Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Communications Security United States

New Evidence of Hacked Supermicro Hardware Found in US Telecom: Bloomberg (bloomberg.com) 191

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., Bloomberg reported Tuesday. From the report: The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China's intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015. Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum's nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server's Ethernet connector, a component that's used to attach network cables to the computer, Appleboum said.
This discussion has been archived. No new comments can be posted.

New Evidence of Hacked Supermicro Hardware Found in US Telecom: Bloomberg

Comments Filter:
  • by The Original CDR ( 5453236 ) on Tuesday October 09, 2018 @12:34PM (#57451658)
    Has any other news media outfit independently verified the Bloomberg claims?
    • by Sarten-X ( 1102295 ) on Tuesday October 09, 2018 @12:41PM (#57451700) Homepage

      Nope, nor have enough details been released that somebody could even start. There's speculation, but Bloomberg hasn't published anything that would let someone verify it on their own.

      • by rudy_wayne ( 414635 ) on Tuesday October 09, 2018 @01:12PM (#57451870)

        The authors of this most recent story were also the author of the original Supermicro story. They also wrote other pieces over the last couple of years were they have made lots of spectacular claims, with little or no evidence, and, there has never been any follow-up on the stories.

        • by infolation ( 840436 ) on Tuesday October 09, 2018 @01:32PM (#57451988)
          First the authors shorted supermicro stock ahead of the original claims, then they used the profits from that short to pull an even bigger leveraged short of supermicro stock ahead of the second batch of claims.

          I have no evidence of this but... if you were writing those stories, why wouldn't you?

          2018/10/04 US:SMCI $21.47 --> $8.55
          2018/10/09 US:SMCI $15.55 --> $10.80
          • by SirSlud ( 67381 )

            I have no evidence of this but... if you were writing those stories, why wouldn't you?

            I suspect one wouldn't because it would be a massive financial risk by one who doesn't have massive amounts of money to lose (aka some journalists)

            • by jythie ( 914043 )
              Yeah, in general the people who have the resources to make a real profit from such a move probably do not work in journalism in the first place.
    • by SB5407 ( 4372273 )
      No, but there is prior evidence of tampering of Supermicro property: https://www.macrumors.com/2017... [macrumors.com]
  • Where? (Score:5, Interesting)

    by 110010001000 ( 697113 ) on Tuesday October 09, 2018 @12:40PM (#57451694) Homepage Journal
    Where is the evidence? They keep saying they have it. Why don't they show it?
    • Re:Where? (Score:5, Interesting)

      by Aighearach ( 97333 ) on Tuesday October 09, 2018 @01:46PM (#57452058)

      Investigative reporting doesn't work that way in most cases. There are a lot of unknowns. Right now, they enhance their own research by not giving out too many details, and letting the companies involved say stupid things that might be refutable by that evidence.

      Evidence is good. Don't decide if it is actually true or not until you get it. But that doesn't imply that when you first hear about the issue, the evidence will be published, or that it is tactically wise to lead with the evidence instead of the accusation.

      If we get to the end of the story and Bloomberg says "that's all we have," that's when you can weigh the evidence they presented. If they haven't presented the evidence yet, then before you start to worry about that, you should simply check if the process has reached the end, of if the evidence is still waiting to be released. If it is still waiting to be released, there is nothing suspicious at all about the fact that you have not been given a personal viewing.

      • > Right now, they enhance their own research by not giving out too many details,

        Sure, but how hard would it be for them to put out a piece of proof like saying "we found this chip (pictured at right) on several motherboards of the following model that appear in Supermicro chassis x, y, z and bb." And then anyone who owns one of those can just *go look for themselves* to see if the chip is there too.

        Put up or shut up...

      • Don't decide if it is actually true or not until you get it.

        The only thing is that what Bloomberg is stating in the first story and to a much lesser degree in this current one are things that are tantamount to massive tectonic accusations. In fact, I'm really under selling it here. These claims are bigger than the second coming. So yeah, you're damn tooting I'm hyper skeptical of this story.

        If we get to the end of the story and Bloomberg says "that's all we have,"

        No, I think you aren't understanding the gravity of these claims. If we get to the end and Bloomberg has nothing, they need to be sued into a molten crater of nothing. That

    • Where is the evidence? They keep saying they have it. Why don't they show it?

      Is somebody stopping you from buying one of their products: https://www.supermicro.com/pro... [supermicro.com] ...and looking for these backdoors yourself?

  • by supercell ( 1148577 ) on Tuesday October 09, 2018 @12:43PM (#57451710)
    I had SMCI stock in 2017 and sold it after reports that Apple dropped them when they found serious security issues with their servers.
    Now Apple and others claim they have no idea what Bloomberg is talking about. Clearly something was installed on Supermicro servers to cause Apple and others to stop using them.

