One More Time… (The Chinese Hacked Hardware Singalong begins… again…)
In addition to USB thumbdrives pre-loaded with viruses, and “electronic picture frames” similarly infected, there’s an ongoing effort to bugger computer motherboards and systems. So far this has focused on Intel / AMD oriented hardware, but eventually I think the ARM IoT type SOC (System On Chip) and SBCs (Single Board Computers) will also be targets. That’s why I’ve stopped buying any Chinese SOC based products or any SBCs assembled in China (IF I can determine place of assembly…)
It is just no longer safe to have Chinese origin products in your computer or network. Realize other countries do this too, but they are less malicious in what they do with the buggery.
Supermicro spy chips, the sequel: It really, really happened, and with bad BIOS and more, insists Bloomberg
Server maker says latest article is ‘a mishmash of disparate allegations’
Thomas Claburn in San Francisco Fri 12 Feb 2021 // 23:28 UTC
Following up on a disputed 2018 claim in its BusinessWeek publication that tiny spy chips were found on Supermicro server motherboards in 2015, Bloomberg on Friday doubled down by asserting that Supermicro’s products were targeted by Chinese operatives for over a decade, that US intelligence officials have been aware of this, and that authorities kept this information quiet while crafting defenses in order to study the attack.
“China’s exploitation of products made by Supermicro, as the US company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter,” states Bloomberg in its report, said to rely on interviews with more than 50 sources, mostly unnamed, in government and the private sector.
That’s pretty much pro forma how you do it. When you discover a new attack, you do not just immediately shut it down. An assessment is done to decide if it is a dramatic risk Right Now, or is the longer term persistent threat greater? If the “Now” threat is greatest, you shut it down. If the longer term persistent threat is judged the bigger one, you let it run and study it to get mastery.
I did that with an attack on Apple in the ’80s. A Russian source had hit our “Honey Pot” target but could not get inside the corporate network, then bounced off us to a Military site in Hawaii. We contacted the .mil site and informed them of the attack, but given that our important corporate data was not at risk, and only the “attractive appearing but useless false target” Honey Pot was at risk, we let the exploit run while we figured out everything we could about them and their methods.
BUT, doing that for a decade? Really? “Slow learner” comes to mind…
The article – a follow-on to BusinessWeek’s 2018 spy chip bombshell – cites three specific incidents: the 2010 discovery by the Defense Department that thousands of its computers were sending military network data to China due to code hidden in chips that handle the server startup process; Intel’s discovery in 2014 that a Chinese hacking group penetrated its network via a server that fetched malware from an unidentified supplier’s update site; and a 2015 warning issued by the FBI to multiple companies that Chinese agents had hidden an extra chip with backdoored code on one manufacturer’s servers.
In other words, Bloomberg has expanded its claim that chips containing malicious spyware were added to Supermicro server motherboards, to also include claims of malicious alterations to BIOS-level software to load and run surveillance code hidden in firmware, and to include alleged attacks on other vendors.
All we’d heard about before was the last of those three. Why ANY USA .MIL site allows ANY traffic with a Chinese IP address to exit the site is beyond me. Frankly, why are they not limited to only route to other sites in the .mil address range? That’s a first and most basic layer of the many layers of firewall that ought to exist. Only allow addresses of which you approve through your routers.
The buggering of the BIOS chips is very worrisome as that’s something that persists through shutdowns, software updates, etc. That kind of attack is why I’m not fond of the Intel Management Engine. The ME is a small complete computer where you have zero visibility or control of the software running on it. A prime target for all things Buggery and, IMHO, highly likely to have TLA code embedded from the manufacturer (see prior PRISM program in the USA, and CCP domination of all corporations in China, along with similar things in the UK and EU).
The scenario is not entirely implausible to some in the security industry. “In the hierarchy of cyber attack techniques preferred by intelligence agencies, the highest levels attacks are those that are persistent even when machines are turned off and software is reloaded,” said Alan Paller, director of research at the SANS Institute and president of the SANS Technology Institute, in an email to The Register. “A malicious chip is the simplest solution. Simple solutions work.”
After all, even the NSA ran its own chop shops, adding backdoors to IT gear as it was shipped across the world.
It isn’t paranoia when they ARE out to get you…
But at least now you know why I don’t run any Intel / AMD based hardware newer than a decade or two old, and have stopped buying Chinese source products even in the SBC tier as of a few years back. (My older Chinese based SBCs were likely clean, but I’d only bought them to assess function anyway so they have spent almost all their time either powered off or in isolated networks. I’m presently employing one in my “TV_Network” where at most it can discover I watch TV…)
Segmenting and isolating functions by network with firewalls between them and lack of routing facilities is a basic level of protection that folks ought to do. There is NO reason for your financial activities to be on the same network as your TV and your kids’ video games and chats. Put a second router / WiFi hot spot behind the one from your Telco or Cable provider and segment your network into functional parts, then do not route between them. Do not let Chinese sourced computers or network equipment share the network segment that has things of importance on it. (But realize that likely just means you are sharing with the NSA, GCHQ, or other TLAs instead…)
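The two rules above (only route to addresses you have approved, and never route between functional segments) can be checked against what the router is actually forwarding. The script below is an added example, not code from this post: it models three hypothetical home segments with a per-segment egress allow-list and audits a set of constructed flow records, flagging cross-segment traffic, egress to unapproved destinations, and sources that belong to no known segment. The segment addresses, the RFC 5737 documentation ranges standing in for "the bank" and "the streaming service", and the key=value flow-record format are all assumptions made for the example.

```python
import ipaddress

# Constructed example segments (hypothetical addressing for a home network).
SEGMENTS = {
    "finance": ipaddress.ip_network("192.168.10.0/24"),
    "tv":      ipaddress.ip_network("192.168.20.0/24"),
    "kids":    ipaddress.ip_network("192.168.30.0/24"),
}

# Per-segment egress allow-list: the only outside destinations each segment may reach.
# RFC 5737 documentation prefixes stand in for the bank and the streaming service.
EGRESS_ALLOW = {
    "finance": [ipaddress.ip_network("203.0.113.0/24")],
    "tv":      [ipaddress.ip_network("198.51.100.0/24")],
    "kids":    [],  # nothing approved yet, so everything outbound is denied
}


def segment_of(ip):
    """Return the segment name containing ip, or None if it is on no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src, dst):
    """Classify one flow as (verdict, reason) under the segmentation policy."""
    src_seg = segment_of(src)
    if src_seg is None:
        return ("deny", "unknown-source")
    dst_seg = segment_of(dst)
    if dst_seg == src_seg:
        return ("allow", "intra-segment")
    if dst_seg is not None:
        # Two internal segments talking: the router should not be forwarding this.
        return ("deny", "cross-segment")
    dst_addr = ipaddress.ip_address(dst)
    if any(dst_addr in net for net in EGRESS_ALLOW[src_seg]):
        return ("allow", "egress-allowlist")
    # Default deny: an outside destination nobody approved.
    return ("deny", "egress-denied")


def parse_flow(line):
    """Parse a constructed 'key=value' flow record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def audit(lines):
    """Return the flows the policy would deny, each with the reason attached."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict, reason = evaluate(flow["src"], flow["dst"])
        if verdict == "deny":
            findings.append({**flow, "reason": reason})
    return findings


# Constructed sample flow records, not real logs.
SAMPLE_FLOWS = [
    "ts=2021-02-12T23:28:00Z src=192.168.10.5 dst=192.168.10.9 proto=tcp dport=445",
    "ts=2021-02-12T23:28:01Z src=192.168.10.5 dst=203.0.113.7 proto=tcp dport=443",
    "ts=2021-02-12T23:28:02Z src=192.168.20.4 dst=192.168.10.5 proto=tcp dport=22",
    "ts=2021-02-12T23:28:03Z src=192.168.30.8 dst=198.51.100.2 proto=udp dport=53",
    "ts=2021-02-12T23:28:04Z src=10.9.9.9 dst=192.168.10.5 proto=tcp dport=80",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src']} -> {f['dst']} denied: {f['reason']}")
```

Run against the sample records, the audit flags the TV segment reaching into the finance segment, the kids segment resolving DNS at an unapproved outside address, and a packet from an address that belongs to no configured segment; the two finance flows pass. The same evaluate() logic is what a router's forwarding rules should encode, and feeding real exporter records through it is a cheap way to confirm the rules actually took effect.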
The Register spoke with a former executive at a major semiconductor company who asked not to be named, about the plausibility that the subverted silicon cited in the Bloomberg report might exist and we were surprised to find that he found it credible.
“I have physically held evidence in my hands,” he said with regard to the existence of compromised hardware. “I have seen it from multiple governments.”
China, Israel, and the UK have excelled at these operations, he said, with France, Germany, and Russia also involved but, in his view, somewhat less capable in terms of hardware subversion.
Such attacks absolutely do happen, our source said, adding that there are government contracts seeking to study subverted hardware attacks so they can be replicated and improved upon. However, they’re generally not directed at the public, he said. Rather they’re focused on obtaining access to critical systems, on developing durable national security assets.
If a Chinese chip has indeed been identified, he said, then those involved in the operation messed up by not spending the resources to hide it better.
So there is some expectation of un-buggery by obscurity from buying “uninteresting” hardware. That’s been my basic SBC strategy. There’s little likely gain from, for example, putting spying exploits in a board that’s likely to end up running a yard thermometer or toy robot, and the risk of discovery is great when it is sitting on the developer lab bench hooked up to monitoring gear during system design / devo. So why expose your secret exploit that way? Instead, reserve the high end exploit for high end targets and high end equipment, then put your simple stupid virus plant into random bits of low end gear like USB Thumbdrives that are unlikely to be tested and examined before use.
So I try to occupy the middle ground between those two. Uninteresting and likely to be discovered if used.
Another reference to the Bloomberg story:
It starts off with a lot of denials of evidence, then moves on to the same story.
Years later, Bloomberg doubles down on disputed Supermicro supply chain hack story
Providing more context and quotes to back up a huge claim – that China put secret chips on Supermicro servers
February 12, 2021 By Sebastian Moss
Supermicro hired a third-party investigations firm, Nardello & Co, to examine the veracity of the report, but it was unable to find any evidence supporting Bloomberg’s claims. The US Department of Homeland Security also disputed the claim, while the NSA said it was “befuddled” by the article.
Following the article, Supermicro moved manufacturing out of China, due to customer concerns from the reporting, but continued to deny it. Bloomberg said that it stood by the article, but did not provide any other updates. The two journalists named in the article did not have any more bylines for months.
Now the same journalists have returned with a new, deeper report. It looks at a wider history of alleged tampering of Supermicro motherboards.
But there are two problems with that denial process. First off, the US TLAs were interested in “exploiting the exploit” and getting a good bit of study of it done. So they (along with the companies supposedly buying the equipment) would all have strong motivation to hide the fact of it. Second, the denials were in some cases of the form “it never went into production” and NOT of the form “it didn’t exist”…
Then there’s the Bloomberg article itself:
The Long Hack: How China Exploited a U.S. Tech Supplier
For years, U.S. investigators found tampering in products made by Super Micro Computer Inc. The company says it was never told. Neither was the public.
By Jordan Robertson and Michael Riley
February 12, 2021, 5:00 AM
Whether that probe continues is unknown, as is a full account of its findings. But as recently as 2018, the FBI enlisted private-sector help in analyzing Supermicro equipment that contained added chips, according to an adviser to two security firms that did the work.
The Supermicro saga demonstrates a widespread risk in global supply chains, said Jay Tabb, a former senior FBI official who agreed to speak generally about China’s interference with the company’s products.
“Supermicro is the perfect illustration of how susceptible American companies are to potential nefarious tampering of any products they choose to have manufactured in China,” said Tabb, who was the executive assistant director of the FBI’s national security branch from 2018 until he retired in January 2020. “It’s an example of the worst-case scenario if you don’t have complete supervision over where your devices are manufactured.”
A spokesperson for the Chinese Foreign Ministry called accounts of these attacks “attempts to discredit China and Chinese enterprises” and accused U.S. officials of “making things up to hype up the ‘China threat.’”
“China has never and will never require enterprises or individuals to collect or provide data, information and intelligence from other countries for the Chinese government by installing ‘back doors,’” the spokesperson said in a written statement.
This story is drawn from interviews with more than 50 people from law enforcement, the military, Congress, intelligence agencies and the private sector. Most asked not to be named in order to share sensitive information. Some details were confirmed in corporate documents Bloomberg News reviewed.
Yeah, right, China claims it would never do what it has laws demanding companies do and what has been observed to be done in the past. Sure, I believe every word… NOT!