Chinese military spy chips reportedly found in server motherboards used by Apple, Amazon, etc

GasBandit

GasBandit

Staff member
PatrThom

PatrThom

It's not impossible, but of course without actual evidence it's harder to make the assertion.
There are some who are wondering if this hasn't been conflated with cases of Supermicro boards coming with malware-infested firmware installed, rather than actual embedded spy hardware.
I've been waiting for someone to start the "How can we trust boards manufactured by our enemies?" train rolling, maybe this will be it.
...assuming this isn't just propaganda to get everyone all riled up over Chinese manufacturing, that is.

You know who's really going to suffer for this? Supermicro.

--Patrick
 
Gared

Gared

This isn't another smokescreen to cover up the announcement that there's yet another un-announced capability in Intel's Management Engine Enabled chips which can allow outside access to your CPU, is it? Because I haven't seen anything in mainstream media yet about "manufacturing mode," but it's starting to leak out that Apple shipped at least some of their laptops with MM enabled, and concerns that there's no way to disable it once the device makes it to the end-user.
 
PatrThom

PatrThom

Gared said:
This isn't another smokescreen to cover up the announcement that there's yet another un-announced capability in Intel's Management Engine Enabled chips which can allow outside access to your CPU, is it?
Click to expand...
No, the assertion is that actual spy ICs were substituted/added/embedded on boards during the actual manufacturing process, not after they left the factory (which suggests state-level involvement).
Gared said:
it's starting to leak out that Apple shipped at least some of their laptops with MM enabled, and concerns that there's no way to disable it once the device makes it to the end-user.
Click to expand...
Huh, didn't even know about this. Looks like it was one of the things patched in 10.13.5, though (released June 2018).

--Patrick
 
Gared

Gared

PatrThom said:
No, the assertion is that actual spy ICs were substituted/added/embedded on boards during the actual manufacturing process, not after they left the factory (which suggests state-level involvement).

--Patrick
Click to expand...
I know, I read Bloomberg fear piece - I was more talking about how whenever either Meltdown or Spectre was announced, immediately someone else struck back with "but what about these 6 vulnerabilities in AMD chips?"
 
PatrThom

PatrThom

Bloomberg: Unnamed US Telecom company also victim of hacked Supermicro motherboards
Bloomberg didn't name the company, citing a non-disclosure agreement between the unnamed telecom and the security firm it hired to scan its data centers. AT&T, Sprint and T-Mobile all told Ars they weren't the telecom mentioned in the Bloomberg post. Verizon and CenturyLink also denied finding backdoored Supermicro hardware in their datacenter
Click to expand...
(Quote source)

Bloomberg: “We can’t name which one it is and we’re the only ones talking about this but trust us, it’s real.”

...did someone at Bloomberg short Supermicro stock hard, or what?

—Patrick
 
Last edited:
PatrThom

PatrThom

Gared

Gared

PatrThom said:
Some of the Internet's heaviest hitters have gone on record:

Amazon, Apple call for retraction of Bloomberg motherboard hacking story
Patrick Kennedy (of ServeTheHome.com) EXHAUSTIVELY demonstrates how implausible their claims are
Mike Masnick (of TechDirt.com) adds his two cents to Patrick's "detailed and thorough debunking" of the story

At this point, it's more likely the headline should read "Servers at Bloomberg.com infiltrated, hackers planted several fake stories," sheesh.

--Patrick
Click to expand...
And this is why I remain highly sceptical whenever claims like this come out. Every time it's debunked, and (almost) every time it (seems to?) come(s) down to someone wanting to manipulate someone else' stock price.
 
PatrThom

PatrThom

Supermicro’s CEO, CCO, and CPO release letter (and video!) detailing the results of their 2-month long, 3rd-party validated audit. Spoiler alert! They found no evidence of tampered product, no evidence that anyone had tried to tamper with the product, and no reports from any customers comfirming the existence of any tampered product installed in the wild. Their stock value is still down 23% from what it was the day before the story broke, but that’s still better than the 41% it lost the day the article was released.

Now I guess the question is whether the SEC goes after Bloomberg for manipulation, Supermicro sues Bloomberg for damages due to defamation/libel, or...both?

—Patrick
 
PatrThom

PatrThom

Six months later, Bloomberg still isn't backing down on their claim(s), but neither has the tech industry in their denial.
One thing's pretty clear, though...everyone who can afford to has begun the process of moving their manufacturing plants out of China because building your stuff in China is now considered a security hazard.
...which, given our current relationship with China, makes me wonder if this might really have been the angle all along: sow this kind of FUD and cause everyone to pull out of China as a result.

--Patrick
 
PatrThom

PatrThom

PatrThom said:
One thing's pretty clear, though...everyone who can afford to has begun the process of moving their manufacturing plants out of China because building your stuff in China is now considered a security hazard.
Click to expand...
Update #1: Bloomberg still isn't backing down. Security researchers have done experiments just to see if such a thing is possible (spoiler alert: It's definitely possible), but there still have been no instances of compromised motherboards found in the wild.

Update #2 - Not about the chips, but about building in China being considered a security hazard: Beginning Jan 1, 2020, all WFOEs will lose that exception and will be treated exactly the same as domestic (Chinese) companies. This means China is about to get super nosy:
China’s Ministry of Security [will be able] to fully access the massive amounts of raw data transmitted across [all] Chinese networks and housed on servers in China. [...] It will cover every district, every ministry, every business and other institution, basically covering the whole society. It will also cover all targets that need [cybersecurity] protection, including all networks, information systems, cloud platforms, the internet of things, control systems, big data and mobile internet. [...] No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government. [...] [all] email and data transfer will be required to use Chinese operated communication systems that are fully open to the China’s Cybersecurity Bureau. All data servers that make any use of Chinese based communications networks will also be required to be open to the Cybersecurity Bureau’s surveillance and monitoring system.
Click to expand...
(excerpted from "China’s New Cybersecurity Program: NO Place to Hide," a China law blog by law firm Harris|Bricken)

I considered posting this in the Net Neutrality thread, but felt it belonged here, instead. Who needs to plant spy chips on motherboards when every means of communication is required to have a government backdoor? I mean, they're even installing government officials within private companies, fer cryin' out loud.

So whenever Barr starts making noise about how "all encryption needs backdoors," think of how that's probably going to work out for China.

--Patrick
 
You must log in or register to reply here.
Top