    Report from early 2017
    https://www.marketwatch.com/st... [marketwatch.com]

    • by mujadaddy ( 1238164 ) on Tuesday October 09, 2018 @12:48PM (#57451746)
      Correct: Bloomberg's reporting is lagging real events, but Apple & Amazon haven't come up with a better explanation of why they switched hardware at that time.
      • And yet, they do offer an explanation they claim is not only better, but true! That it was only a software issue. They said that in response to the first Bloomberg story. So now Bloomberg is doubling-down on that part.

        • Re: (Score:2, Interesting)

          by mujadaddy ( 1238164 )

          ...it was only a software issue...

          Sorry, jack: there's not any claim by Amazon or Apple that there even WAS an issue. Try again.

    • by Anonymous Coward

      The problem is that Apple (Google, etc.) is stuck between contenders who are State actors, two of which (the US and China) can make life very difficult for any company who decides to call them out. So they play a game of mitigating risk whenever itâ(TM)s found without actually calling out the State actor for nefarious activity. Instead, they cut ties with the corporate entity that is left holding the bag. In this case, itâ(TM)s SuperMicro who let their Chinese operations become overrun by the Chin

    • Here's how I see this so far: If it's all true, then Apple and anyone else would be nuts to just blab about it all to the media right away, because if it is true then it means not only a gigantic percentage of the Internet in general is compromised, it also means that critical infrastructure is compromised, as well as government and the military, and not just here in the U.S., but in every 1st-world country, and anywhere else in the world, too. There'd be a panic, and rightly so, because it would mean someo
    • by afidel ( 530433 )

      It was a hacked driver file on their public FTP server which was downloaded to a single Apple lab machine. All the details are out there. That wasn't the reason that Apple dropped them, it was purely price. When you order your servers by the container ship it's cheaper and more efficient to go to the ODM and have them build to your specifications thus cutting out the middle man and features that your use case doesn't require (like LOM cards, when you have a redundant array of inexpensive datacenters you don

    • by Anubis IV ( 1279820 ) on Tuesday October 09, 2018 @06:03PM (#57453360)

      I had SMCI stock in 2017 and sold it after reports that Apple dropped them when they found serious security issues with their servers.

      Going by that, the timeline would be that these companies discovered malicious hardware in 2015, kept thousands of those servers in service for two or more years, and only then decommissioned them. Does that make any sense at all?

      Instead, if you read their initial responses to what Bloomberg published [bloomberg.com], they actually say more than that "they have no idea what Bloomberg is talking about". For instance, Apple provides an alternative explanation for Bloomberg's confusion:

      [...] Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.

      Apple dropped SuperMicro shortly after that incident, making it a much more likely cause for the falling out. Likewise, Amazon cites firmware issues with SuperMicro boards in their response, though you'll note that they were still using SuperMicro boards in 2018:

      Additionally, in June 2018, researchers made public reports of vulnerabilities in SuperMicro firmware. As part of our standard operating procedure, we notified affected customers promptly, and recommended they upgrade the firmware in their appliances.

      All of which is to say, nothing about Bloomberg's story makes any sense. The timeline makes no sense, none of the alleged victims has anything to gain by lying, one of their only named sources has come out saying he doubts the story [risky.biz], literally every company or agency allegedly involved has said it's untrue, and Apple has even gone so far as to formally inform Congress that inasmuch as the story pertains to them it's untrue, while additionally affirming via press releases that they are not under a gag order or anything else of the sort.

      Someone's credibility is going to take a nosedive after the dust settles from this, and I expect that it will be Bloomberg's.

  • by Anonymous Coward

    Can they a least release the damn documents.
    If they don't want to compromise the company just obfuscate the names with a fucking marker.
    o better yet where this devices are for god sake.

  • by guruevi ( 827432 ) on Tuesday October 09, 2018 @12:52PM (#57451764)

    Also from that era that they say. I haven't seen anything anomalous. The fact is that some of their IPMI stuff is vulnerable and they're not updating the firmware (eg. old versions of Dropbear SSH), so if you leave it on the Internet, it may get compromised.

    On the other hand, I also don't leave that stuff on a routable VLAN. If it tries to connect to anything (and I haven't seen it reach out), I'd notice and it wouldn't work anyway. Sure the IPMI has some hooks into the rest of the hardware so it is potentially capable of doing 'weird stuff' to my Linux or Windows kernels (although it'd have to be pretty smart to intercept keyboard authentication, wait for someone to be away from the keyboard, automatically replay credentials, then load a workable kernel module to do that) and have the OS compromised do the dirty work, but then again, I haven't seen anything there either and we've used various integrity and antivirus systems from TripWire, Sophos and Cylance that probably would've noticed.

