Chinese Super Micro 'spy chip' story gets even more strange as everyone doubles down

The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication. On Tuesday, the media outlet behind the claims, Bloomberg, responded to growing criticism of its report by …

  1. Neil Barnes Silver badge
    WTF?

    How can I put this?

    Pictures... or it didn't happen.

    1. Doctor Syntax Silver badge

      Re: How can I put this?

      Pictures at the very least. Let's see someone other than the protagonists being able to examine an actual board.

    2. StargateSg7

      Re: How can I put this?

      NOW for the REST of you...I would be VERY VERY AFRAID..ALL of the U.S., Russian and Chinese intelligence services HAVE PUT extra mask layers in common controller chips and network chips during the lithographic/manufacturing process which CAN re-process incoming signals and use data-oriented steganography to hide extra data in normal UDP and TCP/IP V4 and V6 packets in their headers or in KNOWN data content types such as JPEG, BMP, TIFF, GIF, TEXT, XLS, WORD, XML/HTML etc which are searched and re-assembled outside of YOUR networks.

      Once a microchip lithographic process is compromised via an extra layer or three, only about 2 or 3 people in the chip manufacturing company would be actually in-the-know (and who are probably bribed, threatened OR are actual foreign agents!).

      The ONLY WAY to know is to SHAVE LAYER BY LAYER common NIC (Network Interface Chips), SSD and Hard Disk Controller Chips, GPU's, CPU's, Memory IC's, Northbridge/Southbridge, ARM and Baseband Modem chips and other common chips to see if an EXTRA LAYER or an EXTRA transistor BLOCK has been added to the final chip design for desktops, servers, smartphones, Xbox/PS, and IoT appliances, Televisions, Computer Monitor and more.

      It's so bad in terms of modern spyworks, that EVEN a normal chip design can be compromised by merely adding in temperature-sensitive transistor blocks within a materials and CMOS doping specification that is intercepted and substituted by a spy agency during transit from a design firm to the chip factory which will eventually short out to NEW intentionally designed/hidden CPU pathway when certain instructions are executed to overheat a chip in specific places, which then deteriorate and then eventually short out to NEW circuit paths which can then execute NEW system-compromising instructions !!!

      YES! IT CAN BE DONE and HAS.....BEEN DONE !!!!

      1. Anonymous Coward

        Re: How can I put this?

        @StargateSg7

        Thanks for brightening up my day with laughter.

        You should do stand-up with hilarious material like that!

      2. Spazturtle Silver badge

        Re: How can I put this?

        "The ONLY WAY to know is to SHAVE LAYER BY LAYER common NIC (Network Interface Chips), SSD and Hard Disk Controller Chips, GPU's, CPU's, Memory IC's, Northbridge/Southbridge, ARM and Baseband Modem chips and other common chips to see if an EXTRA LAYER or an EXTRA transistor BLOCK has been added to the final chip design for desktops, servers, smartphones, Xbox/PS, and IoT appliances, Televisions, Computer Monitor and more."

        This is routinely done, chip companies want to make sure the foundry has made the chip exactly as designed.

        1. Anonymous Coward

          Re: How can I put this?

          "This is routinely done, chip companies want to make sure the foundry has made the chip exactly as designed."

          No it isn't. And no they don't.

          That kind of expensive analysis would only be carried out if there was an unsolvable chip failure or a yield issue.

          1. imanidiot Silver badge

            Re: How can I put this?

            @AC, as someone who works in the industry, it is sort of done. Not shaving layer by layer but examining wafers after each layer is processed. It's not routine per se but it IS done regularly for lots of chips. Especially in the run-up phase. Once it's been verified all reticles do what they should and overlay, LER and CD are in spec this process is phased out and it's only repeated every few tens of thousands of wafers. At the startup of a process it's a good way to verify everything works as it should.

            Once a process has been spun up in this way it's VERY hard to make reticle changes without anyone noticing, because changing a reticle has significant impact on its characteristics and can lead to requiring changes in exposure mode, beamshape, focussing, etc, etc. All of which would again be verified by checking the layers after exposure and/or processing (A lot of this is even done automatically by inline inspection systems, which would also have to be taught on the new, changed design or it would flag an error on every single chip, and someone WOULD then look at the pictures and see something was awry)

            Semicon fabbing is NOT trivial and involves a LOT of people and a lot of equipment, all of which would have to somehow not notice someone has altered a chip design without their knowledge.

            1. Anonymous Coward

              Re: How can I put this?

              >Not shaving layer by layer but examining wafers after each layer is processed.

              Agreed. By a fab. For manufacturing/process/yield analysis.

              Not by the "Chip Company" to "make sure the foundry has made the chip exactly as designed."

              1. imanidiot Silver badge

                Re: How can I put this?

                @AC, NO, not just by the fab. The analysis is very often done either by or in very close cooperation with the fab customers' (chip companies') engineers. And plenty of semicon manufacturers run their own fabs. Even in the case of a foundry running the fab for fab-less clients, the distinction between where the "Chip Company" ends and the fab/foundry begins in this regard is a bit of a grey area in practice. Checking layer geometry to "make sure the foundry has made the chip exactly as designed." IS a rather standard test afaik.

      3. Anonymous Coward

        Re: How can I put this?

        You have a lot of shaving to do.

        Please film while shaving.

      4. Version 1.0 Silver badge

        Re: How can I put this?

        @ StargateSg7

        A lot of downvotes - does El Reg have a significant Asian readership these days?

        I suspect one reason for all the denials that this is possible is that another agency has been doing this for a long time.

        1. GruntyMcPugh Silver badge

          Re: How can I put this?

          @Version 1.0: "I suspect one reason for all the denials that this is possible is that another agency has been doing this for a long time."

          It's telling that the supposed source from the security company 'Sepio' used to work for Israeli intelligence, because a mate of mine who designs networks for the UK govt, MoD etc, once told me they weren't allowed to source any network components from Israel, because of fears about back doors.

          1. Anonymous Coward

            Re: How can I put this?

            I do like a good rumour. A certain major FW vendor of Israeli origin allegedly fell afoul of the US military a couple of decades back. Allegedly as I don't have a primary source.

            https://blog.vectra.ai/blog/exploiting-the-firewall-beach-head-history-backdoors-critical-infrastructure

        2. Version 1.0 Silver badge

          Re: How can I put this?

          A lot of downvotes - does El Reg have a significant Asian readership these days?

          Thanks, I'll take those downvotes as a "YES" then ...

      5. Frank Bitterlich
        Facepalm

        Re: How can I put this?

        Where do I get some of what you are smoking?

        BTW, it's even worse. I hear that they have now compromised the tinfoil-making industry. They added secret circuits to every roll of household-grade tinfoil so that when you make a hat out of it, it actually amplifies your brain waves so that they can more easily read them. Plus, they added TLS encryption.

      6. John Brown (no body) Silver badge
        Devil

        Re: How can I put this?

        @StargateSg7

        Are you BombasticsBobs evil twin?

        1. wallaby

          Re: How can I put this?

          "@StargateSg7

          Are you BombasticsBobs evil twin?"

          that's.... BombasticBob isn't it ? The evil part is the one who WRITES IN CAPS every few words

      7. MOH

        Re: How can I put this?

        I think someone might have installed spyware in your Shift key?

      8. packetguy

        Re: How can I put this?

        Stargatesg7, What you posit is silly beyond belief. Any chip fab engineer would immediately detect extra litho layers in a device long before final production, and such a contaminated chip would have thermal and electrical characteristics immediately calling attention to the subterfuge. No shaving required. Only someone with no micro semi knowledge would say this.

    3. TheRealRoland
      Happy

      Re: How can I put this?

      You must be new here. Playmobil or it didn't happen.

    4. streaky
      Megaphone

      Re: How can I put this?

      Came here to say exactly this. I want to see photos or.. yeah, it didn't happen. This story has got wildly out of control and all we're getting is hearsay. If I don't start seeing evidence very soon it's time to start declaring this fake news and move on.

    5. Tom 64
      Pint

      Re: How can I put this?

      There is a lot of Supermicro kit out there. Unless these attacks were very well targeted (which doesn't seem likely), someone will be able to get hold of some of these spy chips or doctored ethernet controllers and put them under a microscope soon enough.

      1. Stoneshop

        Re: How can I put this?

        Unless these attacks were very well targeted (which doesn't seem likely),

        There's a lot of kit, not just by SuperMicro, that's built/customised for particular customers. Such a customisation will not normally end up elsewhere. And given that those boards will be manufactured in dedicated production runs, it's relatively easy to target only those.

    6. phuzz Silver badge
      Stop

      Re: How can I put this?

      Given that these implants were supposed to be exfiltrating data, PCAPs or it didn't happen.

  2. Anonymous Coward

    China has repeatedly demonstrated significant skill in industrial espionage. I don't doubt they have the means to pull this off, and it's the kind of novel hack that could go undetected for years and yield an incredible amount of information.

    I am curious if the resistance to the notion of China pulling off this caper is due to academic skepticism (rare enough these days, and refreshing when exercised), or is instead a reflexive reaction, based upon little more than opposition to the American president's well publicized, ham-fisted opprobrium toward the Chinese government.

    1. Anonymous Coward

      Equally it could be planting disinformation for future leverage. Potentially against another target, but the blame for some subsequent event could then be attributed to this.

    2. JohnFen

      "I am curious if the resistance to the notion of China pulling off this caper is due to academic skepticism"

      I don't really see resistance to the notion that China is doing this, specifically. I see resistance to the notion that it's being done at all (and that resistance is founded on solid technical and logical analysis, not politics). Until that's established, the "who" question is a bit premature.

    3. Anonymous Coward

      China yes. What other country has the design and fabrication capability and the largest external spying organisation in the world, and I don't mean Russia?

      1. eldakka

        China yes. What other country has the design and fabrication capability and the largest external spying organisation in the world, and I don't mean Russia?

        The Federated States of Micronesia? You gotta watch those Micronesians!

        1. Julz

          @ eldakka

          Elbonians?

          1. John Brown (no body) Silver badge

            "Elbonians?"

            Nah, they don't know their Arseonions from their....

    4. WatAWorld

      "China has repeatedly demonstrated significant skill in industrial espionage. I don't doubt they have the means to pull this off, "

      They've demonstrated zero technical skill in creating electronic devices capable of high speed data manipulation without a power source and without connection.

      Obviously any technologically advanced country can produce a tiny IC and place it on a circuit board. But just sitting there not connected to anything accomplishes nothing.

      The USA has even greater expertise and more practical experience, but they couldn't make a piece of unconnected silicon sitting on a non-conductive area of a PC board hack a system.

      1. bombastic bob Silver badge
        Meh

        "they couldn't make a piece of unconnected silicon sitting on a non-conductive area of a PC board hack a system."

        that's not what's being alleged here. the allegation is that the circuit board was modified in such a way to support having some kind of 'spy chip' in the data stream. That means adding power, ground, signal lines, whatever else it might need, exposing pads where the chip gets mounted, and then having some means of installing it there so that it's not very visible, yet totally functional.

        if it were me designing it, it would be done with a heat gun and tweezers, under a microscope, following the main assembly process. In China they pay slave-wages, so an extra manual step like that wouldn't really add very much extra cost at all, easily compensated for by bribes, etc.. You'd mount the thing, maybe like a bga device or QFN [with solder pre-applied], setting it onto a mating surface with vias in the right spots, hit it with a heat gun until the solder melts, and it would tend to center itself if you do it right. Done. maybe 1 minute to mount the board in a rig, mount the chip onto the board with tweezers under a microscope, hit it with a heat gun for 5 seconds or so, done. 60 per hour per person.

        1. Anonymous Coward

          @bombastic bob

          That's a highly polished and plausible bit of tech research you put into your post.

          You should try flogging it to Bloomberg as a follow-up to their article on this topic.

        2. StargateSg7

          95% of the time it will be a Network Interface Chip (NIC) or a Drive Controller which is re-soldered and changed over. AND its sole task will be to intercept targeted text strings (i.e. text with certain keywords) or packets having specified source or destination IP addresses and then compress/encrypt that data into LEGITIMATE data streams such as image files, OS data files, web-based temp files, etc. which tend to be served to outside locations within network data packets which can be intercepted at the local or regional telecom level.

          Unfortunately, the more insidious intercepts are re-flashed GPU and NIC BIOS'es that have interactive user text-input, screenshot output and mouse-HID-event re-directs to privileged memory locations and/or previously compromised kernel mode drivers which will re-package/compress/encrypt that intercepted data into legitimate traffic for outside intercept. It's basically impossible to change a BIOS that can PREVENT user-flashes and/or show FAKE update credentials to an operating system (i.e. the "Fake" bios prevents a legitimate update and merely changes its version numbers and presents a fake digital signature to low-level services) which will never know incoming data is being intercepted.

          I would have to douse the whole chipset in liquid helium so I can examine under specialty lab conditions using chip layer-by-layer examination the values of local data and cpu registers and other flash memory locations for evidence of "fake" BIOS code.

      2. Anonymous Coward

        >They've demonstrated zero technical skill in creating electronic devices capable of high speed data manipulation without a power source and without connection.

        Yet they demonstrated sufficient skills to obtain data on F-35.

        1. MiguelC Silver badge

          sufficient skills to obtain data on F-35

          and I'm guessing sufficient skills to build a working plane out of them too!

          1. Anonymous Coward

            Re: sufficient skills to obtain data on F-35

            > and I'm guessing sufficient skills to build a working plane out of them too!

            That would be worrying. Less obvious but still troublesome is that they could use the information to locate weaknesses in the F-35 design.

    5. StargateSg7

      Indeed you are correct, China is probably THIRD on the list of nations able to intercept CPU/GPU/NIC lithographs and insert new circuits! I am more inclined to believe that it is actually the USA that put the extra circuit layers or circuit blocks into common designs and or specially-modified versions of common chips into SuperMicro motherboards.

      Modern Chip design systems that are mostly from Mentor Graphics (look it up) or those from various French and German companies were originally US products and from what my "sources" have said in the past, there are means to NOT FLAG intentional modifications upon tape-out so that the IR/UV/EBM layer technician doesn't actually notice the changes. There's only about 5 to 10 people in a typical FAB who actually interact with each mask AND of those only two who actually are tasked with true Quality Assurance at the mask level. Those employees could easily be bribed and/or coerced into cooperating. The testing regimes will pan out because the modified chip designs WILL pan out to design specifications in terms of specified performance and computational results.

      The high resolution QA cameras which examine each chip upon each doping procedure and mask layering etch use common image recognition algorithms and specialty communications and drivers from the QA vendor which ARE fairly easy to be changed/compromised from a spy-works point of view.

      Even a basic visual inspection from human QA personnel will miss the extra blocks because their comparison masks will differ from what was originally designed at the original chip design bureau.

      AND not every chip will be compromised. It will be specific manufacturing runs containing specific part numbers which will be changed, tracked and forwarded to specific companies via outside influence. Probably on the order of a few hundred or few thousand chips will be changed and redirected to specific manufacturers for inclusion into their products.

      In fact, at the NSA (Ft. Meade) there is a small room about the size of a typical bedroom that has three technicians that specifically de-solder chips from intercepted motherboards and put the modified chips in and resend them out to specified destinations. Typically the motherboards are done in advance and if that MOBO is ordered by a specific department in a specific foreign entity, the "fixed" motherboard has its FEDEX, UPS, DHL, POSTAL delivery intercepted and changed over to the new one.

      It used to be done on the fly where mobos were actually intercepted, fixed up, and re-inserted into the supply chain on a 1-day or 2-day basis but now it's typical for whole classes of common server and workstation components from Dell, Lenovo, HP, IBM, Sun/Oracle, SuperMicro, TYAN, etc to be bought up, have their chips changed over and only inserted into the supply chain when needed or when a target client orders one. That order is intercepted to make sure the right "changed" board or chip is in stock. The courier company and client never know of the switch which is typically done just before shipping from the local customs warehouse or just before final delivery. Very rarely is it intercepted during actual transit except for postal-service shipped goods!

      1. John Brown (no body) Silver badge

        "In fact, at the NSA (Ft. Meade) there is a small room about the size of a typical bedroom that has three technicians that specifically de-solder chips from intercepted motherboards and put the modified chips in and resend them out to specified destinations. "

        That's a very specific piece of information which you specify as a fact. Care to share how you came by it?

        1. Anonymous Coward

          How big (or small) is a typical bedroom?

          I need to let my architect know.

  3. Doctor Syntax Silver badge

    "I am curious if the resistance to the notion of China pulling off this caper is due to academic skepticism "

    I don't think it's resistance to the notion, it's just that it's difficult to square a story based on unnamed sources against such unequivocal denials. There's something distinctly odd going on here.

    1. Anonymous Coward

      Something odd going on here

      I agree; there's something wrong about this affair.

      It seems to me that Bloomberg has probably uncovered something but what they have uncovered is not what they [Bloomberg] think it is.

  4. Destroy All Monsters Silver badge

    Ha HA!

    So less a "China Spy Chip" and more likely a US John "Bolt-On" Chip

    The Ethernet idea is especially bizarre. Send out Ethernet frames in the blind hope that they are somehow routed to the Internet. What?

    1. Dan 55 Silver badge
      Black Helicopters

      Re: Ha HA!

      Why bother routing them to the Internet yourself when you've got an ME that's so eager to help? Send frames inwards, not outwards.

    2. tip pc Silver badge

      Re: Ha HA!

      “The Ethernet idea is especially bizarre. Send out Ethernet frames in the blind hope that they are somehow routed to the Internet. What?”

      Exactly that.

      Every place I’ve worked at by design nothing gets direct access to the internet, you need to go through a proxy. Quad zero is null routed and only the proxies can resolve internet dns. Also by design some segments and systems never get access to the proxy, for example the management (loopbacks) and ILO networks are not permitted to access the proxies, some have explicit fw rules prohibiting those subsets access. So even if someone put dodgy chips on the systems or even blatantly tried to exfiltrate data off the management components the networks they connect to have no direct or indirect internet access.

      Same story for the other segments, in fact only segments specifically permitted internet access get internet access, with their 1 IPS’s and appropriate next gen firewalls with tight policies.

      Gpg13 is a good place to start to understand how to detect something like this.

      https://www.computerweekly.com/tutorial/How-to-approach-Good-Practice-Guide-13-GPG13-for-CoCo-compliance
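
The segmentation policy described in the comment above can also be checked against flow logs. This is an added example, not code from the commenter or from any product: the subnets, proxy addresses, five-field log format and rule names are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed site policy (hypothetical addressing, constructed for this example).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]   # BMC / iLO / loopbacks
PROXIES = {ipaddress.ip_address("10.1.0.10"),
           ipaddress.ip_address("10.1.0.11")}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: time src dst dport action
SAMPLE_FLOWS = """\
2018-10-09T10:00:01 10.5.3.20 10.1.0.10 3128 allow
2018-10-09T10:00:02 10.20.0.15 10.20.0.1 623 allow
2018-10-09T10:00:05 10.20.0.15 203.0.113.7 443 drop
2018-10-09T10:00:06 10.20.0.15 10.1.0.10 3128 deny
2018-10-09T10:00:09 10.5.3.20 198.51.100.53 53 drop
2018-10-09T10:00:11 10.20.0.22 10.1.0.11 3128 allow
2018-10-09T10:00:12 10.1.0.10 198.51.100.80 443 allow
"""


def _in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; reject malformed lines."""
    flows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        ts, src, dst, dport, action = parts
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "action": action,
        })
    return flows


def classify(flow):
    """Return the name of the policy rule a flow violates, or None."""
    src, dst = flow["src"], flow["dst"]
    src_is_mgmt = _in_any(src, MGMT_NETS)
    dst_is_external = not _in_any(dst, INTERNAL_NETS)
    if src_is_mgmt and dst_is_external:
        return "MGMT_TO_EXTERNAL"   # management plane trying to leave the site
    if src_is_mgmt and dst in PROXIES:
        return "MGMT_TO_PROXY"      # management plane trying the indirect path
    if dst_is_external and src not in PROXIES:
        return "DIRECT_EXTERNAL"    # any host bypassing the proxies
    return None


def audit(text):
    """Flag every violating flow. A blocked attempt is still reported,
    because the attempt itself is the signal worth investigating."""
    findings = []
    for flow in parse_flows(text):
        rule = classify(flow)
        if rule:
            findings.append({
                "rule": rule,
                "ts": flow["ts"],
                "src": str(flow["src"]),
                "dst": str(flow["dst"]),
                "dport": flow["dport"],
                "blocked": flow["action"] != "allow",
            })
    return findings


def policy_gaps(findings):
    """Violations that were actually allowed: the firewall rules need fixing."""
    return [f for f in findings if not f["blocked"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        state = "blocked" if f["blocked"] else "ALLOWED"
        print(f'{f["ts"]} {f["rule"]:<17} {f["src"]} -> {f["dst"]}:{f["dport"]} [{state}]')
```

Blocked attempts from a management segment show the controls working but still deserve a look at the source host; an allowed one means the segment is not as isolated as the design says.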

      1. duhmb
        Angel

        Re: Ha HA!

        Non routed packets...... OK, STUXNET was created with the expectation of no access to the internet, and worked a treat. The use of Very High Density Very high Latency packets(USB etc) got around this, and can again. And before you point out the highly secure environments in US military, I'm sure IRAN has the same security features, didn't do them any good.

    3. OldCrow

      Re: Ha HA!

      Depends.

      Does DHS still practise "security through obscurity" in their own systems, like they used to?

    4. Anonymous Coward

      Re: Ha HA!

      >The Ethernet idea is especially bizarre. Send out Ethernet frames in the blind hope that they are somehow routed to the Internet. What?

      What really is bizarre here are all the postings taking a premise never stated. So where in the article did you see that they sent "Ethernet frames in the blind hope that they are somehow routed to the Internet"?

      1. Anonymous Coward

        Re: Ha HA!

        "So where in the article did you see that they sent "Ethernet frames in the blind hope that they are somehow routed to the Internet""

        The whole article is about China stealing information. Sending Ethernet frames only to the local network won't quite achieve that, will it? At some point, they'll have to get out, which means they'll get routed. Even if they didn't say IP, it's more likely to be used nowadays than IPX, SNA, VINES, ...

        1. Anonymous Coward

          Re: Ha HA!

          > The whole article is about China stealing information. Sending Ethernet frames only to the local network won't quite achieve that, will it? At some point, they'll have to get out, which means they'll get routed.

          I know that. And it is well documented that China was able to exfiltrate F-35 data from Lockheed-Martin. My point is that successful exfiltration does not rely on "blind hope," instead it relies on careful planning. People still talking about "blind hope" are grossly underestimating the Chinese.

  5. WatAWorld

    Why are ICs always in large packages, how is this dot powered?

    It is easy to create an IC smaller than the point of a pencil.

    1. Problem #1 is that you need to connect it to power and ground and data buses -- which is why ICs are put into large packages, and why there are circuit board traces leading to them.

    2. The dot had neither a windmill nor a solar panel nor a connection to a powerbus, so how is it supposedly powered? Itsy bitsy tiny little nuclear reactor?

    And how does it connect to data paths? Psychokinetics?

    Simple physics proves that the story has huge errors in its vague technical descriptions and photos.

    And with the technical details like power and data connections left out, Bloomberg's story has less than zero credibility.

    +++ That said, I do not doubt for a minute that the USA, UK, China, and probably Russia ALL engage in this sort of hardware hacking on a regular basis against key non-governmental targets. +++

    (Doubtlessly this sort of spying occurs between governments, but with government targets it is expected. Hopefully no educated person is so arrogant, imperialistic and immoral* that they think their government should be exempted from other governments doing to it what it does to others.

    * Accepting others doing to you what you do to others is part of the Lord's Prayer -- the "trespassing part". People living in countries that are truly and sincerely Christian do not claim exceptionalism.

    To claim exceptionalism while claiming to be Christian is to lie to yourself and your god.)

    1. MrDamage Silver badge

      Re: Why are ICs always in large packages, how is this dot powered?

      It could be theoretically possible. Physically possible, not sure.

      An inbuilt thermocoupler could potentially provide enough power for such a small chip to do its work, depending on what exactly the "work" is.

      El Reg has detailed before how it's possible to snoop on CPU processes using the innate sounds the CPU makes, especially when dealing with RSA keys. El Reg have also detailed other hacking methods based on sound from other input devices as well.

      So this chip could potentially be listening in for those sounds in order to get a hold of those keys to help facilitate hacking from an external source based on the RSA keys it "heard" .

      The exfiltration of those keys is where it starts to get tricky, especially if it has no tracks to any comm ports of any style.

      Could the chip then also use sound to broadcast those keys at a specific, separate frequency that could be picked up by a mic placed somewhere in the data centre by a spy/bought agent, or even just a mobile phone connected to a power source and secreted under a floor tile or roof panel? Maybe.

      Theoretically, it's possible, based on existing technology and methods, it's just whether all this stuffed into a ridiculously small package is technically possible at this stage of micro-electronics is the question.

      After all, what better way to completely throw off suspicion than to include such a chip, but not have it connected to anything?

      1. EveryTime

        Re: Why are ICs always in large packages, how is this dot powered?

        > "An inbuilt thermocoupler could potentially provide enough power for such a small chip to do its work, depending on what exactly the "work" is."

        A thermocouple will not work. It will generate under a millivolt and trivial power. You need a significant temperature difference for a usable voltage, and significant heat flow for usable power.

        And a small chip isn't likely to have enough cleverness to analyze a system, let alone extract keys. A realistic scenario would be to rely on direction from an external system.

        And even if it could extract the keys, how would it transmit with a near-zero-length antenna?

        1. doublelayer Silver badge

          Re: Why are ICs always in large packages, how is this dot powered?

          I'm not saying it happened--in fact, it seems likely that it didn't happen, but the chip in practice does not need all of the things you say it does. If the original description is correct, it merely sits between a flash chip and a processor, replacing serial traffic. It could use the data traffic from the flash as enough power to inject another signal. After that, the new code could be run just fine by the processor running the servers' firmware, which can do all of the actual stealing, embedding of information into something hard to detect, and exfiltration over the internet. I don't think this happened, but your reasons wouldn't explain why not.

          1. bombastic bob Silver badge
            Devil

            Re: Why are ICs always in large packages, how is this dot powered?

            it has a name: 'parasitic power'. If you rely on open-drain logic circuits for the signals, you can get away with ONLY data (and ground) lines. DS18B20 is one such device [1-wire interface] that can use parasitic power.

        2. aks

          Re: Why are ICs always in large packages, how is this dot powered?

          You pose an interesting challenge. There is a huge amount of energy of all sorts sloshing around inside a computer. Vibration/noise, electromagnetic hum, etc. The antenna could be the motherboard itself, the chassis, the earth lead.

          Then again, there are easier ways to do this.

          I prefer the story that it's a what-if that's been converted to a this-happened. Maybe the real motive is to reduce the trust and thereby the usage of Chinese computer equipment.

    2. Anonymous Coward

      Re: Why are ICs always in large packages, how is this dot powered?

      It is about 20 years since I worked in electronics and chip packaging though the pitch has become finer the basic principles remain the same. So...

      >It is easy to create an IC smaller than the point of a pencil.

      Yes. You just saw the wafer to size.

      >1. Problem #1 is that you need to connect it to power and ground and data buses -- which is why ICs are put into large packages, and why there are circuit board traces leading to them.

      Wrong. Chip packaging allows for easy handling including testing. The alternative you forget is flip chip technology.

      >2. The dot had neither a windmill nor a solar panel nor a connection to a powerbus, so how is it supposedly powered? Itsy bitsy tiny little nuclear reactor?

      It is attached to pads. These can be disguised as test pads during design and board production.

      >And how does it connect to data paths? Psychokinetics?

      See above. This is well known technology, has been for over 20 years.

      >Simple physics proves that the story has huge errors in its vague technical descriptions and photos.

      Physics is a branch of science and in science you do not prove facts but you disprove a hypothesis. None of what you write is anywhere near disproving the story.

      >And with the technical details like power and data connections left out, Bloomberg's story has less than zero credibility.

      The story, had you read it, stated that the chips were disguised as signal conditioners. It follows that these had to be connected to tracks carrying signals to be conditioned. The opposite would have immediately raised suspicion. Also, how do you attach a chip to anything other than a pad?

      >+++ That said, I do not doubt for a minute that the USA, UK, China, and probably Russia ALL engage in this sort of hardware hacking on a regular basis against key non-governmental targets. +++

      That does not make any sense. OK, or they do it except from that China does not do it here?

      >(Doubtlessly this sort of spying occurs between governments, but with government targets it is expected. Hopefully no educated person is so arrogant, imperialistic and immoral* that they think their government should be exempted from other governments doing to it what it does to others.

      See above. Claiming others do it but China does not is bizarre. Please at least attempt to clarify.

      >* Accepting others doing to you what you do to others is part of the Lord's Prayer -- the "trespassing part". People living in countries that are truly and sincerely Christian do not claim exceptionalism.

      What does this have to do with anything?

      >To claim exceptionalism while claiming to be Christian is to lie to yourself and your god.)

      And who claimed exceptionalism? From what I can see you were the first to bring it up.

  6. Jay Lenovo

    A Matter of Trust

    You either believe the Bigfoot testimony or you don't.

    Proof apparently is under non-disclosure.

    1. WatAWorld

      Re: A Matter of Trust

      So you're saying it is a matter of belief and religion.

      Do we believe in Bloomberger Infallibility? Are we of the Bloomberg faith?

      Pretty much the only electrical engineers and physicists who believe the story are going to be doing so in the face of facts they know. So yeah, I totally agree, it would be a religious belief for them.

      To most professional programmers, the thermodynamic, electrical and quantum mechanical stuff going on inside a computer is magic that they just accept. (It would be useless details that get in the way of coding.) So out of ignorance, and not realizing the limitations of their expertise, they might sincerely believe Bloomberg.

    2. JohnFen

      Re: A Matter of Trust

      "You either believe the Bigfoot testimony or you don't."

      I disagree -- I take a third option, which is "I don't know". I try not to believe or disbelieve claims in the absence of evidence (although I often have a sense of whether or not a claim is likely to be true, that isn't the same as believing or disbelieving).

      Instead, I try to merely note that the claim was made.

      1. Sam Liddicott

        Re: A Matter of Trust

        True dat!

        Too many people feel the need to come to a premature conclusion, and get very choppy with Occam's razor to help them do it.

        They consider that extraordinary claims require extraordinary evidence and then chop away, not thinking of the extraordinary value that they might be chopping away for want of a little patience.

        1. Doctor Syntax Silver badge

          Re: A Matter of Trust

          They consider that extraordinary claims require extraordinary evidence

          FTFY

      2. Mark 85

        Re: A Matter of Trust & False Flags

        I too am taking the long view of "I don't know" and "I'm not sure who to trust" in this. The story could be a plant to discredit the Chinese or it could be a cover up of something else... a distraction. Bloomberg does have a reputation for accuracy but in this case...is it real or is it BS? If it's BS, it's of the highest order but then there's "agencies" that are well funded and have some very creative people involved.

        Best bet is not to jump to a conclusion that someone wants us to believe, but wait and see how this plays out. Sherlock Holmes comes to mind: "The game is afoot!".

      3. Charles 9

        Re: A Matter of Trust

        Most people won't accept a third option: adopting a strict for/against mindset, assuming vacillation equals dissent.

        1. JohnFen

          Re: A Matter of Trust

          Yeah, it's the old "if you're not with us, you're against us" bullshit. Too many people have internalized that.

  7. MX9000

    Market Moving Bonus - Incentives and how they Fail.

    Bloomberg has a Market Moving Bonus incentive.

    Mic Drop.

    1. Anonymous Coward
      Holmes

      Re: Market Moving Bonus - Incentives and how they Fail.

      Probably the most plausible conspiracy theory this time is that it was someone wanting to manipulate market prices for tech stocks. So come on journos, do some digging and tell us who's been buying? Or indeed shorting!

      Or would that itself lead to a false trail ... perhaps to someone who's being framed for corruption?

      Or just someone being tainted? If this is outed as nonsense, it could cast a shadow over a man who ruled himself out as presidential candidate because he thought his standing would improve Trump's chances of winning. Especially if there's a dark hint those untraceable Cayman Island accounts might be linked to him.

  8. EveryTime

    A small die-bonded chip on a motherboard is feasible. When attached to the BMC, either on the SMBus or SPI-connected program flash, it could modify just enough to accept very simple remote commands. It would be fragile and take lots of network traffic, but it could work.

    Saying that such an attack is technically feasible is far different than saying that it occurred, or occurred that way. It's a complicated approach that would involve subverting the board fabrication company at multiple points. It would be far simpler to just modify the BMC firmware directly.

    I think that someone was spinning a yarn, and the reporters fell for it.

    1. Charles 9

      So how would you approach it if you can't be sure the firmware will stay the same due to custom flashes or security updates?

      1. Anonymous Coward

        Pictures or it didn't happen

        Readers may have seen:

        * pictures of Supermicro-class motherboards where the SROM (or SPI Flash or whatever) chip can go in a choice of two clearly labelled adjacent locations, depending on what's readily available in the stores on the day, and what they need to do with them. Not a big difference, but...

        * well-verified articles where firmware upgrades, downgrades, and 'fixes' provide a trivial mechanism for changing the behaviour of a system without any need to add 'malicious chips', especially when the firmware update mechanism doesn't have much built in security.

        * writeups of high volume low cost LAN connectors being replaced with visually identical connectors with different innards. What kind of thing can go inside a typical LAN connector without anybody noticing, till the unwelcome and unintended traffic gets on a LAN and somebody happens to see it?

        Now make it a combined LAN/USB connector as seen on many motherboards. Plenty of power and connectivity to play with there, if you want to hide something inside it in plain view.

        * instances where an allegedly secure site wouldn't let unauthorised/unauthenticated kit onto its LANs, but did nothing to stop laptops that had been on the LAN (slurping data they shouldn't be slurping, from the chip hidden on some other box's motherboard?) being taken offsite and then dumping their slurped data into someone else's systems ready for the next round.

        There's not enough hard information in the Bloomberg story to be able to make an informed technical comment. But the underlying capabilities are probably real enough.

      2. DropBear

        @Charles 9 so pray tell, exactly when was the last time you updated your BMC firmware...?

        1. Spazturtle Silver badge

          At which point we get to the stage where we ask: If the hack relies on the firmware not being changed then why not just flash a hacked firmware to the boards instead of using a chip?

  9. mhkool

    we need real hard proof, not opinions

    ok, the spy-chip is plausible, but does it exist?

    I no longer want to see a good photo + details about what the chip actually does, no there is too much pushing from all sides, that only hard evidence can convince a techie.

    Show us the motherboards! 30 companies and the US government have these spy-chips, so show at least 3 motherboards and make them available for an independent party to verify the claims about the spy-chip.

    1. DropBear

      Re: we need real hard proof, not opinions

      That could be problematic considering those in possession of the kit insist there is nothing to show and those insisting there is have no access to the PCBs. Seizing stuff wouldn't really prove anything at all either at this point since if the claims are real, moving the evidence out of the way would have likely been the first thing that was done...

    2. Anonymous Coward
      Holmes

      Re: we need real hard proof, not opinions

      make them available for an independent party

      Now there's an interesting dilemma. To squash conspiracy theories, it has to be a party the would-be conspiracy-theorists trust. And not subject to intimidation from a government that might be implicated. Is there any such?

      Hmmm. Maybe Kaspersky? A strong track record, and someone whose government (for a change) isn't a suspect?

  10. WatAWorld

    Glomar Explorer; Gulf of Tonkin; UFOs and SR71 & F117 test flights; ...

    "Faced with such uncertainty, some are reaching for a unifying explanation: that Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign."

    Yes, obviously it is easier for Five Eyes intelligence agencies to thoroughly hack and backdoor stuff totally designed and built within either Five Eyes nations or vassal states. And that is important because you can't infiltrate something by gluing a tiny piece of silicon on it.

    Here in Canada we've constantly got the USA trying to tell us to exclude Huawei from government and private company contracts.

    But shouldn't Bloomberg have asked someone at MIT, Stanford, Intel or AMD whether this could function? That a piece of silicon glued to the surface of a circuit board and not connected to conductors could do anything useful?

    Bloomberg might well have been duped by the US government; the US government (like probably all national governments) has a long history* of duping their press, but an outfit like Bloomberg should have caught it.

    * And in the case of the USA, a long officially admitted history. Other countries, especially those on the "other side" don't usually admit things 30 years later.

    1. Anonymous Coward

      Re: Glomar Explorer; Gulf of Tonkin; UFOs and SR71 & F117 test flights; ...

      >That a piece of silicon glued to the surface of a circuit board and not connected to conductors could do anything useful?

      Got a source for that premise?

      1. DropBear

        Re: Glomar Explorer; Gulf of Tonkin; UFOs and SR71 & F117 test flights; ...

        This is devolving into "I swear the story I read said those motherboards come with embedded Youkai who steal your soul when you power it up". It's thoroughly amazing how initially objective information completely turns into whatever agrees best with what was already in the reader's head upon consumption and how fiercely most people insist that absolutely no such thing is happening...

      2. StargateSg7

        Re: Glomar Explorer; Gulf of Tonkin; UFOs and SR71 & F117 test flights; ...

        You don't even have to modify the CPU or GPU chip itself!

        I could put an entire chip in the ceramic or metal cap that COVERS any given CPU/GPU which can be powered parasitically via induction, direct connect to leads, etc. This chip-under-the-cap can even include a Fractal Antenna design or a very narrow band antenna to send data over low-bandwidth but long-range/penetrating wavelengths. The emitted signals would likely be seen as extraneous noise but modern DSP (Digital Signal Processing) could recover actual compressed/encrypted data over long periods of time. Even a Faraday cage won't necessarily help because any TEMPEST (look it up!) signals screening would be specific to certain wavelengths usually in the 1.5 to 6 GHz bands that cell phones and wifi use. Go to Terahertz or lower than 1.5 GHz or even acoustic communications bands and then even the typical mesh-screen or punched metal Faraday cage will be compromised. Only a FULLY ENCASED SOLID SHEET Tungsten, Copper And Polymer Faraday Cage will block those signals!

        In some cases the signal may need to travel only a few inches/cm or a few feet/metres since the destination storage medium may be embedded into clothing, jackets, buttons, shoes, or disguised as common personal gear, etc. A person who works in a sensitive location MAY NOT even be aware they are the external data transmission medium since THEIR personal clothing/goods may be intercepted and modified by external spy agencies. Once the targeted employee walks out at the end of the day, an external system can intercept and download the latest data using non-physical extraction (i.e. wireless comms)

        The typical front door security/user entry system and even a physical body search would NOT detect these PASSIVE data storage devices which can be as thin as a postage stamp or as small as a pencil head! (or they might actually BE embedded into pens/pencils/erasers/sheets of blank paper!) Even the X-ray system wouldn't detect the passive device since the typical security guard would NOT know what they are looking at on-screen and just "Let It Go Through!"

      3. StargateSg7

        Re: Glomar Explorer; Gulf of Tonkin; UFOs and SR71 & F117 test flights; ...

        AND FOR THE KICKER.....Modern Spyworks have gotten sooooo SOPHISTICATED that I can embed a whole signals intercept, storage and communications chip within those fake shiny red woman's fingernails that many women get for cosmetic looks!

        Modern chips can be parasitically powered from local EMF, from the human body itself and they can be made so small I can put one on or under a woman's (or man's) finger nails or toenails and cover it up with nail polish. No one will be the wiser and almost NO security guard will have the ability or skill to find such hidden devices. I could compromise the local nail esthetician to implant or paint-on the device off-site at the local nail parlour which the targeted wearer would be UNAWARE OF !!!

        THIS SHOWS YOU JUST HOW FAR the USA, RUSSIA, CHINA, UK, ISRAEL, FRANCE, GERMANY, etc DO GO in their daily spyworks activities!

        1. Charles 9

          Re: Glomar Explorer; Gulf of Tonkin; UFOs and SR71 & F117 test flights; ...

          "AND FOR THE KICKER.....Modern Spyworks have gotten sooooo SOPHISTICATED that I can embed a whole signals intercept, storage and communications chip within those fake shiny red woman's fingernails that many women get for cosmetic looks!"

          PROVE IT. Where's the example?

  11. Anonymous Coward

    Denials

    So far AT&T, Verizon, Sprint and TMobile have denied being the "major telecommunications company" in question. Who does that leave, Centurylink?

    1. Munchausen's proxy
      Pint

      Re: Denials

      "So far AT&T, Verizon, Sprint and TMobile have denied being the "major telecommunications company" in question. Who does that leave, Centurylink?"

      Comcast. But it couldn't be them -- if it were they would have charged the customers for it.

    2. JohnFen

      Re: Denials

      "Who does that leave, Centurylink?"

      I think it leaves AT&T, Verizon, Sprint and TMobile. Absent actual information, there's no reason to believe that those companies are being honest in their denials.

      1. Anonymous Coward

        Re: Denials

        "Absent actual information, there's no reason to believe that those companies are being honest in their denials."

        Sure there is. Fiduciary duty, as last I checked, they're all publicly traded, and lying in public can affect their values, meaning the SEC can step in. That's also a reason why we have to assume Bloomberg did at least some homework, or they'll have to answer to higher authorities due to their journalistic obligations.

        1. JohnFen

          Re: Denials

          "Sure there is. Fiduciary duty, as last I checked, they're all publicly traded, and lying in public can affect their values, meaning the SEC can step in"

          That doesn't mean that they can be believed in the absence of evidence. History shows us that "fiduciary duty" isn't enough to prevent lying, particularly if the fines that the SEC might saddle them with (if they get caught) are less than the losses they may incur if they tell the truth.

  12. Anonymous Coward

    NSM is on record

    Perhaps the journalists could contact NSM who is on record as having stated they knew Supermicro was compromised?

    Site: https://nsm.stat.no/english/

  13. gerritv

    It could just as easily have been a grain of rice from someone's lunch that glued itself to a board.

    Remember when quite a few senior govt types in the US were concerned that the different colour centre in Canadian 2 dollar coins were microphones being used to spy on their secret meetings? http://rabble.ca/babble/national-news/your-pocket-change-spying-you

  14. Anonymous Coward

    China, Russia, Iran and North Korea are bad. It's not that hard to figure out. I should also add that the dual pentium boards from Supermicro (P3TDEi) were such a sack of shit I sometimes wish China had hacked them. Then at least I would have had an excuse for the failure rate.

  15. tip pc Silver badge

    Tom Clancy covered this in Threat Vector

    https://en.m.wikipedia.org/wiki/Threat_Vector

    It’s a while since I read it but the book describes how careful some buyers are in procuring kit, shipping to false addresses in the hope that kit won’t be adulterated etc.

    I do agree there are easier ways of infiltrating systems by doctoring firmware instead of commissioning chips to be embedded in a place that can be X-rayed.

    If it’s possible to determine the presence of the doctored systems by network traffic analysis then Bloomberg should tell us what to look for so we can check our systems and see if we have any.

    I suspect it’s yet another case of check/blame the network as so few people understand how networks work. Put another better next gen firewall in perhaps? That’ll stop those Chinese hackers!!! <—- Sarcasm as without knowing what to look for we don’t know what to block.

  16. Christoph

    Of course there's hidden spyware in electronics

    It's well known that some electronic kit has hidden spyware included. As Snowden revealed, it is put there by the NSA.

  17. Nate Amsden

    I believe bloomberg myself

    Though I am obviously biased I suppose as I have had a small fear about this exact kind of thing since Lenovo bought IBM's Thinkpad line.

    Fortunately I don't have anything of value that the Chinese would want. After being a die hard Thinkpad fan for many years when Lenovo bought them I swore off of them for 11 years - I used Toshiba in between. I am on Thinkpad again after I guess I accepted whatever could happen to Lenovo Thinkpad is just as likely to happen to Toshiba (that and Toshiba didn't have the hardware I was looking for at the time).

    I've read conflicting comments on whether or not this kind of thing is possible, and to me based on history of other sorts of surveillance activities from other countries I absolutely have to be on the side of the fact that it is probable this happened given the resources of a country like China. I'm just as likely to believe something similar could happen in the U.S. as well with NSA/CIA whomever. I also totally believe that the intelligence community is pissed off at the report for revealing that they knew what China was doing. They'd rather keep that secret so they can continue monitoring and quietly contain it.

    I'm just hoping some day to see another Snowden-style leak of internal documents that say yes this did in fact happen, and those paranoid folks were right all along. Sort of reminds me of the early days of the reveals about the taps that the NSA had at AT&T facilities. As an AT&T data center customer at the time I joked with their staff about it, but really didn't surprise me, I continued as their customer until I moved to another job.

    Some folks say, why didn't more places encounter this? Well, the answer seems obvious: they targeted the attacks to lessen the likelihood of it being detected, like any good APT.

    Certainly sucks for Supermicro right now though I'd suspect the vast vast majority (99.99%) of their customers have nothing to worry about (as they are not juicy targets). I run (1) supermicro server myself in a colocation in the bay area. I was thinking about getting a new one as that one is 7 years old. This report does nothing to sway my opinion either way.

    However I wouldn't be caught dead running supermicro in mission critical production (again, this report has absolutely nothing to do with that either, just based off of ~18 years off and on of using their hardware). I do realize of course some 3rd party appliances I have may very well have supermicro hardware on the inside, but at least those are managed by the vendor as in I don't have to worry about diagnosing strange hardware faults or asking fortune tellers what changes are in the latest firmware, and don't have to worry about resetting all configurations to defaults when flashing said firmware (and the obvious negative implications from doing so from a remote location -- my critical servers are 2,400 miles away from my home)

    To me at the end of the day this is hopefully a good thing in that it would raise awareness. I think it's totally possible for similar things to happen to other manufacturers as well even the big guys like HP and Dell. The trend of racing towards the bottom on pricing really puts pressure on the abilities for companies to be willing to be extra vigilant.

  18. FuzzyTheBear
    Black Helicopters

    After all .. NSA ?

    Say that the board really has a chip and that the board is going to the USA in places the American services don't have access to ( Apple for example ) what better way to hide their doings than by having fingers pointing the Chinese as the evil country's wrongdoings ?

    Really .. Denials by any US government agency or anyone else involved for that matter seems rather suspect that the true perpetrator is the US secret services and agencies.

    Yeah .. i don't trust the US. For good reasons. And neither should anyone with a critical mind go pointing fingers to China when we know darn well the US can't be trusted just as the Chinese can't.

    1. Anonymous Coward
      Black Helicopters

      Re: After all .. NSA ?

      ... If there is indeed a device in there, but it's the NSA that's responsible.

      That's the obvious reason why US and UK governments would be keen to deny there's anything to see. Let's talk about something else.

      But is that reason just too obvious? Oh dear, conspiracy theory eats its own tail[1]. So it's a decoy for [???].

      Whatever the underlying motivation, Why Bloomberg? Left-field for something like this, but a source that lends credence to an otherwise-implausible story. An insight into that might offer a clue as to who. Is Bloomberg one of the media organisations Trump brands Fake News? That might put it off his radar as a vehicle for a story, but that of course doesn't apply to many others in the US and around the world.

      Chinese conspiracy: plant a decoy story? That needn't be a decoy for anything they're doing, it could just be aimed at countering baseless allegations. Or it could be designed to be outed as a Chinese decoy conspiracy. Oh dear, another self-consuming conspiracy[1]. Dammit, it's nearly 3 a.m. and I really shouldn't be reading stories like this.

      [1] Not that I'm saying it is a conspiracy theory: I keep an open mind on such things.

      1. DropBear

        Re: After all .. NSA ?

        There's also the possibility that nobody actually did any of this yet, but someone from either side is intending to, knowing full well that the next time this becomes news absolutely nobody would believe it even if there were photos of the stuff this time - in fact it would probably never get published at all for that exact reason. A creative bit of prior restraint perhaps...?

  19. This post has been deleted by its author

  20. Unbelievable!
    Boffin

    Sooo.. to 'PARSE' this story to real terms..

    ..is that the news outlets are untrustworthy.

    We knew this. We go fact checking, against...uh...other news media. no wait.!!!

    It amounts to 'Yes you may have your freedom to report truths, however, by that very rule, we cannot control the sea of contradictory reports which will whitewash and drown your less popular and more damaging report, so that it will be only known by few.'

  21. Big Al 23

    It seems to me that...

    ...if these compromised machines are so prevalent then Bloomberg's sources should be able to at least display one of them or show a photo taken at the time of discovery to substantiate the claims of added chips. There should also be some data logs to show unauthorized outbound data traffic.

    1. Unbelievable!

      Re: It seems to me that...

      I agree. The onus is upon the accuser.

      I'm not questioning them (accuser). we all know that there's a lot of high level secrecy in any business. And if they can consolidate ... well... how would we know.

      Today's news, tomorrow's "chip wrapper" (you can have that tag line The Register. ;) )

  22. aregross
    Big Brother

    Where there's smoke.... there's a burning chip!

  23. Anonymous Coward

    <A mystery wrapped in a riddle inside an enigma>

    Is this a$$ covering by BB or is this outside confirmation?

    "In response to the Bloomberg Businessweek story, the Norwegian National Security Authority said last week that it had been "aware of an issue" connected to Supermicro products since June. It couldn’t confirm the details of Bloomberg's reporting, a statement from the authority said, but it has recently been in dialogue with partners over the issue."

    https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom

  24. Anonymous Coward

    One special fried rice, one won ton soup

    You want extra chips with that?

  25. T. F. M. Reader

    Semiconductors, doping, electrons, and holes

    While one may argue that adding a small chip to a motherboard is feasible, that it will only need to inject some extra/modified code into the loaded kernel at boot, will need only a small amount of power at that point, will be passive/dormant the rest of the time, and the actual spying will be done by the injected code in main memory, etc., what I could not understand from the start is how the gathered information (that may be very damaging indeed) will be sent stealthily to the mothership. Even less so, how it will be done from a data centre server that isn't even supposed to ever make outbound connections to the rest of the world.

    Outbound traffic is routinely monitored, and a server trying to reach a machine outside of the organization will be detected fairly quickly by a serious player such as AMZN or AAPL. AAPL say as much in their letter to Congress.

    I didn't see any statements anywhere that said, e.g., that any of the affected servers were involved in serving external requests. Even if they did, it would, IMHO, take too many miracles to arrange for useful and undetectable "steganography" in the responses. Besides, a machine servicing external requests is not likely to have the information that would justify such a complex hack.

    Supply chain malware is nothing new and has been seen in the wild and it is usually its activity - either lateral movement or "phoning home" or both - that gives the game away.

    IMHO, this is the most glaring hole in the Bloomberg story.

    1. Anonymous Coward

      Re: phoning home

      Remember Stuxnet?

      Unwelcome data crossed from one LAN to another, allegedly "airgapped". Data transfer was not quite in real time, but not far off, and without "phoning home" being visible on the equipment (or LAN) which was leaky.

      It did that by using a box that was physically or logically moved from the automation LAN to the office LAN, and back again. No "phoning home" visible.

      Or am I misremembering.

      1. Charles 9

        Re: phoning home

        It went via USB sticks which were a necessary evil in the Stuxnet case since the machines needed programming code to run, which Stuxnet covertly altered in the compiling phase.

      2. Primus Secundus Tertius

        Re: phoning home

        The prime purpose of Stuxnet was not to phone home but to sabotage the industrial plant that it reached.

        1. doublelayer Silver badge

          Re: phoning home

          Some assumptions you made:

          1. The chip, assuming it exists, is meant to exfiltrate data.

          2. The chip, assuming it exists and is meant to exfiltrate data, would be doing so frequently, rather than sleeping most of the time and sending out bursts on some occasion.

          Assuming that it did need to exfiltrate data, it could be doable on Amazon's network if it could be programmed to recognize an AWS image with specific characteristics. The data could be sent to that VM by the kernel, and stored there. From there, it could be encapsulated into traffic that is sent out as normal.

          This wouldn't explain exfiltration from other systems, as Apple doesn't run others' VMs on their systems. However, it could be possible to send data in standard-looking packets if there wasn't that much. This is not an explanation, but it is feasible.

          It doesn't make that much sense that the chip would have another purpose, although I suppose you could come up with one. It could be a remote destruction device that merely watches for a request, then takes the system down. That doesn't seem like a useful thing to do, but that could be the purpose. I'm sure we could think of lots of other things the chip might be doing if it exists, so let's not assume that exfiltration is the only task it might perform.
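The egress-monitoring argument in this thread, written out as a check (an added example, not part of any comment above; the subnets, the sample flow records and the function names are constructed for illustration). It flags every outbound flow from a segment that should never reach the outside, regardless of volume, so a host that sleeps most of the time and sends one small burst a day is still reported.

```python
import ipaddress
from collections import defaultdict

# Assumed site policy (hypothetical addresses): what counts as "inside", and
# which segments should never initiate a connection to an outside address.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
NO_EGRESS_NETS = [ipaddress.ip_network(n) for n in (
    "10.20.0.0/24",   # BMC / management LAN
    "10.30.0.0/24",   # backend servers with no business talking to the internet
)]

# Constructed flow records: "epoch_seconds src dst dst_port bytes_out"
SAMPLE_FLOWS = """\
1539000000 10.30.0.11 10.30.0.12 5432 48211
1539000060 10.20.0.7 10.0.5.2 123 76
1539003600 10.20.0.7 203.0.113.50 443 412
1539007200 10.40.0.3 198.51.100.9 443 90211
1539090000 10.20.0.7 203.0.113.50 443 388
1539093600 10.30.0.11 203.0.113.77 53 96
garbage line that a parser must survive
"""


def in_any(addr, nets):
    """True if addr falls inside at least one of the given networks."""
    return any(addr in net for net in nets)


def parse_flows(text):
    """Yield (ts, src, dst, port, nbytes); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts, port, nbytes = int(parts[0]), int(parts[3]), int(parts[4])
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        yield ts, src, dst, port, nbytes


def find_unexpected_egress(text):
    """Group flows that leave a no-egress segment for a non-internal address.

    There is deliberately no byte or rate threshold: on these segments the
    expected number of outside connections is zero, so one small flow counts.
    """
    findings = defaultdict(lambda: {"flows": 0, "bytes": 0, "first": None, "last": None})
    for ts, src, dst, port, nbytes in parse_flows(text):
        if not in_any(src, NO_EGRESS_NETS):
            continue                      # host is allowed to talk out
        if in_any(dst, INTERNAL_NETS):
            continue                      # destination is still inside
        f = findings[(str(src), str(dst), port)]
        f["flows"] += 1
        f["bytes"] += nbytes
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
    return dict(findings)


def summarise(findings):
    """One line per (src, dst, port), ordered by first sighting."""
    rows = sorted(findings.items(), key=lambda kv: kv[1]["first"])
    return [
        f"{src} -> {dst}:{port} flows={f['flows']} bytes={f['bytes']} "
        f"span_s={f['last'] - f['first']}"
        for (src, dst, port), f in rows
    ]


if __name__ == "__main__":
    for row in summarise(find_unexpected_egress(SAMPLE_FLOWS)):
        print(row)
```

The check only sees traffic that crosses a monitored boundary; data carried out by another route, as discussed for Stuxnet above, produces no flow record at all.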

  26. Anonymous Coward
    Anonymous Coward

    The main problem...

    ... is the glaring lack of scientific/technology understanding of the average journalist.

    They are, for the most part, just arts graduates after all. How can they be expected to understand how stuff works?

    Same applies in other areas. Motoring journalists come to mind too.

    1. Primus Secundus Tertius

      Re: The main problem...

      I once applied for a science editor position at a weekly journal. Got nowhere, no interview, no nothing. Probably because I was a techie (now retired), not a journalist. I also have the honour of having been turned down by El Reg.

  27. This post has been deleted by its author

  28. Potemkine! Silver badge

    "Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign."

    I bet on that one, without any proof to sustain my opinion, as I don't see any to sustain Bloomberg's one.

    During this time, some people made a lot of money with this story and its consequences, it could be interesting to follow that trail.

  29. Steve Cooper

    The chips are probably available on AliExpress with a badly translated PDF datasheet :)

  30. YetAnotherJoeBlow

    Played

    I also believe Bb was played like a fiddle.

    For a moment, pretend that the story IS true. How do you think the US Government would play their hand?

    I have seen devices that lie hidden and passively monitor. When the agency needs to reel it in, they just break into an operator's home to plant a device capable of activating and receiving a burst transmission.

    That device is then picked up later with no one the wiser.

  31. Anonymous Coward
    Anonymous Coward

    The fact that so many western agencies were quick to deny the existence suggests that it might not be of eastern origin after all. Tin foil hats at the ready!

    Conspiracies aside, pics or it didn’t happen.

  32. DropBear

    Red pill or blue pill? There is no 'neither' option...

    People seem to think this is a case of either "we are being spied upon by preposterously crafty chips" or "nothing really happened, move along", apparently forgetting that the latter option is off the table. Either the former case is true, or if it is not, then someone went to a lot of trouble setting up a large scale scam sufficiently elaborate to convince / fool a major news outlet - that in itself is very much major news if so. The option with zero actual credibility is "oh, Bloomberg just had a bad dream..."

    1. _LC_
      Holmes

      Re: Red pill or blue pill? There is no 'neither' option...

      > ... then someone went to a lot of trouble setting up a large scale scam sufficiently elaborate to convince / fool a major news outlet ...

      It's the opposite, which makes it the real problem. The scam is nowhere near "sufficiently elaborate". So far, there's been nothing but empty (and quite silly) allegations. It's as if I'd report having found Excalibur, unfortunately not being able to show it to you for your own good. *pffft!*

  33. chivo243 Silver badge
    Holmes

    I'll just leave this tidbit

    Supermicro shares plunged 41 percent last Thursday... Sounds like a smear campaign

    and this... fell as much as 27 percent on Tuesday after the latest story.

  34. Matthew 17

    Even if the magic chips were real

    You'd need magic switches, routers, firewalls etc to enable these magic chips to send the magic data over the network to get it to the evil overlords.

    I know the US media seems to want to manufacture a cold war with China and paint them out to be evil overlords but someone needs to actually provide some evidence of how all of this was supposed to work otherwise I'm going to have to call BS on it all.

  35. one crazy media

    Now you know why engineers are engineers and journalists are just that.

    One cannot put chips wherever one wants willy-nilly.

    Where would one insert a chip in parallel with the Ethernet chip, before or after? How does it control the network data flow?

    Here is a clue, IT software can be messy and doesn't follow rules all that much and is left to the developer. Network protocols, on the other hand, are unforgiving. You change one bit, it stops working.

    1. StargateSg7

      Actually, YOU CAN put chips willy nilly on a motherboard IF you de-solder them from their original locations and put a compromised version of them on the target / interception gear. I absolutely KNOW from multiple insider sources that the US (mostly the USA rather than Russia and China!) have had for MANY YEARS (since the Intel 8086/8088/80286 days of the 1980's) CUSTOM versions of common Northbridge/Southbridge chips (in those days it was separate DMA and Peripheral controllers), and now CPU chips, GPU chips, NIC chips, drive controllers (i.e. Promise, Mediatek) and various DSP and PIC's with extra circuit layers and circuit blocks they make at their own facilities (in Maryland mostly) that can in fact intercept, store, and re-direct data to external destinations without affecting system timings or causing extra signal jitter, etc.

      Those custom chips are ordered in batches and when a particular computer system or part is intercepted, the new version is soldered in. Again, low bandwidth antennae can be embedded into the chips themselves which can export data using various near-field and medium-field communications links and storage mediums that are embedded into security-sensitive environments via common social engineering means. (i.e. usually by compromising either or both multiple knowing and unwitting personnel employed at any given security-sensitive site)

      During President Ronald Reagan's era (1980 to 1988) chip-compromised Gravis soundcards and keyboards were embedded into various Soviet Union ministries that had illegally purchased western computer gear from grey and black market resellers. Acoustic sensors recorded short audio clips and keyboard input which were temporarily stored within hidden internal memory systems and picked up later by unwittingly compromised janitorial staff who had passive networked recording devices embedded into cleaning machines, gear and personal clothing.

      External agents picked up the recorded data as employees went home after a shift. At the time, the GRU and KGB headquarters, various agricultural ministries, various cosmodromes and aircraft/spacecraft/ship/submarine production facilities were targeted. While the retrieved keyboard data and acoustic data was on the order of a mere few hundreds of kilobytes (or in some cases 2 to 5 megabytes), the resulting ACTIONABLE intelligence gathered made the effort VERY worthwhile!

      Defence Secretary Caspar Weinberger started this hardware modification program and they also modified common industrial control software that was ensured to be "stolen" by Soviet agents and installed in their own systems, which in 1987 caused one of the largest natural gas line explosions EVER when modified control software made a Soviet gas distribution control system become overly pressurized!

      AND for the kicker...I think I even still have a film-based PHOTO of Caspar looking rather pleased with himself on the DAY AFTER the explosion strutting down the White House hallway to brief Ronnie on what happened! (the CIA/NRO detected an explosive event and "spy photos" were taken very shortly after -- Don't ask how I know that BUT I think I may still have those photos too!)

      Let's just say that while I may have been very young at the time AND a foreign-ally citizen, I had lots of "insider technical skill, knowledge and MANY insider contacts" ........

  36. I&I

    Discredit Bloomberg Pres. Bid ?

    Just read (on BBC News) that Michael Bloomberg has elected to become part of Democrats and may bid to become US President.

    Could Bb have been seeded with a fake (mal-hw) story as part of campaign to discredit him (and his news org) early-on ?

    Plame described most of her colleagues (back then) as being Fox (TV) lovers.

  37. Anonymous Coward
    Anonymous Coward

    Well for anyone who cares, it is bullshit, the NSA should not be pissing off the average joe.

    Supermicro is not involved and the story is made up.

    It is true that it came from secret services but as a made up story from a depressed guy.

    It was just a phone conversation to show how that guy was doing wrong and it became an international complete mess.

    Like soylent green, NSA is made of normal people (even if they think they're 31337) and many of them are stooopid and keep snooping where they should not. It is really amazing what they can do but they lack common sense and fear themselves. The worst thing is that they think they're right when they are just crazy.

  38. wownwow

    SEC Hibernating?

    SMCI was targeted alone and its stock dropped more than 40% in one day. Has SEC been hibernating with paychecks being automatically and directly deposited?

  39. quasimodo69

    Paul Handon

    2 days ago

    It’s fake news. Bloomberg’s photos are also fake. The part they show is called a Balun and no, it’s not even a semiconductor. Check here: https://www.digikey.com/product-detail/en/murata-electronics-north-america/LDB182G4520C-110/490-4747-1-ND/1531443 And technically speaking the BMC is allowing only one SPI flash on the bus and if a hacker deactivates the existing one by cutting a PCB trace then this hack chip one will be able to load the BMC Linux but its size is too small for that amount of data thus it will have to load the BMC Linux via the shared NIC but then the server board will never boot BMC without internet. That will be found out right away. Besides, the flash IC used is type MX25L25635F that exists in both a 16 and 8 pin version. The Supermicro PCB of type B1DRi allows for both flash IC versions and this hack IC is by Bloomberg’s photoshopped rendering supposed to sit near the Vcc pin of the vacant space for the 8 pin flash option IC with component code UM8. Yes, that is indeed where it could make sense but you would need long wires to connect all pins of this hack chip and it would be rather visible as the layout doesn’t condense all pins to near the Vcc soldering point. Bloomberg has totally failed in making the story technically credible but perhaps the journalists don’t actually understand it deeply. Perhaps they got fooled by some fake news makers? Who gains from this fake news most do you think?

  40. Mahhn

    I remember

    when the US gov was installing malware into the BIOS of hard drives years ago - interrupting shipments after leaving warehouses - before they got to customers. So, is it possible, yeah, would China do this if they could, hell yeah, would the NSA? likely has for years.

    Bloomberg needs to submit more details, but the accusations are doable.

  41. MrBlack

    Wow. Complete turnaround in reporting, hey Reg ?

    'Just as likely however is that Bloomberg's reporters made mistakes in their reporting and the organization failed to adequately fact check the article.'

  42. Milton

    The invisible hardware advantage

    One reason for doubts is that it should be easier, more deniable or more flexible, or all of those, to introduce spy- or malware into soft- or firmware than to use a physical addition which can be discovered, potentially attributed and analysed.

    That said, it is counterintuitively true that a hardware spy may be more effectively hidden than a software one. A software intruder cannot be permanently dormant and, without a hardware element, has to run somewhere on its host's substrate. Look hard enough and long enough and you'll find it, even while it isn't doing mischief. Its code has to execute somewhere.

    A hardware intrusion, on the other hand, can run on its own substrate, completely invisible until and unless it gets a wakeup call, or a timer activates, or some other conditions are met. (It may, for example, passively observe traffic for days or weeks before deciding that its host is likely in production and working hard.) You might very well program the thing to sleep for the first n hours or days after power up, for example, sacrificing some data gathering time for undetectability.

    It's also been argued that it would be more logical to build the nanobugs into existing chips ... but that is not necessarily so. Arguably, chips are where you'd look first, and their small size makes investigation relatively easy. Whereas, introducing a nanobug into the layers of a board—perhaps right underneath a ground zone or a heatsink, where x-rays will be fuddled—might make perfect sense. A mobo offers a lot more real estate than a chip for your visitor to hide in.

    If it were not for the fact that the chubbier electrolytic caps tend not to be attached to data lines (for obvious reasons), I would have thought them an excellent hiding place, given their in-plain-view innocent appearance. Maybe investigators should look for electrolytics that are not doing their job, and, on a close inspection, squat in proximity to subterranean data lines? Not so difficult, if you're a board manufacturer, to slip a few extra whisper-thin leads from the bottom of a component into the third or fourth layer of a complex board, surely? Make them fine enough and you might not even notice them when you yanked the component. (Also, as standard non-tantalum electrolytics, you could self-destruct them without suspicion. The only component you'd expect to occasionally blow its own head off.)

    I'd also point out that once the technology has been cracked—once you, Black Hat, have successfully built and tested a virtually nanoscale bug—you may well look for all sorts of hosts: why be confined to motherboards, when a tailored version could go inside an RJ45 plug? Why go to the trouble and expense of finagling them into a run of 10,000 servers when you could sneak them into routers, switches, sockets—heck, even into cable runs?

    I cannot speak to the veracity and completeness of the story itself: but if it is not true, I'd have to ask— whyever not? Given their appalling track record, the Chinese absolutely would do this if they could. I for one am guessing they can.

    PS: Putting nanobugs in phones has also been suggested. But why not put them into even smaller things, especially those which can become indirectly connected? Why not headphones and watches? Say, anything that can talk Bluetooth. Let Fred Contractor dutifully leave his phone in the Faraday cage at reception, and the earbuds in his pocket can do some light data harvesting while he wanders the building, only to phone home when they are connected for some Buns&Noses relaxation on the commute home through Maryland?

    1. StargateSg7

      Re: The invisible hardware advantage

      You are one of the FEW on here who actually RECOGNIZE just how far an intelligence agency (and criminal organizations!) will go to compromise data processing systems and IT infrastructure. Because of modern nano-scale engineering almost ANY device, peripheral and plug can be compromised.

      USB cables, RJ-45 plugs, Wifi Antennae, keyboard, drives, memory chips, displays...ANYTHING that is big enough to have a circuit hidden in it and have parasitic power drawn from an external source is embeddable and can intercept, store, re-direct and exfiltrate actionable data and intelligence!

      and there is LITERALLY NOTHING anyone can do about it!

      ---

      Anyways...What's Happening? -- Uhhmmm I'm gonna have to ask you to move your desk again and I'm gonna get that red stapler off you....

  43. Anonymous Coward
    Anonymous Coward

    *checks to see if there's a chip marked 'secret chinese spyware' on the mouse*

    nope, all secure here.

    signed Capita.

    1. Anonymous Coward
      Anonymous Coward

      Not sure it's Crapita. Try this instead.

      "HUAWEI CYBER SECURITY EVALUATION CENTRE OVERSIGHT BOARD

      ANNUAL REPORT" (extract below)

      Find it in full at

      https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2018

      As reported on this very fine organ here:

      https://www.theregister.co.uk/2018/07/20/huawei_security_appraisal/

      What could possibly go Bong?

      "HUAWEI CYBER SECURITY EVALUATION CENTRE OVERSIGHT BOARD ANNUAL REPORT

      Part I: Summary

      1. This is the fourth annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board. HCSEC is a facility in Banbury, Oxfordshire, belonging to Huawei Technologies (UK) Co Ltd, whose parent company is a Chinese headquartered company which is now one of the world’s largest telecommunications providers.

      2. HCSEC has been running for seven years. It opened in November 2010 under a set of arrangements between Huawei and HMG to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK’s critical national infrastructure. HCSEC provides security evaluation for a range of products used in the UK telecommunications market. Through HCSEC, the UK Government is provided with insight into Huawei’s UK’s strategies and product ranges. The UK’s National Cyber Security Centre (NCSC, and previously GCHQ), as the national technical authority for information assurance and the lead Government operational agency on cyber security, leads for the Government in dealing with HCSEC and with Huawei more generally on technical security matters.

      3. The HCSEC Oversight Board, established in 2014, is chaired by Ciaran Martin, the Chief Executive Officer of the NCSC, and an executive member of GCHQ’s Board with responsibility for cyber security. The Oversight Board continues to include a senior executive from Huawei as Deputy Chair, as well as senior representatives from across Government and the UK telecommunications sector. The structure of the Oversight Board has not changed significantly, but membership has changed in the year 2017-18. Mainly, this is due to staff rotations in both HMG and Huawei positions.

      4. The Oversight Board has now completed its fourth full year of work. In doing so it has covered a number of areas of HCSEC’s work over the course of the year. The full details of this work are set out in Parts II and III of this report.

      [continues]"

  44. StargateSg7

    ".....Amazon’s security team conducted its own investigation into AWS’s Beijing facilities and found altered motherboards there as well, including more sophisticated designs than they’d previously encountered. In one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached, according to one person who saw pictures of the chips. That generation of chips was smaller than a sharpened pencil tip, the person says. ..."

    This quote is Bloomberg's quoted record of data from a semi-secretive source I am VERY WELL FAMILIAR WITH and who has access to high end hardware security toolsets.

    Like I said earlier modern CPU's and antennae can be made SO THIN I can even embed them into the in-between layers of a blank PCB !!!! AND I can have them draw power parasitically from almost ANY circuit line I desire at ultra low-voltages and system current draws!

    The USA has done this much longer than China or Russia....BUT....I am inclined to say TODAY that the two most SOPHISTICATED countries for being able to manufacture and place ultra-small embedded circuits into common compute systems for spying purposes are China and Israel.

    The USA lost its edge on the small ceramic capacitor-sized circuits about 5 years ago and is UNLIKELY to catch up to China or Israel without spending a few tens of billions on a catch-up innovation wave. I.e. extra DARPA funding!

    On a technical basis, I can even make an ENTIRE LED/OLED display mask into a hidden circuit which has HUGE surface area for acting as a long-range antenna. The actual diodes themselves can be repurposed as switches and/or logic gates working IN-BETWEEN the refresh cycles of the display to form a slow but giant-size parallel processing system.

  45. Grinning Bandicoot

    Suppose

    Maybe it is a longer operation and involves discrediting sources. If a normally trusted source is thought to have become unreliable, then it follows that 'false news' charges might be considered as valid. Open information is dangerous to those that have agendas and it's not necessarily just the Chinese. If you shout it long enough and loud enough you will get believers and the believers become a movement. The movement cries it suffering and needs protection from its attackers and regulations are then promulgated to the deterrence of open, free speech after all the Bolsheviks were in the minority.
