Where there's smoke.... there's a burning chip!
The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication. On Tuesday, the media outlet behind the claims, Bloomberg, responded to growing criticism of its report by …
<A mystery wrapped in a riddle inside an enigma>
Is this a$$ covering by BB or is this outside confirmation?
"In response to the Bloomberg Businessweek story, the Norwegian National Security Authority said last week that it had been "aware of an issue" connected to Supermicro products since June. It couldn’t confirm the details of Bloomberg's reporting, a statement from the authority said, but it has recently been in dialogue with partners over the issue."
One special fried rice, one won ton soup
You want extra chips with that?
Semiconductors, doping, electrons, and holes
While one may argue that adding a small chip to a motherboard is feasible, that it would only need to inject some extra/modified code into the loaded kernel at boot, would need only a small amount of power at that point, would be passive/dormant the rest of the time, and that the actual spying would be done by the injected code in main memory, etc., what I could not understand from the start is how the gathered information (which may be very damaging indeed) would be sent stealthily to the mothership. Even less so, how it would be done from a data centre server that isn't even supposed to ever make outbound connections to the rest of the world.
Outbound traffic is routinely monitored, and a server trying to reach a machine outside of the organization will be detected fairly quickly by a serious player such as AMZN or AAPL. AAPL say as much in their letter to Congress.
I didn't see any statements anywhere that said, e.g., that any of the affected servers were involved in serving external requests. Even if they did, it would, IMHO, take too many miracles to arrange for useful and undetectable "steganography" in the responses. Besides, a machine serving external requests is not likely to have the information that would justify such a complex hack.
Supply chain malware is nothing new and has been seen in the wild and it is usually its activity - either lateral movement or "phoning home" or both - that gives the game away.
IMHO, this is the most glaring hole in the Bloomberg story.
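The "phoning home" argument above rests on egress monitoring: a fleet server that should never talk to the outside world makes any outbound connection to a non-approved destination stand out. As an added illustration that is not part of the original thread, the following example runs that check over a few constructed flow records (timestamp, source, destination, port, bytes) and also flags the second tell-tale, small connections repeating at a near-constant interval. The internal ranges (RFC 1918), the allow-listed update mirror at 203.0.113.10 (TEST-NET-3 space) and the log format are all assumptions made for the example.

```python
"""Egress anomaly check over constructed flow records.

Added example, not code from the original thread. Assumptions (not on the page):
- flow records look like the FLOWS lines below: "timestamp src dst dport bytes"
- RFC 1918 space is "inside"; everything else is "outside"
- ALLOWED_EGRESS is a hypothetical allow-list of permitted external destinations
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
# Hypothetical: the only external host the fleet is permitted to reach (an update mirror).
ALLOWED_EGRESS = {ip_address("203.0.113.10")}

# Constructed sample flow log: one server talks internally and to the mirror,
# another makes three small hourly connections to an unknown external address.
FLOWS = """\
2018-10-09T01:00:00 10.1.2.3 10.1.9.9 443 18200
2018-10-09T01:00:05 10.1.2.3 203.0.113.10 443 5120
2018-10-09T01:01:00 10.1.2.7 198.51.100.44 443 612
2018-10-09T02:01:00 10.1.2.7 198.51.100.44 443 598
2018-10-09T03:01:01 10.1.2.7 198.51.100.44 443 640
2018-10-09T03:30:00 10.1.2.8 192.168.5.5 22 9000
"""


def parse_flow(line):
    """Split one record into (timestamp, src, dst, dport, bytes)."""
    ts, src, dst, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport), int(nbytes)


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def unexpected_egress(text):
    """Return sorted (src, dst) pairs where an internal host reached an external
    address that is not on the allow-list. This is the basic egress check."""
    hits = set()
    for line in text.splitlines():
        _, src, dst, _, _ = parse_flow(line)
        if is_internal(src) and not is_internal(dst) and dst not in ALLOWED_EGRESS:
            hits.add((str(src), str(dst)))
    return sorted(hits)


def beacon_candidates(text, min_flows=3, jitter=0.1):
    """Return (src, dst) pairs whose external connections recur at a near-constant
    interval (every gap within `jitter` of the mean gap). Periodic low-volume
    traffic is the shape of a covert call-back rather than user-driven activity."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _, nbytes = parse_flow(line)
        if is_internal(src) and not is_internal(dst):
            by_pair[(str(src), str(dst))].append((ts, nbytes))
    out = []
    for pair, events in by_pair.items():
        if len(events) < min_flows:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter * mean:
            out.append(pair)
    return out


if __name__ == "__main__":
    print("unexpected egress:", unexpected_egress(FLOWS))
    print("beacon candidates:", beacon_candidates(FLOWS))
```

Both functions flag 10.1.2.7 talking to 198.51.100.44: once because the destination is not on the allow-list, and once because the three connections arrive an hour apart with only one second of drift. In a real deployment the allow-list would be per-role and the interval check would run over days, since a dormant implant may wait a long time between bursts, which is exactly why the two checks complement each other.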
Re: phoning home
Unwelcome data crossed from one LAN to another, allegedly "airgapped". Data transfer was not quite in real time, but not far off, and without "phoning home" being visible on the equipment (or LAN) which was leaky.
It did that by using a box that was physically or logically moved from the automation LAN to the office LAN, and back again. No "phoning home" visible.
Or am I misremembering?
Re: phoning home
It went via USB sticks which were a necessary evil in the Stuxnet case since the machines needed programming code to run, which Stuxnet covertly altered in the compiling phase.
Re: phoning home
The prime purpose of Stuxnet was not to phone home but to sabotage the industrial plant that it reached.
Re: phoning home
Some assumptions you made:
1. The chip, assuming it exists, is meant to exfiltrate data.
2. The chip, assuming it exists and is meant to exfiltrate data, would be doing so frequently, rather than sleeping most of the time and sending out bursts on some occasion.
Assuming that it did need to exfiltrate data, it could be doable on Amazon's network if it could be programmed to recognize an AWS image with specific characteristics. The data could be sent to that VM by the kernel, and stored there. From there, it could be encapsulated into traffic that is sent out as normal.
This wouldn't explain exfiltration from other systems, as Apple doesn't run others' VMs on their systems. However, it could be possible to send data in standard-looking packets if there wasn't that much. This is not an explanation, but it is feasible.
It doesn't make that much sense that the chip would have another purpose, although I suppose you could come up with one. It could be a remote destruction device that merely watches for a request, then takes the system down. That doesn't seem like a useful thing to do, but that could be the purpose. I'm sure we could think of lots of other things the chip might be doing if it exists, so let's not assume that exfiltration is the only task it might perform.
The main problem...
... is the glaring lack of scientific/technology understanding of the average journalist.
They are, for the most part, just arts graduates after all. How can they be expected to understand how stuff works?
Same applies in other areas. Motoring journalists come to mind too.
Re: The main problem...
I once applied for a science editor position at a weekly journal. Got nowhere, no interview, no nothing. Probably because I was a techie (now retired), not a journalist. I also have the honour of having been turned down by El Reg.
"Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign."
I bet on that one, without any proof to sustain my opinion, as I don't see any to sustain Bloomberg's one.
During this time, some people made a lot of money with this story and its consequences; it could be interesting to follow that trail.
The chips are probably available on AliExpress with a badly translated PDF datasheet :)
I also believe Bb was played like a fiddle.
For a moment, pretend that the story IS true. How do you think the US Government would play their hand?
I have seen devices that lie hidden and passively monitor. When the agency needs to reel it in, they just break in an operators home to plant a device capable of activating and receiving a burst transmission.
That device is then picked up later with no one the wiser.
The fact that so many western agencies were quick to deny the existence suggests that it might not be of eastern origin after all. Tin foil hats at the ready!
Conspiracies aside, pics or it didn’t happen.
Red pill or blue pill? There is no 'neither' option...
People seem to think this is a case of either "we are being spied upon by preposterously crafty chips" or "nothing really happened, move along", apparently forgetting that the latter option is off the table. Either the former case is true, or if it is not, then someone went to a lot of trouble setting up a large scale scam sufficiently elaborate to convince / fool a major news outlet - that in itself is very much major news if so. The option with zero actual credibility is "oh, Bloomberg just had a bad dream..."
Re: Red pill or blue pill? There is no 'neither' option...
> ... then someone went to a lot of trouble setting up a large scale scam sufficiently elaborate to convince / fool a major news outlet ...
It's the opposite, which makes it the real problem. The scam is nowhere near "sufficiently elaborate". So far, there's been nothing but empty (and quite silly) allegations. It's as if I'd report having found Excalibur, unfortunately not being able to show it to you for your own good. *pffft!*
I'll just leave this tidbit
Supermicro shares plunged 41 percent last Thursday... Sounds like a smear campaign
and this... fell as much as 27 percent on Tuesday after the latest story.
Even if the magic chips were real
You'd need magic switches, routers, firewalls etc to enable these magic chips to send the magic data over the network to get it to the evil overlords.
I know the US media seems to want to manufacture a cold war with China and paint them out to be evil overlords but someone needs to actually provide some evidence of how all of this was supposed to work otherwise I'm going to have to call BS on it all.
Now you know why engineers are engineers and journalists are just that.
One cannot put chips wherever one wants willy-nilly.
Where would one insert a chip, in parallel with the Ethernet chip, before or after? How does it control the network data flow?
Here is a clue, IT software can be messy and doesn't follow rules all that much and is left to the developer. Network protocols, on the other hand, are unforgiving. You change one bit, it stops working.
Actually, YOU CAN put chips willy nilly on a motherboard IF you de-solder them from their original locations and put a compromised version of them on the target / interception gear. I absolutely KNOW from multiple insider sources that the US (mostly the USA rather than Russia and China!) have had for MANY YEARS (since the Intel 8086/8088/80286 days of the 1980's) CUSTOM versions of common Northbridge/Southbridge chips (in those days it was separate DMA and Peripheral controllers), and now CPU chips, GPU chips, NIC chips, drive controllers (i.e. Promise, Mediatek) and various DSP and PIC's with extra circuit layers and circuit blocks they make at their own facilities (in Maryland mostly) that can in fact intercept, store, and re-direct data to external destinations without affecting system timings or causing extra signal jitter, etc.
Those custom chips are ordered in batches and when a particular computer system or part is intercepted, the new version is soldered in. Again, low bandwidth antennae can be embedded into the chips themselves which can export data using various near-field and medium-field communications links and storage mediums that are embedded into security-sensitive environments via common social engineering means. (i.e. usually by compromising either or both multiple knowing and unwitting personnel employed at any given security-sensitive site)
During President Ronald Reagan's era (1980 to 1988) chip-compromised Gravis soundcards and keyboards were embedded into various Soviet Union ministries that had illegally purchased western computer gear from grey and black market resellers. Acoustic sensors recorded short audio clips and keyboard input which were temporarily stored within hidden internal memory systems and picked up later by unwittingly compromised janitorial staff who had passive networked recording devices embedded into cleaning machines, gear and personal clothing.
External agents picked up the recorded data as employees went home after a shift. At the time, the GRU and KGB headquarters, various agricultural ministries, various cosmodromes and aircraft/spacecraft/ship/submarine production facilities were targeted. While the retrieved keyboard data and acoustic data was on the order of a mere few hundreds of kilobytes (or in some cases a 2 to 5 megabytes), the resulting ACTIONABLE intelligence gathered made the effort VERY worthwhile!
Defence Secretary Caspar Weinberger started this hardware modification program and they also modified common industrial control software that was ensured to be "stolen" by Soviet agents and installed in their own systems, which in 1987 caused one of the largest natural gas line explosions EVER when modified control software caused a Soviet gas distribution control system to become overly pressurized!
AND for the kicker...I think I even still have a film-based PHOTO of Caspar looking rather pleased with himself on the DAY AFTER the explosion strutting down the White House hallway to brief Ronnie on what happened! (the CIA/NRO detected an explosive event and "spy photos" were taken very shortly after -- Don't ask how I know that BUT I think I may still have those photos too!)
Let's just say that while I may have been very young at the time AND a foreign-ally citizen, I had lots of "insider technical skill, knowledge and MANY insider contacts" ........
Discredit Bloomberg Pres. Bid ?
Just read (on BBC News) that Michael Bloomberg has elected to become part of Democrats and may bid to become US President.
Could Bb have been seeded with a fake (mal-hw) story as part of campaign to discredit him (and his news org) early-on ?
Plame described most of her colleagues (back then) as being Fox (TV) lovers.
Well for anyone who cares, it is bullshit, the NSA should not be pissing off the average joe.
Supermicro is not involved and the story is made up.
It is true that it came from secret services but as a made up story from a depressed guy.
It was just a phone conversation to show how that guy was doing wrong and it became an international complete mess.
Like soylent green, NSA is made of normal people (even if they think they're 31337) and many of them are stooopid and keep snooping where they should not. It is really amazing what they can do but they lack common sense and fear themselves. The worst thing is that they think they're right when they are just crazy.
SMCI was targeted alone and its stock dropped more than 40% in one day. Has SEC been hibernating with paychecks being automatically and directly deposited?
It’s fake news. Bloomberg’s photos are also fake. The part they show is called a balun and no, it’s not even a semiconductor. Check here: https://www.digikey.com/product-detail/en/murata-electronics-north-america/LDB182G4520C-110/490-4747-1-ND/1531443 And technically speaking the BMC is allowing only one SPI flash on the bus, and if a hacker deactivates the existing one by cutting a PCB trace then this hack chip will be able to load the BMC Linux, but its size is too small for that amount of data, thus it will have to load the BMC Linux via the shared NIC, but then the server board will never boot the BMC without internet. That will be found out right away. Besides, the flash IC used is type MX25L25635F, which exists in both a 16 and 8 pin version. The Supermicro PCB of type B1DRi allows for both flash IC versions and this hack IC is, by Bloomberg’s photoshopped rendering, supposed to sit near the Vcc pin of the vacant space for the 8 pin flash option IC with component code UM8. Yes, that is indeed where it could make sense, but you would need long wires to connect all pins of this hack chip and it would be rather visible as the layout doesn’t condense all pins to near the Vcc soldering point. Bloomberg has totally failed in making the story technically credible, but perhaps the journalists don’t actually understand it deeply. Perhaps they got fooled by some fake news makers? Who gains from this fake news most, do you think?
When the US gov was installing malware into the bios of hard drives years ago - interrupting shipments after leaving warehouses - before they got to customers. So, is it possible? Yeah. Would China do this if they could? Hell yeah. Would the NSA? Likely has for years.
Bloomberg needs to submit more details, but the accusations are doable.
Wow. Complete turnaround in reporting, hey Reg ?
'Just as likely however is that Bloomberg's reporters made mistakes in their reporting and the organization failed to adequately fact check the article.'
The invisible hardware advantage
One reason for doubts is that it should be easier, more deniable or more flexible, or all of those, to introduce spy- or malware into soft- or firmware than to use a physical addition which can be discovered, potentially attributed and analysed.
That said, it is counterintuitively true that a hardware spy may be more effectively hidden than a software one. A software intruder cannot be permanently dormant and, without a hardware element, has to run somewhere on its host's substrate. Look hard enough and long enough and you'll find it, even while it isn't doing mischief. Its code has to execute somewhere.
A hardware intrusion, on the other hand, can run on its own substrate, completely invisible until and unless it gets a wakeup call, or a timer activates, or some other conditions are met. (It may, for example, passively observe traffic for days or weeks before deciding that its host is likely in production and working hard.) You might very well program the thing to sleep for the first n hours or days after power up, for example, sacrificing some data gathering time for undetectability.
It's also been argued that it would be more logical to build the nanobugs into existing chips ... but that is not necessarily so. Arguably, chips are where you'd look first, and their small size makes investigation relatively easy. Whereas, introducing a nanobug into the layers of a board—perhaps right underneath a ground zone or a heatsink, where x-rays will be fuddled—might make perfect sense. A mobo offers a lot more real estate than a chip for your visitor to hide in.
If it were not for the fact that the chubbier electrolytic caps tend not to be attached to data lines (for obvious reasons), I would have thought them an excellent hiding place, given their in-plain-view innocent appearance. Maybe investigators should look for electrolytics that are not doing their job, and, on a close inspection, squat in proximity to subterranean data lines? Not so difficult, if you're a board manufacturer, to slip a few extra whisper-thin leads from the bottom of a component into the third or fourth layer of a complex board, surely? Make them fine enough and you might not even notice them when you yanked the component. (Also, as standard non-tantalum electrolytics, you could self-destruct them without suspicion. The only component you'd expect to occasionally blow its own head off.)
I'd also point out that once the technology has been cracked—once you, Black Hat, have successfully built and tested a virtually nanoscale bug—you may well look for all sorts of hosts: why be confined to motherboards, when a tailored version could go inside an RJ45 plug? Why go to the trouble and expense of finagling them into a run of 10,000 servers when you could sneak them into routers, switches, sockets—heck, even into cable runs?
I cannot speak to the veracity and completeness of the story itself: but if it is not true, I'd have to ask— whyever not? Given their appalling track record, the Chinese absolutely would do this if they could. I for one am guessing they can.
PS: Putting nanobugs in phones has also been suggested. But why not put them into even smaller things, especially those which can become indirectly connected? Why not headphones and watches? Say, anything that can talk Bluetooth. Let Fred Contractor dutifully leave his phone in the Faraday cage at reception, and the earbuds in his pocket can do some light data harvesting while he wanders the building, only to phone home when they are connected for some Buns&Noses relaxation on the commute home through Maryland?
Re: The invisible hardware advantage
You are one of the FEW on here who actually RECOGNIZE just how far an intelligence agency (and criminal organizations!) will go to compromise data processing systems and IT infrastructure. Because of modern nano-scale engineering almost ANY device, peripheral and plug can be compromised.
USB cables, RJ-45 plugs, Wifi Antennae, keyboard, drives, memory chips, displays...ANYTHING that is big enough to have a circuit hidden in it and have parasitic power drawn from an external source is embeddable and can intercept, store, re-direct and exfiltrate actionable data and intelligence!
and there is LITERALLY NOTHING anyone can do about it!
Anyways...What's Happening? -- Uhhmmm I'm gonna have to ask you to move your desk again and I'm gonna get that red stapler off you....
*checks to see if there's a chip marked 'secret chinese spyware' on the mouse*
nope, all secure here.
Not sure it's Crapita. Try this instead.
"HUAWEI CYBER SECURITY EVALUATION CENTRE OVERSIGHT BOARD
ANNUAL REPORT" (extract below)
Find it in full at
As reported on this very fine organ here:
What could possibly go Bong?
"HUAWEI CYBER SECURITY EVALUATION CENTRE OVERSIGHT BOARD ANNUAL REPORT
Part I: Summary
1. This is the fourth annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board. HCSEC is a facility in Banbury, Oxfordshire, belonging to Huawei Technologies (UK) Co Ltd, whose parent company is a Chinese headquartered company which is now one of the world’s largest telecommunications providers.
2. HCSEC has been running for seven years. It opened in November 2010 under a set of arrangements between Huawei and HMG to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK’s critical national infrastructure. HCSEC provides security evaluation for a range of products used in the UK telecommunications market. Through HCSEC, the UK Government is provided with insight into Huawei’s UK’s strategies and product ranges. The UK’s National Cyber Security Centre (NCSC, and previously GCHQ), as the national technical authority for information assurance and the lead Government operational agency on cyber security, leads for the Government in dealing with HCSEC and with Huawei more generally on technical security matters.
3. The HCSEC Oversight Board, established in 2014, is chaired by Ciaran Martin, the Chief Executive Officer of the NCSC, and an executive member of GCHQ’s Board with responsibility for cyber security. The Oversight Board continues to include a senior executive from Huawei as Deputy Chair, as well as senior representatives from across Government and the UK telecommunications sector. The structure of the Oversight Board has not changed significantly, but membership has changed in the year 2017-18. Mainly, this is due to staff rotations in both HMG and Huawei positions.
4. The Oversight Board has now completed its fourth full year of work. In doing so it has covered a number of areas of HCSEC’s work over the course of the year. The full details of this work are set out in Parts II and III of this report.
".....Amazon’s security team conducted its own investigation into AWS’s Beijing facilities and found altered motherboards there as well, including more sophisticated designs than they’d previously encountered. In one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached, according to one person who saw pictures of the chips. That generation of chips was smaller than a sharpened pencil tip, the person says. ..."
This quote is Bloomberg quoted record of data from a semi-secretive source I am VERY WELL FAMILIAR WITH and who has access to high end hardware security toolsets.
Like I said earlier, modern CPUs and antennae can be made SO THIN I can even embed them into the in-between layers of a blank PCB!!!! AND I can have them draw power parasitically from almost ANY circuit line I desire at ultra low voltages and system current draws!
The USA has done thus much longer than China or Russia....BUT....I am inclined to say TODAY that the two most SOPHISTICATED countries for being able to manufacture and place ultra-small embedded circuits into common compute systems for spying purposes is China and Israel.
The USA lost its edge on the small ceramic capacitor-sized circuits about 5 years ago and is UNLIKELY to catch up to China or Israel without spending a few tens of billions on a catch-up innovation wave. I.e. extra DARPA funding!
On a technical basis, I can even make an ENTIRE LED/OLED display mask into a hidden circuit which has HUGE surface area for acting as a long-range antenna. The actual diodes themselves can be repurposed as switches and/or logic gates working IN-BETWEEN the refresh cycles of the display to form a slow but giant-size parallel processing system.
Maybe it is a longer operation and involves discrediting sources. If a normally trusted source is thought to have become unreliable, then it follows that 'false news' charges might be considered as valid. Open information is dangerous to those that have agendas, and it's not necessarily just the Chinese. If you shout it long enough and loud enough you will get believers, and the believers become a movement. The movement cries its suffering and needs protection from its attackers, and regulations are then promulgated to the deterrence of open, free speech. After all, the Bolsheviks were in the minority.