    • by ole_timer ( 4293573 ) on Tuesday October 09, 2018 @01:25PM (#57451942)
      you have no ip worth stealing...why would they go after you?
      • ...in their first article on the subject: [theregister.co.uk]

        A third thing to consider is this: if true, a lot of effort went into this surveillance operation. It's not the sort of thing that would be added to any Super Micro server shipping to any old company – it would be highly targeted to minimize its discovery. If you've bought Super Micro kit, it's very unlikely it has a spy chip in it, we reckon, if the report is correct. Other than Apple and Amazon, the other 30 or so organizations that used allegedly compromise

    • Uhm, if somebody put a hardware backdoor in one of the chips on the board, and as far as you know hasn't activated it, why would you expect to see anything "anomalous?"

      That you consider that to be information with value really discredits your analysis as a whole.

      And you're simply wrong that it needs to "reach out" in a detectable way to be a problem. In fact that's the difference between a hardware backdoor and a software one! The software one has to go through whatever networking you have set up. The hardw

  • by Anonymous Coward

    The US government is going to bury this at all costs, either because it doesn't want egg on its face, or because it is complicit in this hacking. Perhaps these devices were installed at the behest of the NSA and the Chinese simply redesigned them to also send info to the Chinese government.

    Not implausible, if you ask me.

    • Re: (Score:2, Insightful)

      >The US government is going to bury this at all costs

      The US government would love a culture of suspicion of foreign built hardware to develop.

      That's one plausible source of the story.

      • >The US government is going to bury this at all costs

        The US government would love a culture of suspicion of foreign built hardware to develop.

        That's one plausible source of the story.

        Too bad for the Trump admin then that there is already a culture of severe suspicion of domestically made US hardware after the NSA bugging revelations. Now that it seems everybody is spiking computer hardware with spy chips I suppose we can always follow the example of the Russians and their intelligence services, they keep all their most sensitive data on paper and replicate it only with typewriters.

    • Perhaps these devices were installed at the behest of the NSA and the Chinese simply redesigned them to also send info to the Chinese government.

      Because when I want to implement my super-secret and highly illegal surveillance program, I turn to a hostile government to implement it. :eyeroll:

    • by AHuxley ( 892839 )
      The US government would not get caught on the "internet" and allow its collect it all to be discovered.
      Sending the information back over the internet is not without risks. Use a person to collect data.
      Transmit the data out over a short distance not using the "internet"

      Smart and skilled people notice extra data moving to strange places along their networks out to the internet.
  • by caffeinejolt ( 584827 ) on Tuesday October 09, 2018 @01:02PM (#57451814)
    The article states:

    The executive said he has seen similar manipulations of different vendors' computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim -- so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That's the problem with the Chinese supply chain,” he said.

    According to the original article - the alleged Chinese culprit chip exploited via the BMC. Aspeed is the company that makes 99% of the BMC controllers in Supermicro boards. If China really did go through the trouble to develop a chip to exploit via Aspeed controllers.... why limit themselves to Supermicro? I know at least Tyan and Lenovo also use Aspeed. From China's intelligence perspective, they would want a solution that could work across multiple board vendors.

    According to latest:

    Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. "The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," he said.

    Really wish they would give us more to go on than just that. Not sure about other Slashdotters, but I have Tyan/Supermicro/Insert-Taiwanese-Motherboard-Manufacturer boards in production, and would really appreciate more information on what to look for.

    • phone homes with encrypted data - but covert channels are notoriously hard to find.
    • >Really wish they would give us more to go on than just that. Not sure about other Slashdotters, but I have Tyan/Supermicro/Insert-Taiwanese-Motherboard-Manufacturer boards in production, and would really appreciate more information on what to look for.

      It doesn't add up.

      Why would you put your trojan chip in the ethernet connector? It's away from the signals you want to get to - serial and/or usb wires to get at UEFI. Trying to cram and ethernet stack, phy and the drivers into a tiny package to get at a m

      • It's also inconsistent with the first story.

        Because it's a different set of hardware supply hacks.

        • It's also inconsistent with the first story.

          Because it's a different set of hardware supply hacks.

          Yes. And a less technically logical one. Could you fit a 10G transceiver, phy, mac and stack inside the connector? Why would you? Consider equivalence to plugging your trojan into the back panel - you could pick the ethernet, or the USB. The USB gives you keyboard access and a low effort way to subvert the machine before it's provisioned.

          • Granting all the following: the public doesn't have any information on this; this second story is much less 'frightening' than the first.
      • Why would you put your trojan chip in the ethernet connector? It's away from the signals you want to get to - serial and/or usb wires to get at UEFI

        Option 1: There's no requirement that there be no connection from this chip to another part of the computer. If you're planting rogue hardware in one thing there's little reason to believe you can't plant rogue hardware elsewhere.

