Obviously the big piece of news this week was the reported hardware hack of Supermicro servers, as published by Bloomberg Businessweek.
The piece is an impressive bit of reporting, but rather lengthy as well. I thought we’d pull out some of the more interesting bits here.
Describing Servers to a Mass Audience is Kind of Hilarious
…the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small.
I realize that, as someone who works in IT, this description of a server is not aimed at me. But this bit of sophistry seems straight out of an early 90s article trying to describe the Internet.
This Investigation Isn’t New
During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines.
It’s kind of shocking to hear that this practice has been known since 2015, and this is the first we’re hearing of it. Perhaps even more surprising, the government had knowledge back in 2014 that this type of scheme was being planned. Given that context, the US government’s hostility to allowing Huawei to operate anywhere nearby looks a lot more reasonable. The fact that the investigation is still open may make some of the reactions to the report a little more interesting.
Everyone’s Giving HARD Denials
Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.
In a world of “no comment at this time” statements for these kinds of hacks, these reactions are unequivocal and honestly kind of surprising. Obviously these publicly traded companies have a financial interest in not being seen as insecure. But they also have a duty to shareholders to disclose it if true, and to not misrepresent anything currently under investigation. To deny any hardware vulnerabilities and any FBI investigation makes me think this goes beyond a gag order. This becomes more interesting in that Bloomberg is an extremely cautious publication, and wouldn’t go to press with something this explosive unless they were certain of the report’s validity.
The Piece is Well Written
Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not.
Technical Details Are Light
The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow.
Talking about this story in the Gestalt IT offices, one of the things that stood out was how light the report was on technical details of how these chips were creating backdoors. Obviously Bloomberg isn’t putting together a technical treatise, but the phrasing is vague enough that it leaves things open to interpretation. The report indicates that the chips were affecting the OS as it went from temporary memory to the CPU. But I’ve seen a healthy degree of skepticism that chips as small as those described would be capable of something like that. This isn’t to say Bloomberg didn’t vet the security claims completely, or that it makes the report suspect. Rather, it’s a product of being aimed at a business, rather than a technical, audience.
Subcontractors Seem To Be the Source
[T]hey traced the malicious chips to four subcontracting factories that had been building Supermicro motherboards for at least two years.
When I first heard about this story, my first thought was how deep this espionage had to go if they were working within Supermicro directly. As the report details, what actually seems to have occurred is that Chinese spies focused on subcontractor factories for Supermicro in mainland China. Bribes and regulatory threats spurred plant managers to add the chips. But this still required some incredible technical proficiency to plan and design the chips in the first place.
In some ways, this reminds me of the Snowden leaks from a few years ago. The report in itself is shocking in its scale. But more troubling are the implications down the road. Amazon and Apple aren’t even admitting that they’ve been impacted by this. As more companies with compromised servers trickle out, how will they respond in turn? Did this audacious hack actually leak critical information, or has it not been exploited yet? The report speculates that no personal information was compromised from customers, but will that change?
This is definitely shaping up to be the widest reaching IT news story of 2018.