Chinese Super Micro 'spy chip' story gets even more strange as everyone doubles down

The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication. On Tuesday, the media outlet behind the claims, Bloomberg, responded to growing criticism of its report by …

  1. Neil Barnes Silver badge
    WTF?

    How can I put this?

    Pictures... or it didn't happen.

    1. Doctor Syntax Silver badge

      Re: How can I put this?

      Pictures at the very least. Let's see someone other than the protagonists being able to examine an actual board.

    2. StargateSg7

      Re: How can I put this?

      NOW for the REST of you...I would be VERY VERY AFRAID..ALL of the U.S., Russian and Chinese intelligence services HAVE PUT extra mask layers in common controller chips and network chips during the lithographic/manufacturing process which CAN re-process incoming signals and use data-oriented steganography to hide extra data in normal UDP and TCP/IP V4 and V6 packets in their headers or in KNOWN data content types such as JPEG, BMP, TIFF, GIF, TEXT, XLS, WORD, XML/HTML etc which are searched and re-assembled outside of YOUR networks.

      Once a microchip lithographic process is compromised via an extra layer or three, only about 2 or 3 people in the chip manufacturing company would be actually in-the-know (and who are probably bribed, threatened OR are actual foreign agents!).

      The ONLY WAY to know is to SHAVE LAYER BY LAYER common NIC (Network Interface Chips), SSD and Hard Disk Controller Chips, GPUs, CPUs, Memory ICs, Northbridge/Southbridge, ARM and Baseband Modem chips and other common chips to see if an EXTRA LAYER or an EXTRA transistor BLOCK has been added to the final chip design for desktops, servers, smartphones, Xbox/PS, and IoT appliances, Televisions, Computer Monitors and more.

      It's so bad in terms of modern spyworks, that EVEN a normal chip design can be compromised by merely adding in temperature-sensitive transistor blocks within a materials and CMOS doping specification that is intercepted and substituted by a spy agency during transit from a design firm to the chip factory which will eventually short out to a NEW intentionally designed/hidden CPU pathway when certain instructions are executed to overheat a chip in specific places, which then deteriorate and then eventually short out to NEW circuit paths which can then execute NEW system-compromising instructions !!!

      YES! IT CAN BE DONE and HAS.....BEEN DONE !!!!

      1. Anonymous Coward

        Re: How can I put this?

        @StargateSg7

        Thanks for brightening up my day with laughter.

        You should do stand-up with hilarious material like that!

      2. Spazturtle Silver badge

        Re: How can I put this?

        "The ONLY WAY to know is to SHAVE LAYER BY LAYER common NIC (Network Interface Chips), SSD and Hard Disk Controller Chips, GPUs, CPUs, Memory ICs, Northbridge/Southbridge, ARM and Baseband Modem chips and other common chips to see if an EXTRA LAYER or an EXTRA transistor BLOCK has been added to the final chip design for desktops, servers, smartphones, Xbox/PS, and IoT appliances, Televisions, Computer Monitors and more."

        This is routinely done, chip companies want to make sure the foundry has made the chip exactly as designed.

        1. Anonymous Coward

          Re: How can I put this?

          "This is routinely done, chip companies want to make sure the foundry has made the chip exactly as designed."

          No it isn't. And no they don't.

          That kind of expensive analysis would only be carried out if there was an unsolvable chip failure or a yield issue.

          1. imanidiot Silver badge

            Re: How can I put this?

            @AC, as someone who works in the industry, it is sort of done. Not shaving layer by layer but examining wafers after each layer is processed. It's not routine per se but it IS done regularly for lots of chips. Especially in the run-up phase. Once it's been verified all reticles do what they should and overlay, LER and CD are in spec this process is phased out and it's only repeated every few tens of thousands of wafers. At the startup of a process it's a good way to verify everything works as it should.

            Once a process has been spun up in this way it's VERY hard to make reticle changes without anyone noticing, because changing a reticle has significant impact in its characteristics and can lead to requiring changes in exposure mode, beamshape, focussing, etc, etc. All of which would again be verified by checking the layers after exposure and/or processing (A lot of this is even done automatically by inline inspection systems, which would also have to be taught on the new, changed design or it would flag an error on every single chip, and someone WOULD then look at the pictures and see something was awry)

            Semicon fabbing is NOT trivial and involves a LOT of people and a lot of equipment, all of which would have to somehow not notice someone has altered a chip design without their knowledge.

            1. Anonymous Coward

              Re: How can I put this?

              >Not shaving layer by layer but examining wafers after each layer is processed.

              Agreed. By a fab. For manufacturing/process/yield analysis.

              Not by the "Chip Company" to "make sure the foundry has made the chip exactly as designed."

              1. imanidiot Silver badge

                Re: How can I put this?

                @AC, NO, not just by the fab. The analysis is very often done either by or in very close cooperation with the fab customers' (chip companies') engineers. And plenty of semicon manufacturers run their own fabs. Even in the case of a foundry running the fab for fab-less clients, the distinction between where the "Chip Company" ends and the fab/foundry begins in this regard is a bit of a grey area in practice. Checking layer geometry to "make sure the foundry has made the chip exactly as designed." IS a rather standard test afaik.

      3. Anonymous Coward

        Re: How can I put this?

        You have a lot of shaving to do.

        Please film while shaving.

      4. Version 1.0 Silver badge

        Re: How can I put this?

        @ StargateSg7

        A lot of downvotes - does El Reg have a significant Asian readership these days?

        I suspect one reason for all the denials that this is possible is that another agency has been doing this for a long time.

        1. GruntyMcPugh Silver badge

          Re: How can I put this?

          @Version 1.0: "I suspect one reason for all the denials that this is possible is that another agency has been doing this for a long time."

          It's telling that the supposed source from the security company 'Sepio' used to work for Israeli intelligence, because a mate of mine who designs networks for the UK govt, MoD etc, once told me they weren't allowed to source any network components from Israel, because of fears about back doors.

          1. Anonymous Coward

            Re: How can I put this?

            I do like a good rumour. A certain major FW vendor of Israeli origin allegedly fell afoul of the US military a couple of decades back. Allegedly as I don't have a primary source.

            https://blog.vectra.ai/blog/exploiting-the-firewall-beach-head-history-backdoors-critical-infrastructure

        2. Version 1.0 Silver badge

          Re: How can I put this?

          A lot of downvotes - does El Reg have a significant Asian readership these days?

          Thanks, I'll take those downvotes as a "YES" then ...

      5. Frank Bitterlich
        Facepalm

        Re: How can I put this?

        Where do I get some of what you are smoking?

        BTW, it's even worse. I hear that they have now compromised the tinfoil-making industry. They added secret circuits to every roll of household-grade tinfoil so that when you make a hat out of it, it actually amplifies your brain waves so that they can more easily read them. Plus, they added TLS encryption.

      6. John Brown (no body) Silver badge
        Devil

        Re: How can I put this?

        @StargateSg7

        Are you BombasticsBobs evil twin?

        1. wallaby

          Re: How can I put this?

          "@StargateSg7

          Are you BombasticsBobs evil twin?"

          that's.... BombasticBob isn't it ? The evil part is the one who WRITES IN CAPS every few words

      7. MOH

        Re: How can I put this?

        I think someone might have installed spyware in your Shift key?

      8. packetguy

        Re: How can I put this?

        Stargatesg7, What you posit is silly beyond belief. Any chip fab engineer would immediately detect extra litho layers in a device long before final production, and such a contaminated chip would have thermal and electrical characteristics immediately calling attention to the subterfuge. No shaving required. Only someone with no micro semi knowledge would say this.

    3. TheRealRoland
      Happy

      Re: How can I put this?

      You must be new here. Playmobil or it didn't happen.

    4. streaky
      Megaphone

      Re: How can I put this?

      Came here to say exactly this. I want to see photos or.. yeah, it didn't happen. This story has got wildly out of control and all we're getting is hearsay. If I don't start seeing evidence very soon it's time to start declaring this fake news and move on.

    5. Tom 64
      Pint

      Re: How can I put this?

      There is a lot of Supermicro kit out there. Unless these attacks were very well targeted (which doesn't seem likely), someone will be able to get hold of some of these spy chips or doctored ethernet controllers and put them under a microscope soon enough.

      1. Stoneshop

        Re: How can I put this?

        Unless these attacks were very well targeted (which doesn't seem likely),

        There's a lot of kit, not just by SuperMicro, that's built/customised for particular customers. Such a customisation will not normally end up elsewhere. And given that those boards will be manufactured in dedicated production runs, it's relatively easy to target only those.

    6. phuzz Silver badge
      Stop

      Re: How can I put this?

      Given that these implants were supposed to be exfiltrating data, PCAPs or it didn't happen.

  2. Anonymous Coward

    China has repeatedly demonstrated significant skill in industrial espionage. I don't doubt they have the means to pull this off, and it's the kind of novel hack that could go undetected for years and yield an incredible amount of information.

    I am curious if the resistance to the notion of China pulling off this caper is due to academic skepticism (rare enough these days, and refreshing when exercised), or is instead a reflexive reaction, based upon little more than opposition to the American president's well publicized, ham-fisted opprobrium toward the Chinese government.

    1. Anonymous Coward

      Equally it could be planting disinformation for future leverage. Potentially against another target, but the blame for some subsequent event could then be attributed to this.

    2. JohnFen

      "I am curious if the resistance to the notion of China pulling off this caper is due to academic skepticism"

      I don't really see resistance to the notion that China is doing this, specifically. I see resistance to the notion that it's being done at all (and that resistance is founded on solid technical and logical analysis, not politics). Until that's established, the "who" question is a bit premature.

    3. Anonymous Coward

      China yes. What other country has the design and fabrication capability and the largest external spying organisation in the world, and I don't mean Russia?

      1. eldakka

        China yes. What other country has the design and fabrication capability and the largest external spying organisation in the world, and I don't mean Russia?

        The Federated States of Micronesia? You gotta watch those Micronesians!

        1. Julz

          @ eldakka

          Elbonians?

          1. John Brown (no body) Silver badge

            "Elbonians?"

            Nah, they don't know their Arseonions from their....

    4. WatAWorld

      "China has repeatedly demonstrated significant skill in industrial espionage. I don't doubt they have the means to pull this off, "

      They've demonstrated zero technical skill in creating electronic devices capable of high speed data manipulation without a power source and without connection.

      Obviously any technologically advanced country can produce a tiny IC and place it on a circuit board. But just sitting there not connected to anything accomplishes nothing.

      The USA has even greater expertise and more practical experience, but they couldn't make a piece of unconnected silicon sitting on a non-conductive area of a PC board hack a system.

      1. bombastic bob Silver badge
        Meh

        "they couldn't make a piece of unconnected silicon sitting on a non-conductive area of a PC board hack a system."

        that's not what's being alleged here. the allegation is that the circuit board was modified in such a way to support having some kind of 'spy chip' in the data stream. That means adding power, ground, signal lines, whatever else it might need, exposing pads where the chip gets mounted, and then having some means of installing it there so that it's not very visible, yet totally functional.

        if it were me designing it, it would be done with a heat gun and tweezers, under a microscope, following the main assembly process. In China they pay slave-wages, so an extra manual step like that wouldn't really add very much extra cost at all, easily compensated for by bribes, etc.. You'd mount the thing, maybe like a bga device or QFN [with solder pre-applied], setting it onto a mating surface with vias in the right spots, hit it with a heat gun until the solder melts, and it would tend to center itself if you do it right. Done. maybe 1 minute to mount the board in a rig, mount the chip onto the board with tweezers under a microscope, hit it with a heat gun for 5 seconds or so, done. 60 per hour per person.

        1. Anonymous Coward

          @bombastic bob

          That's a highly polished and plausible bit of tech research you put into your post.

          You should try flogging it to Bloomberg as a follow-up to their article on this topic.

        2. StargateSg7

          95% of the time it will be a Network Interface Chip (NIC) or a Drive Controller which is re-soldered and changed over. AND its sole task will be to intercept targeted text strings (i.e. text with certain keywords) or packets having specified source or destination IP addresses and then compress/encrypt that data into LEGITIMATE data streams such as image files, OS data files, web-based temp files, etc. which tend to be served to outside locations within network data packets which can be intercepted at the local or regional telecom level.

          Unfortunately, the more insidious intercepts are re-flashed GPU and NIC BIOS'es that have interactive user text-input, screenshot output and mouse-HID-event re-directs to privileged memory locations and/or previously compromised kernel mode drivers which will re-package/compress/encrypt that intercepted data into legitimate traffic for outside intercept. It's basically impossible to change a BIOS that can PREVENT user-flashes and/or show FAKE update credentials to an operating system (i.e. the "Fake" bios prevents a legitimate update and merely changes its version numbers and presents a fake digital signature to low-level services) which will never know incoming data is being intercepted.

          I would have to douse the whole chipset in liquid helium so I can examine under specialty lab conditions using chip layer-by-layer examination the values of local data and cpu registers and other flash memory locations for evidence of "fake" BIOS code.

      2. Anonymous Coward

        >They've demonstrated zero technical skill in creating electronic devices capable of high speed data manipulation without a power source and without connection.

        Yet they demonstrated sufficient skills to obtain data on F-35.

        1. MiguelC Silver badge

          sufficient skills to obtain data on F-35

          and I'm guessing sufficient skills to build a working plane out of them too!

          1. Anonymous Coward

            Re: sufficient skills to obtain data on F-35

            > and I'm guessing sufficient skills to build a working plane out of them too!

            That would be worrying. Less obvious but still troublesome is that they could use the information to locate weaknesses in the F-35 design.

    5. StargateSg7

      Indeed you are correct, China is probably THIRD on the list of nations able to intercept CPU/GPU/NIC lithographs and insert new circuits! I am more inclined to believe that it is actually the USA that put the extra circuit layers or circuit blocks into common designs and/or specially-modified versions of common chips into SuperMicro motherboards.

      Modern Chip design systems that are mostly from Mentor Graphics (look it up) or those from various French and German companies were originally US products and from what my "sources" have said in the past, there are means to NOT FLAG intentional modifications upon tape-out so that the IR/UV/EBM layer technician doesn't actually notice the changes. There's only about 5 to 10 people in a typical FAB who actually interact with each mask AND of those only two who actually are tasked with true Quality Assurance at the mask level. Those employees could easily be bribed and/or coerced into cooperating. The testing regimes will pan out because the modified chip designs WILL pan out to design specifications in terms of specified performance and computational results.

      The high resolution QA cameras which examine each chip upon each doping procedure and mask layering etch use common image recognition algorithms and specialty communications and drivers from the QA vendor which ARE fairly easy to be changed/compromised from a spy-works point of view.

      Even a basic visual inspection from human QA personnel will miss the extra blocks because their comparison masks will differ from what was originally designed at the original chip design bureau.

      AND not every chip will be compromised. It will be specific manufacturing runs containing specific part numbers which will be changed, tracked and forwarded to specific companies via outside influence. Probably on the order of a few hundred or few thousand chips will be changed and redirected to specific manufacturers for inclusion into their products.

      In fact, at the NSA (Ft. Meade) there is a small room about the size of a typical bedroom that has three technicians that specifically de-solder chips from intercepted motherboards and put the modified chips in and resend them out to specified destinations. Typically the motherboards are done in advance and if that MOBO is ordered by a specific department in a specific foreign entity, the "fixed" motherboard has its FEDEX, UPS, DHL, POSTAL delivery intercepted and changed over to the new one.

      It used to be done on the fly where mobos were actually intercepted, fixed up, and re-inserted into the supply chain on a 1-day or 2-day basis but now it's typical for whole classes of common server and workstation components from Dell, Lenovo, HP, IBM, Sun/Oracle, SuperMicro, TYAN, etc to be bought up, have their chips changed over and only inserted into the supply chain when needed or when a target client orders one. That order is intercepted to make sure the right "changed" board or chip is in stock. The courier company and client never know of the switch which is typically done just before shipping from the local customs warehouse or just before final delivery. Very rarely is it intercepted during actual transit except for postal-service shipped goods!

      1. John Brown (no body) Silver badge

        "In fact, at the NSA (Ft. Meade) there is a small room about the size of a typical bedroom that has three technicians that specifically de-solder chips from intercepted motherboards and put the modified chips in and resend them out to specified destinations. "

        That's a very specific piece of information which you specify as a fact. Care to share how you came by it?

        1. Anonymous Coward

          How big (or small) is a typical bedroom?

          I need to let my architect know.

  3. Doctor Syntax Silver badge

    "I am curious if the resistance to the notion of China pulling off this caper is due to academic skepticism "

    I don't think it's resistance to the notion, it's just that it's difficult to square a story based on unnamed sources against such unequivocal denials. There's something distinctly odd going on here.

    1. Anonymous Coward

      Something odd going on here

      I agree; there's something wrong about this affair.

      It seems to me that Bloomberg has probably uncovered something but what they have uncovered is not what they [Bloomberg] think it is.

  4. Destroy All Monsters Silver badge

    Ha HA!

    So less a "China Spy Chip" and more likely a US John "Bolt-On" Chip

    The Ethernet idea is especially bizarre. Send out Ethernet frames in the blind hope that they are somehow routed to the Internet. What?

    1. Dan 55 Silver badge
      Black Helicopters

      Re: Ha HA!

      Why bother routing them to the Internet yourself when you've got an ME that's so eager to help? Send frames inwards, not outwards.

    2. tip pc Silver badge

      Re: Ha HA!

      “The Ethernet idea is especially bizarre. Send out Ethernet frames in the blind hope that they are somehow routed to the Internet. What?”

      Exactly that.

      Every place I’ve worked at by design nothing gets direct access to the internet, you need to go through a proxy. Quad zero is null routed and only the proxies can resolve internet dns. Also by design some segments and systems never get access to the proxy, for example the management (loopbacks) and ILO networks are not permitted to access the proxies, some have explicit fw rules prohibiting those subsets access. So even if someone put dodgy chips on the systems or even blatantly tried to exfiltrate data off the management components the networks they connect to have no direct or indirect internet access.

      Same story for the other segments, in fact only segments specifically permitted internet access get internet access, with their 1 IPS’s and appropriate next gen firewalls with tight policies.

      GPG13 is a good place to start to understand how to detect something like this.

      https://www.computerweekly.com/tutorial/How-to-approach-Good-Practice-Guide-13-GPG13-for-CoCo-compliance
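
The segmentation policy described in the comment above (no direct internet route, only the proxies reach outside, management/iLO segments barred even from the proxies) can be checked against firewall flow logs. This is an added example, not part of the original thread; the subnets, proxy addresses, log format and rule names are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption, not taken from the thread).
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # BMC / iLO / loopbacks
PROXIES = {ipaddress.ip_address("10.20.0.10"),
           ipaddress.ip_address("10.20.0.11")}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records, one per line: "src dst dport action".
SAMPLE_FLOWS = """\
10.30.1.15 10.20.0.10 3128 allow
10.10.0.21 10.10.0.1 123 allow
10.10.0.21 203.0.113.5 443 deny
10.10.0.34 10.20.0.11 3128 deny
10.30.1.15 198.51.100.7 53 deny
10.20.0.10 198.51.100.7 53 allow
10.10.0.34 198.51.100.9 80 allow
"""


def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def audit(flows_text):
    """Return (line, src, dst, rule, severity) for flows that break the policy.

    A denied flow is still reported: the firewall held, but something on
    that segment tried to leave. An allowed one is a gap in the rule set.
    """
    findings = []
    for lineno, line in enumerate(flows_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed records
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            dport = int(parts[2])
        except ValueError:
            continue
        external = not in_any(dst, INTERNAL_NETS)
        if in_any(src, MGMT_NETS):
            if external:
                rule = "mgmt-to-external"
            elif dst in PROXIES:
                rule = "mgmt-to-proxy"    # indirect internet path
            else:
                continue                  # mgmt talking to internal hosts
        elif external and src not in PROXIES:
            rule = "direct-external-dns" if dport == 53 else "direct-external"
        else:
            continue
        severity = "policy-gap" if parts[3] == "allow" else "blocked-attempt"
        findings.append((lineno, str(src), str(dst), rule, severity))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```
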

      1. duhmb
        Angel

        Re: Ha HA!

        Non routed packets...... OK, STUXNET was created with the expectation of no access to the internet, and worked a treat. The use of Very High Density Very high Latency packets (USB etc) got around this, and can again. And before you point out the highly secure environments in US military, I'm sure IRAN has the same security features, didn't do them any good.

    3. OldCrow

      Re: Ha HA!

      Depends.

      Does DHS still practise "security through obscurity" in their own systems, like they used to?

    4. Anonymous Coward

      Re: Ha HA!

      >The Ethernet idea is especially bizarre. Send out Ethernet frames in the blind hope that they are somehow routed to the Internet. What?

      What really is bizarre here are all the postings taking a premise never stated. So where in the article did you see that they sent "Ethernet frames in the blind hope that they are somehow routed to the Internet"?

      1. Anonymous Coward

        Re: Ha HA!

        "So where in the article did you see that they sent "Ethernet frames in the blind hope that they are somehow routed to the Internet""

        The whole article is about China stealing information. Sending Ethernet frames only to the local network won't quite achieve that, will it? At some point, they'll have to get out, which means they'll get routed. Even if they didn't say IP, it's more likely to be used nowadays than IPX, SNA, VINES, ...