        Option 2: PXE boot attack.

        Option 3: Their desired attack vector only uses this additional chip, the chip itself isn't the attack vector. After all, where do you get that BIOS image? Or the firmware on the rest of the motherboard's chips? Or perhaps you need the server to receiv

      • by iCEBaLM ( 34905 )

        Why would you put your trojan chip in the ethernet connector?

        Because that's generally where the aspeed BMC is, which has access to everything. The BMC has a dedicated/shared ethernet port for remote management.

        • I'm talking about the electronics.

          An ethernet port has a MAC, PHY, transceiver and connector. The connector, transceiver and MAC+PHY are usually separate chips because of the different silicon needs for analog signalling and digital processing. The claim is that they stuffed all this into the connector. Maybe, but this is all to get at a config interface that you typically can get to through serial or usb wires that are comparatively trivial to latch onto.

          All they had to do was show us the electronics so we

  • #gifs (Score:2, Funny)

    by Anonymous Coward

    Pics or it didn't happen.

  • This is an interesting story and all, but a targeted attack on a single machine using interception doesn't really make it likely there was compromise of Supermicro's supply chain at the factory level.

    We know NSA intercepts Cisco routers, but that doesn't prove Cisco intentionally backdoors their machines for them in the factory.

    • a targeted attack on a single machine using interception doesn't really make it likely there was compromise of Supermicro's supply chain at the factory level.

      The "single machine", according to the story, had a false ethernet port manufactured into it. What is your more likely explanation?

      Interestingly, though, the named source for this article is an ex-spook for Israel. We are definitely in Hardball territory with this one, kids.

      • Interception and a soldering iron.

        • "The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," he said.

          Now, he may be wrong, but your partial version of events is not what the article's partial version of events is.

      • From TFA:

        The goal of hardware implants is to establish a covert staging area within sensitive networks, and that's what Appleboum and his team concluded in this case. They decided it represented a serious security breach, along with multiple rogue electronics also detected on the network, and alerted the client's security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio's team was not able to perform further analysis on the chip.

        "... multipl

    • by ffkom ( 3519199 )

      We know NSA intercepts Cisco routers, but that doesn't prove Cisco intentionally backdoors their machines for them in the factory.

      Given that recently every month or so a new back door was found in Cisco's products, one could say we know for sure they are at least unintentionally backdoor their machines.

    • by bongey ( 974911 )

      Problem in China there is no such thing as privately owned and the government can do what ever it wants at anytime. Crap China kidnapped , I mean 'arrested' the head of Interpol without telling anyone. Interpol had to beg China to finally say he was arrested two weeks ago when he came home. https://www.cnn.com/2018/10/09... [cnn.com]

  • by rthille ( 8526 ) <web-slashdotNO@SPAMrangat.org> on Tuesday October 09, 2018 @02:55PM (#57452530) Homepage Journal

    "Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones."

    Take a look at a google image search for "motherboard" and see if you can find an RJ-45 socket that doesn't have a metal shield around it for RF blocking.

    • by tsqr ( 808554 )

      "Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones."

      Take a look at a google image search for "motherboard" and see if you can find an RJ-45 socket that doesn't have a metal shield around it for RF blocking.

      OMG! They've all been hacked!! Run for your lives!!!

  • Will anyone admit to being compromised by such a thing, if the story turns out to be true.
    The impact on stock prices alone will probably keep companies from disclosing anything if they have any say so in the matter.

    If you live in the US, you can't really be outraged about what China is doing when we have the NSA intercepting Cisco* hardware and tampering with it before shipping it on to the end customer. ( *Cisco is the only one we know about, who knows what else they have their hands in )

    This is something

  • .... you don't say no. if you recall i think it was "Kingsmen", samuel jackson saying, "y'know, the chinese secret service is so secret it doesn't even have a name?" that's because it's operated along isolated cell network lines. *not even the chinese government* can contact those independent cell networks! the only way to "contact" them is for the chinese government - just like everyone else - to make a bit of a fuss, publish a press release and hope like hell that the relevant cell happens to be readin

  • by sxpert ( 139117 ) on Wednesday October 10, 2018 @12:35AM (#57454466)

    implant in ethernet connector point to NSA's ANT catalog,
    either "COTTONMOUTHIII" https://nsa.gov1.info/dni/nsa-... [gov1.info]
    or "FIREWALK" https://nsa.gov1.info/dni/nsa-... [gov1.info]

  • It looks as if someone is attempting to raise anti-china sentiment, with the goal of getting USA manufacturing back in shape... surely it couldn't be the US governement (haha)...

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...