie to yourself and your god.)

A Matter of Trust

You either believe the Bigfoot testimony or you don't.

Proof apparently is under non-disclosure.

Market Moving Bonus - Incentives and how they Fail.

Bloomberg has a Market Moving Bonus incentive.

Mic Drop.

A small die-bonded chip on a motherboard is feasible. When attached to the BMC, either on the SMBus or SPI-connected program flash, it could modify just enough to accept very simple remote commands. It would be fragile and take lots of network traffic, but it could work.

Saying that such an attack is technically feasible is far different than saying that it occurred, or occurred that way. It's a complicated approach that would involve subverting the board fabrication company at multiple points. It would be far simpler to just modify the BMC firmware directly.

I think that someone was spinning a yarn, and the reporters fell for it.

we need real hard proof, not opinions

ok, the spy-chip is plausible, but does it exist?

I no longer want to see a good photo + details about what the chip actually does, no there is too much pushing from all sides, that only hard evidence can convince a techie.

Show us the motherboards! 30 companies and the US government has these spy-chips, so show at least 3 motherboards and make them available for an independent party to verify the claims about the spy-chip.

Glomar Explorer; Gulf of Tonkin; UFOs and SR71 & F117 test flights; ...

"Faced with such uncertainty, some are reaching for a unifying explanation: that Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign."

Yes, obviously it is easier for Five Eyes intelligence agencies to thoroughly hack and backdoor stuff totally designed and built within either Five Eyes nations or vassal states. And that is important because you can't infiltrate something by gluing a tiny piece of silicon on it.

Here in Canada we've constantly got the USA trying to tell us to exclude Huawaii from government and private company contracts.

But shouldn't Bloomberg have asked someone at MIT, Stanford, Intel or AMD whether this could function? That a piece of silicon glued to the surface of a circuit board and not connected to conductors could do anything useful?

Bloomberg might well have been duped by the US government, US government's (like probably all national governments) has a long history* of dubbing their press, but an outfit like Bloomberg should have caught it.

* And in the case of the USA, a long officially admitted history. Other countries, especially those on the "other side" don't usually admit things 30 years later.

Denials

So far AT&T, Verizon, Sprint and TMobile have denied being the "major telecommunications company" in question. Who does that leave, Centurylink?

NSM is on record

Perhaps the journalists could contact NSM who is on record of having stated they knew Supermicro was compromised?

Site: https://nsm.stat.no/english/

It could just as easily have been a grain of rice from someone's lunch that glued itself to a board.

Remember when quite a few senior govt types in the US were concerned that the different colour centre in Canadian 2 dollar coins were microphones being used to spy on their secret meetings? http://rabble.ca/babble/national-news/your-pocket-change-spying-you

China, Russia, Iran and North Korea are bad. It's not that hard to figure out. I should also add that the dual pentium boards from Supermicro (P3TDEi) were such a sack of shit I sometimes wish China had hacked them. Then at least I would have had an excuse for the failure rate.

Tom Clancy covered this in Threat Vector

https://en.m.wikipedia.org/wiki/Threat_Vector

It’s a while since I read it but the book describes how careful some buyers are in procuring kit, shipping to false addresses in the hope that kit won’t be adulterated etc.

I do agree there are easier ways of infiltrating systems by doctoring firmware instead of commissioning chips to be embeddd in a place that can be xrayed.

If it’s possible to determine the presence of the doctored systems by network traffic analysis then Bloomberg should tell us what to look for so we can check our systems and see if we have any.

I suspect it’s yet another case of check/blame the network as so few people understand how networks work. Put another better next gen firewall in perhaps? That’ll stop those Chinese hackers!!! <—- Sarcasm as without knowing what to look for we don’t know what to block.

Of course there's hidden spyware in electronics

It's well known that some electronic kit has hidden spyware included. As Snowden revealed, it is put there by the NSA.

I believe bloomberg myself

Though I am obviously biased I suppose as I have had a small fear about this exact kind of thing since Lenovo bought IBM's Thinkpad line.

Fortunately I don't have anything of value that the Chinese would want. After being a die hard Thinkpad fan for many years when Lenovo bought them I swore off of them for 11 years - I used Toshiba in between. I am on Thinkpad again after I guess I accepted whatever could happen to Lenovo Thinkpad is just as likely to happen to Toshiba (that and Toshiba didn't have the hardware I was looking for at the time).

I've read conflicting comments on whether or not this kind of thing is possible, and to me based on history of other sorts of surveillance activities from other countries I absolutely have to be on the side of the fact that is probable this happened given the resources of a country like China. I'm just as likely to believe something similar could happen in the U.S. as well with NSA/CIA whomever. I also totally believe that the intelligence community is pissed off at the report for revealing that they knew what China was doing. They'd rather keep that secret so they can continue monitoring and quietly contain it.

I'm just hoping some day to see another Snowden-style leak of internal documents that say yes this did in fact happen, and those paranoid folks were right all along. Sort of reminds me of the early days of the reveals about the taps that the NSA had at AT&T facilities. As a AT&T data center customer at the time I joked with their staff about it, but really didn't surprise me, I continued as their customer until I moved to another job.

Some folks say why didn't more places encounter this well the answer seems obvious they targeted the attacks to lessen the likelihood of it being detected, like any good APT.

Certainly sucks for Supermicro right now though I'd suspect the vast vast majority(99.99%) of their customers have nothing to worry about(as they are not juicy targets). I run (1) supermicro server myself in a colocation in the bay area. I was thinking about getting a new one as that one is 7 years old. This report does nothing to sway my opinion either way.

However I wouldn't be caught dead running supermicro in mission critical production (again, this report has absolutely nothing to do with that either, just based off of ~18 years off and on of using their hardware). I do realize of course some 3rd party appliances I have may very well have supermicro hardware on the inside, but at least those are managed by the vendor as in I don't have to worry about diagnosing strange hardware faults or asking fortune tellers what changes are in the latest firmware, and don't have to worry about resetting all configurations to defaults when flashing said firmware(and the obvious negative implications from doing so from a remote location -- my critical servers are 2,400 miles away from my home)

To me at the end of the day this is hopefully a good thing in that it would raise awareness. I think it's totally possible for similar things to happen to other manufacturers as well even the big guys like HP and Dell. The trend of racing towards the bottom on pricing really puts pressure on the abilities for companies to be willing to be extra vigilant.

It seems to me that...

...if these compromised machines are so prevalent then Bloomberg's sources should be able to at least display one of them or show a photo taken at the time of discovery to substantiate the claims of added chips. There should also be some data logs to show unauthorized outbound data traffic.