Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?

Anonymous Coward

Re: Grikath

"wouldn't we be paranoid enough to check that what is in the chips matches what we expect to be in chips?"

That's not mayonnaise...

- because it's Friedey, of course.

3
1
Silver badge
Devil

3 & 4, um. I'm thinking "count them on your fingers".

3) the ability to figure out what the hell things are down to a scale of ~50nm. X-ray scanners are not particularly common, and most of those aren't going to resolve down to the level where you can recognise components inside a chip, let alone allow you to identify them and spot things that have been added to the original design.

Well, about that 27" CRT that's still in storage for reasons unknown (except to the BOFH ... ).

2
1
Silver badge

Re: Grikath

You're not going to get much processing out of anything at ~50nm in size. In this case there is a claim that a chip has been inserted and while it's small, it's going to be nowhere near ~50nm.

I am dubious mostly because of the speed and heat issues - in order to intercept and modify what is effectively cross-bus information on the fly, the intercepting chip needs to be rather fast, otherwise the communication between components will be unreliable, and a fast processing chip tends to generate heat. Put a generator of heat in between the substrates of a board and you're asking for (thermal) trouble.

Not impossible, of course, but rather unlikely. It's much more likely that a chip is inserted just on the board itself because this is going to be somewhat easier to achieve. Or alternatively to just modify the software that is on these devices in the first place - no physical trace at all then.

3
1

Why bother ?

How about the fact that the most commonly used server management software and hardware, formerly known as Emulex Pilot, is now owned by the Chinese company Aspeed?

7
3
Silver badge
Big Brother

Chinese agents slip spy chips into Super Micro servers

Wouldn't it be simpler to activate the Intel ME backdoor, the backdoor that the end user can't disable except for the NSA? The backdoor that Intel forgot to lock down with a password. Remember, Trusted Computing doesn't mean you can trust your computer; what it really means is the spooks can be trusted to have a backdoor into it.

38
1
Silver badge

Words mean different things to different people

In the security services, "trusted" means "someone who can betray you".

31
1
Silver badge

Re: Chinese agents slip spy chips into Super Micro servers

The ME backdoor requires you to already have access to the local LAN to exploit it. This spy chip attack can be leveraged from halfway around the world; it would only fail if the network the server is on is completely isolated from the internet.

Plus the ME backdoor goes away once it is found and patched. The spy chip attack lives for the life of the hardware, with no way to disable it short of putting the motherboard in an industrial shredder.

8
8

Re: Chinese agents slip spy chips into Super Micro servers

The Intel ME bugs may not have been known or there could have been the fear of the bugs being fixed. Moreover, any attacks would take known paths so they could be blocked.

1
1
Silver badge

Re: Chinese agents slip spy chips into Super Micro servers

The report says that the component was designed to hack the BMC, which can already do everything that the Intel ME can do and more. So yes, using a vulnerability in ME might well be easier than surreptitiously inserting a component, but it's not like most BMCs are any more secure, and they would probably be a much easier target.

(They also don't mention what kind of CPU these boards had. They might have used AMD or even ARM CPUs, although given how many Intel based servers there are out there, it's unlikely)

Another possibility if you had some access to the boards during manufacturing would be to just swap the BIOS (or BMC, or a number of other chips) with one that contained some kind of malicious capability.

Basically, there are easier ways to do what is being claimed, and attacking the Intel ME is just one of them.

8
2

Re: Chinese agents slip spy chips into Super Micro servers

There are easier ways to have a backdoor, but this way is pretty good for having a backdoor that's hard to spot. If you simply replaced the chip containing the BIOS, made a backdoored flash chip, etc., then all you'd need to do to find them is to test that chip, as they do anyway just to make sure they're working. If, for example, you took a flash chip and asked for its contents, it would be instantly obvious whether the contents were right or not. By having a separate chip to handle that, you would have to test all components of the board together, and that only helps if you know what to look for. For the people doing this, it would actually be easier just to see if you can find the chip on the board. So I don't know whether this chip was ever created or installed, but the details make sense if it was.

1
1
Gold badge

Re: Chinese agents slip spy chips into Super Micro servers

"The ME backdoor requires you already have access to the local LAN to exploit it."

How much access would you need, though? The ability to send a particular network packet might be sufficient to let you exploit the ME in a machine next door to you and once you have better-than-root privileges on one machine it probably isn't hard to work your way around the whole LAN and out to the internet. So ... you start by sending dodgy emails to non-technical staff.

1
1
Silver badge

Re: Chinese agents slip spy chips into Super Micro servers

Why embed into the motherboard substrate? That's really expensive and subject to failure.

If I were doing this and had that piece of silicon, I'd embed it into the packaging of a chip that's supposed to be there.

Cheaper and more reliable as the chip packaging is designed to do this. At least as hard to detect, possibly more so as multi-die packaging is very common.

Of course, the simplest way to do this kind of thing is to swap out the content of a flash chip.

If this attack is real, I am pretty sure that there was no custom silicon involved whatsoever, it will be a firmware image attack as that's cheaper and harder to detect as there are no visible indicators at all.

8
1
Silver badge

Re: Chinese agents slip spy chips into Super Micro servers

(They also don't mention what kind of CPU these boards had. They might have used AMD or even ARM CPUs, although given how many Intel based servers there are out there, it's unlikely)

SuperMicro (as the suspected manufacturer) has just a small number of AMD boards in their (extensive) product range, and exactly zero ARM boards.

3
1
Silver badge
Facepalm

Re: Chinese agents slip spy chips into Super Micro servers

Why embed into the motherboard substrate? That's really expensive

And this would be an issue for the Chinese entities purportedly involved, exactly how?

1
1

Superb reporting and analysis, Register!

Great technical and legal analysis. The parsing of Apple's and Amazon's press statements is an education, too!

47
4
Gold badge
Black Helicopters

Re: Superb reporting and analysis, Register!

Ah, but that is just what El Reg want you to think?

In reality it is them that control the Chinese government, from their space station Vulture 1. Why do you think all the reporting of their rocket plane went quiet, with that flimsy excuse about the FAA not giving them a license?

Also they have embedded cameras and microphones in all the Playmobil figures around the world. Thus every world leader with children is a potential security risk.

Keep your tinfoil hats handy! Arm and prepare for the Vulturepocalypse! They are coming to get us a...

...

...

...

...

16
3
Gold badge

Re: Superb reporting and analysis, Register!

I'm sorry. You can ignore that previous post. The Register are of course the most trustworthy of sources. As well as being brilliant, sexy and very generous with buying their readers beer at their lectures.

Trust The Register. The Register is your friend. The Register wants you to be happy.

25
1
Pirate

Re: Superb reporting and analysis, Register!

I think I've just heard a robo-vulture's evil laugh being emitted from the stratosphere.

6
1
Silver badge

Still Reason to Worry

Outright lies from the companies involved would be unprecedented, whereas the Bloomberg reporters believing someone who was mistaken that SuperMicro was the unnamed target is highly plausible. But that would mean it did happen, just to someone else we don't know about.

9
3

Re: Still Reason to Worry

Methinks the only time it makes sense to embed a chip would be if the server were destined for a classified facility which would wipe and reload (from trusted binaries) every single byte of code on the motherboard.

The hardware strategy would then allow the board to be re-hijacked after it was thought to have been wiped and reloaded.

We may be hearing true story #1 about what happened, and true story #2 about where something else like simple substitution of code for a management processor occurred, but the two stories are mashed up to signal to the perpetrators that the attack is known without disclosing to anyone else where the attack actually occurred.

Now if the perpetrator could only control the motherboard model supplied in a bulk order to SuperMicro, and only some of those boards went to my hypothetical classified site, then many other such boards could have gone to many other customers, either sitting silent or making mischief, which could be the source of a true but irrelevant statement on the number of end customers who got hardware compromised boards.

Just thinking and speculating, no inside knowledge (and no clearance any time in my life) here.

3
1
Anonymous Coward

Well done El Reg Article

Except I'm too old to see the pencil-tip chip that is supposedly circled in front for us to see.

15
1
Silver badge

Let's not go overboard with this.

Unfortunately the conduit for this information appears to be not very technical; we're told vague things about the part that would be worthy of a modern-day spy thriller but don't make an awful lot of sense to someone who actually understands these designs. As it's been in the boards for a decade or so, we have to assume that with its form factor it's not going to be anything much more sophisticated than a medium-sized EEROM. It could patch code on the fly, but that's more theoretical than realistic because there's no guarantee that the code it's patching will be stable for an extended period of time.

I'm prepared to dismiss this as disinformation put around by our own intelligence services (who would probably love a capability like this, but they really have one already in the form of the Management Engine). I'm also used to seeing Bloomberg being used as a conduit for this sort of information -- we normally think of them as a financial site, but for a long time now, if you wanted a story about Russia or China planted in the media, they seem to be one of the 'go to' publications.

What is particularly worrying about this is that the overall picture I'm getting these days of our technical capability is that we seem to be losing it. I'm seeing more marketing and less technology, stories about wonder weapons, mystery capabilities of real and imagined enemies, all dark paranoia and no real technology. This dovetails rather nicely with my perceptions of industry -- obviously the picture's not all bad, but in general there seems to be a dumbing down as skilled people age out and are not replaced (or are replaced by people with a very different set of skills). This may end up being the story behind the story; it's already old news in the UK, but the US....

34
1
Silver badge

Re: Let's not go overboard with this.

As its been in the boards for a decade or so

Sure, if 3 years (2018-2015) fits into the "or so" part of "a decade".

9
4
Holmes

Re: Let's not go overboard with this.

Let's arm-chair-design a recreation of this exploit, and see how close we get to the real thing, after all the facts come out, shall we:

1. Since the BIOS/UEFI is still loaded from an SPI FLASH chip, which is in a very standard form-factor (read: wastefully large blob of plastic around a tiny FLASH chip), it's easy to make an identical package that houses 2 memory areas.

Switch the memory areas after 100 hours of power-on, or after 20 BIOS-loads. Now you have control over the BIOS boot sequence AFTER the board has been tested and installed in location.

2. Next, let's make a USB flash drive, but package it like a USB over-voltage-protector diode package. One of those small ICs that you see hugging the USB bus near the connector, in any properly designed circuit board, protecting the other ICs from your static-electricity-laden fingers.

It'll be the largest over-voltage protector you've ever seen, but it'll still pass inspection.

TVS diodes come in many packages. A government-standard suppressor package may be larger.

Again, activate after 20 power cycles, if (and only if) there is no other device attached to the USB bus.

3. Leverage one of the well-documented standard ways to do a Superfish on the Windows installation.

4. Profit.

Edit:

Scratch that. Just do a proper Superfish after switching the SPI chip memory areas. No need for the USB drive after all. Left as-is for posterity.

21
3
Silver badge

Re: Let's not go overboard with this.

Let's arm-chair-design a recreation of this exploit, and see how close we get to the real thing, after all the facts come out, shall we:

I read the original Bloomberg article. The way the article was written, it sounded like the "signal conditioner" chip could connect to the network, by itself! Only later on did it go into "detail" about it modifying the code for the BMC.

What all of this points out is something very important in system design: the CPU should not boot code that it can't verify through a chain of trust. There are a number of commercially available solutions for this, and they have been on the market for years. The concepts have been out there for far longer. Manufacturers have no reason to not pursue secure operation.

The real problem with all of this is that the motherboard design has to be modified! If a shared serial bus was modified, then that means that there will be a signals conflict on the bus to modify instructions. The problem with this is that the commands are like, "Hey, #24, talk to me!" Then #24 talks, and does it blindly. To actually do what the article claims, the chip has to be in series between the CPU and the memory. That would take a change in the traces, etc. So the motherboard would have to be redesigned to incorporate the chip.

Whatever is going on, we aren't getting the full story yet.

10
1
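Two of the posts above make the same defensive point from different angles: the one that says a swapped flash chip is caught the moment you "ask for its contents" and compare them with what should be there, and the one that says the CPU should not boot code it cannot verify. The check both describe is a golden-image comparison: dump the SPI flash, hash each region of the flash map, and compare against a manifest recorded from a known-good board. The following Python is an added example, not code from any poster, from Supermicro, or from the Bloomberg report; the 64 KiB flash layout, the region names and the dump contents are all constructed for illustration and do not describe any real board.

```python
import hashlib

# Region map for a constructed 64 KiB SPI flash image: name -> (offset, length).
# This layout is an assumption for the example, not a real board's flash map.
REGION_MAP = {
    "descriptor":   (0x0000, 0x1000),
    "bmc_firmware": (0x1000, 0x8000),
    "bios":         (0x9000, 0x6000),
    "nvram":        (0xF000, 0x1000),
}
# Regions that legitimately change at runtime (settings, logs). A mismatch there is
# reported separately so it is not mistaken for tampering of executable code.
MUTABLE_REGIONS = {"nvram"}
IMAGE_SIZE = 0x10000


def constructed_image(seed: bytes) -> bytearray:
    """Deterministic stand-in for a real flash dump; the content is synthetic."""
    img = bytearray(IMAGE_SIZE)
    for off in range(0, IMAGE_SIZE, 32):
        img[off:off + 32] = hashlib.sha256(seed + off.to_bytes(4, "little")).digest()
    return img


def region_hashes(image: bytes) -> dict:
    """Hash every region in the map. A golden manifest is this output for a known-good dump."""
    if len(image) != IMAGE_SIZE:
        raise ValueError(f"unexpected image size {len(image)}, want {IMAGE_SIZE}")
    return {name: hashlib.sha256(image[off:off + ln]).hexdigest()
            for name, (off, ln) in REGION_MAP.items()}


def verify_dump(dump: bytes, golden_manifest: dict) -> dict:
    """Compare a fresh dump against the golden manifest, region by region.

    Returns {"tampered": [...], "changed_mutable": [...], "ok": [...]}; anything in
    "tampered" is a code or descriptor region whose hash no longer matches the golden one.
    """
    actual = region_hashes(dump)
    result = {"tampered": [], "changed_mutable": [], "ok": []}
    for name, expected in golden_manifest.items():
        if actual[name] == expected:
            result["ok"].append(name)
        elif name in MUTABLE_REGIONS:
            result["changed_mutable"].append(name)
        else:
            result["tampered"].append(name)
    return result


def first_difference(a: bytes, b: bytes, offset: int, length: int):
    """Offset of the first differing byte within a region, or None if the region is identical."""
    for i in range(offset, offset + length):
        if a[i] != b[i]:
            return i
    return None


# Golden dump taken from the reference board and its recorded manifest (constructed here).
GOLDEN_IMAGE = constructed_image(b"golden")
GOLDEN_MANIFEST = region_hashes(GOLDEN_IMAGE)


def demo() -> dict:
    # A later dump from a fielded board: one bit flipped inside the BMC firmware region and
    # the settings region rewritten. Only the former should be reported as tampering.
    suspect = bytearray(GOLDEN_IMAGE)
    suspect[0x1000 + 0x200] ^= 0x01
    suspect[0xF000:0xF010] = b"\x00" * 16
    report = verify_dump(bytes(suspect), GOLDEN_MANIFEST)
    off, ln = REGION_MAP["bmc_firmware"]
    report["first_diff_bmc"] = first_difference(GOLDEN_IMAGE, suspect, off, ln)
    return report


if __name__ == "__main__":
    print(demo())
```

The comparison is only as good as the moment the dump was taken: a part that swaps memory areas after some number of power cycles, as the arm-chair design above imagines, passes an acceptance-time check and fails a later one, so the dump has to be repeated on fielded boards rather than once at intake, and the manifest has to be stored somewhere the board itself cannot rewrite.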
Meh

Re: Let's not go overboard with this.

we aren't getting the full story yet

Uhh... yes, we are. Getting the full story, that is. The full story is: "China switched out a memory chip. Did a delayed BIOS driver-switch attack." (Vector is actually named Microsoft Windows Platform Binary Table, not Superfish, which is a separate piece of malware. My apologies for mixing them up.)

You can get full control of the server just by making it load an infected driver before OS boot, via e.g. UEFI option-ROM.

1
2
Silver badge
Pint

Deja vu

Wasn't there a very similar story several years ago?

2
1

Re: Deja vu

Yes there was. Something to do with Snowden and facilities of the NSA and the like implanting spying chips on demand in HP gear. The HP designs deliberately facilitated the spy chips. Another spy agency, likewise operations.

18
1
Silver badge
Pint

Re: Deja vu

There's also the old 'Reprogram The Embedded ARM Chips' ploy.

Also applies to any programmable logic arrays.

It's precisely hopeless. Best to resort to an Art of War approach, with honeypot data, fake data, and so on.

So who is the downvoter? Seems a bit silly...

4
1
Silver badge
Alert

Re: Chinese Super Micro super spy-chip...

"You know: the country that makes everyone's iPhones phones electronics". FTFY

22
1
Anonymous Coward

Which Nation State

could ever possibly mandate that all PCs must ship with a backdoor in the hardware soldered onto their motherboard?

11
1
Silver badge

Re: Which Nation State

All of them.

But not all of them can actually deliver on that...

11
1
Silver badge

Re: Which Nation State

The same ones that argue that encryption should come with backdoors ?

17
1
Bronze badge

Denials

I suggest you read the statements again - they are not what you have concluded.

0
3
Anonymous Coward

"Intellectual property theft"

Sigh...

5
2
Anonymous Coward

If it's true then someone must have access to a compromised board, show everyone the firewall logs, what further proof would you need? It's the on-board networking that has me suspicious, you don't need it once the system is compromised as far as I am aware and it would only serve as an extra detectable layer.

6
1
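The "show everyone the firewall logs" point is sound regardless of what one believes about the chip: a BMC has a very small set of hosts it should ever talk to, so any flow from the management network to somewhere else is worth a look, and a flow to a public address is worth an alarm. The following Python is an added example of that check, not code from any poster or from The Register; the key=value log format, the addresses, the management subnet and the allow-list are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines (format assumed for this example: timestamp then key=value pairs).
SAMPLE_LOG = """\
2018-10-05T09:12:01Z action=allow src=10.20.0.15 dst=10.20.0.2 dport=443 proto=tcp
2018-10-05T09:12:07Z action=allow src=10.20.0.15 dst=10.20.0.2 dport=623 proto=udp
2018-10-05T09:13:44Z action=allow src=10.20.0.15 dst=203.0.113.77 dport=443 proto=tcp
2018-10-05T09:13:51Z action=allow src=10.20.0.16 dst=198.51.100.9 dport=53 proto=udp
2018-10-05T09:13:58Z action=allow src=10.20.0.16 dst=10.50.2.9 dport=445 proto=tcp
2018-10-05T09:14:02Z action=allow src=10.30.1.8 dst=203.0.113.77 dport=443 proto=tcp
2018-10-05T09:15:10Z action=deny src=10.20.0.15 dst=192.0.2.200 dport=8443 proto=tcp
"""

# Assumed network layout: the BMCs live on one management subnet and should only ever
# talk to the management console/jump host. Both values are constructed for the example.
BMC_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTS = {ipaddress.ip_address("10.20.0.2")}
# Private address space; a BMC reaching an unexpected internal host is bad, a public one is worse.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line: str):
    """Parse one log line into a record, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        return {
            "ts": m.group("ts"),
            "action": fields["action"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "proto": fields["proto"],
        }
    except (KeyError, ValueError):
        return None


def classify(rec: dict):
    """Severity for a flow sourced from the BMC subnet, or None if it is expected traffic.

    Denied flows are kept: a blocked attempt still tells you the BMC tried to reach out.
    """
    if rec["src"] not in BMC_SUBNET:
        return None
    if rec["dst"] in ALLOWED_DESTS:
        return None
    if any(rec["dst"] in net for net in INTERNAL):
        return "medium"   # unexpected internal destination
    return "high"         # public address: a BMC has no business there


def find_bmc_egress(log_text: str) -> list:
    """Return every BMC-sourced flow that is not on the allow-list, tagged with a severity."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            findings.append({**rec, "severity": severity})
    return findings


def per_source(findings: list) -> dict:
    """Count findings per BMC address, to see which boards are the noisy ones."""
    return dict(Counter(str(f["src"]) for f in findings))


if __name__ == "__main__":
    hits = find_bmc_egress(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["severity"]:6} {h["action"]:5} {h["src"]} -> {h["dst"]}:{h["dport"]}/{h["proto"]}')
    print(per_source(hits))
```

The DNS line is deliberately in the sample: a BMC resolving names through a public resolver is as telling as a direct connection, since a management controller normally has its console address configured statically and has no reason to look anything up. Whether such logs exist at all depends on the BMC port being on a segregated network behind a firewall that logs allowed flows as well as denied ones; a BMC sharing the host's data NIC leaves nothing to inspect.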
Happy

Fun and games

You left off some juicy details from the Bloomberg article:

"In 2009 the company announced a development partnership with In-Q-Tel Inc., the CIA’s investment arm, a deal that paved the way for Elemental servers to be used in national security missions across the U.S. government.

Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not."

21
1
Silver badge

Re: Fun and games

Bloomberg is being overly picky about what constitutes a "sermon" and a "congregation".

Certainly many sects observe the practice of laying on hands. And you can't fault their faithful devotion.

8
1
Anonymous Coward

Bloomberg is hanging way out in the breeze

Their reputation is really hinging on this... either it's their Woodward/Bernstein "Watergate" moment, or years from now we'll be going "hahaha! remember when that Bloomberg rag spouted that story about super tiny Chinese spy chips?"

If this isn't true, the egg on their faces will be enormous.

16
1
Gold badge

Re: Bloomberg is hanging way out in the breeze

To be fair to Bloomberg, it's entirely plausible. So as long as they eventually admit they screwed up - and ideally tell us how it happened - they can mostly repair their reputation.

After all, the Sunday Times (and others) survived the Hitler Diaries fiasco. Although people still laugh at them occasionally...

9
1

It is a matter of choice

I see this as a matter of choice.

Your choices are to be spied on in similar ways by the Americans, the Chinese, or by one of the other big players.

Not being spied on at all is not an option.

26
1
Silver badge

Re: It is a matter of choice

Your choices are to be spied on in similar ways by the Americans, the Chinese, or by one of the other big players.

I'd rather be spied on by the foreigners. They are less likely to just wander into my home and arrest me and throw me into jail on trumped up charges.

52
3

Re: It is a matter of choice

I'd rather be spied on by the foreigners. They are less likely to just wander into my home and arrest me and throw me into jail on trumped up charges.

That would be my preference too.

I however have a far stronger defence: realistically there's absolutely sod-all of interest on my computer. I do research, but unless more effective data integration for your trains is a matter of national security I'm quite safe. Granted cyber attacks on national infrastructure are a thing, but my work would not be a good jumping off point for that.

4
2
Anonymous Coward

Re: It is a matter of choice

"there's absolutely sod-all of interest on my computer"

I guarantee there's enough on your PC to steal your identity, lock stock and barrel.

You might not be quite so complacent if that happened.

3
1

Re: It is a matter of choice

I guarantee there's enough on your PC to steal your identity, lock stock and barrel.

Of course, but whilst I'm not secure against nation state level actors who can e.g. get into the supply chain for my motherboard (who is?) I do take the sort of everyday precautions necessary to exist in this day and age, to the extent that it's possible to be secure whilst relying on the million different 3rd parties that comprise a modern computing environment.

7
1

Re: It is a matter of choice

I've got an idea.

If "not being spied upon at all" is not an option, let's go the other route - exactly the other route.

EVERYONE is being spied on by EVERYONE.

No; I don't just mean letter agencies. I mean Bob from Accounting. Not your Bob from Accounting; somebody else's Bob from Accounting. And not as part of his accounting duties, just what he does on the weekend for fun, he spies on the NSA.

Give everyone - literally everyone - full and open access to the data of everyone - literally everyone. At least then the process would be well and truly fair.

3
0
Silver badge
Alien

It is interesting in several ways

Firstly, all these MoBos were taken out of use or never got into front-line service several years ago, yet the Apple and Amazon stock price dropped.

Their current results won't be affected by this so why?

Bloomberg has been running a lot of attacks on other tech companies this year. Their principal target has been Tesla.

Now for the conspiracy theory.

AAPL and TSLA are two of the most heavily shorted stocks on Wall St.

Shorters bet on stock falls.

So the shorters buy options on the target stock(s)

Their golfing/sailing/frat buddies release a story about something that happened years ago

The target stocks drop

The shorters sell the options before the end of the settlement period.

The shorters make money, sorry, make that LOADSAMONEY.

If only life was that simple eh?

18
4
Silver badge

Re: It is interesting in several ways

You're assuming the stock price drop had anything to do with this news. Google, Netflix and Tesla had a drop double the size of Apple and Amazon's and they weren't named in the story. Who would really care if the Chinese were spying on Netflix, they gonna find out about your weekend binge watching habits? Hard to see how Netflix's drop could have anything to do with this story.

This was just an across the board tech stock drop, just like some days there's an across the board tech stock gain. Now one can argue the reason everything dropped was concern over this hack, but if so it didn't hurt Apple and Amazon worse than other companies. Indeed, Apple fell slightly less than the NASDAQ index as a whole.

If this was an evil stock market short plot, it wasn't very well executed. You'd much rather get one or a few really big stock drops, not a minor 2-3% across the board drop. The SEC polices these things pretty well too - no doubt they will be examining the trading patterns around Supermicro stock (the only one that really took a big plunge) to see if someone sold a bunch of it short recently, or made unusual put option purchases.

13
2
Anonymous Coward

Re: It is interesting in several ways

Which means that the release of the Bloomberg story was not the cause of the price drop as discussed in the article. For the reasons given above, I agree. Bloomberg's coverage of tech hasn't been friendly, but that's not surprising given the antics of tech "leaders" like Musk. There's a lot of BS backing up in those tech company comms lines, so it would be hard to imagine how anyone outside of Silicon Valley PR could ignore it.

As for the substance of this report: I'm with the many above who think it's part of a deliberate disinformation campaign to bolster the trade war against China while providing cover for a non-Chinese operation to hack cloud services.

The bottom line is you can't believe anyone any more. Those in the know are either incentivized to lie for various reasons, or gagged by like local secrets laws. That could all change if the press and public demanded actual hard evidence when faced with these kinds of claims. But that's unlikely because the press is complicit and the public disorganized. Now if media outlets were to experience sharp, sustained drops in _their_ income due to the public's ceasing to trust them...

5
3
Silver badge

Re: It is interesting in several ways

What hard evidence could they POSSIBLY provide that would change the minds of those who believe this is a US government plot against China? If they made samples of the hardware available for people to look at, how can you tell it was designed by China instead of the US? If they had logs of the chips contacting a Chinese controlled C&C server, how do you know that really happened, or that C&C server wasn't a CIA front? Hell, if they had emails from China's president to their hackers saying "have we stolen Apple's A12 design yet?" signed with his private key, they'd claim the NSA has the technology to break the email encryption/signing that China's president uses.

Once people go down the conspiracy theory rathole, no amount of evidence can possibly change their minds. Everything you show them will become part of the conspiracy. Look at the moon landing deniers, who have crazy explanations for everything from lunar dust samples to the retroreflective mirrors astronauts left behind that are part of the grand conspiracy to fool people into thinking we landed on the moon.

6
1
