• Bloomberg reporting hardware hack

    #221644

    Bloomberg have a feature report on a hardware hack, which has seen the share price of SuperMicro (“one of the world’s biggest suppliers of server motherboards”) tumble since the report was published. They report the attack has been underway for at least 3 years, and impacted up to 30 companies:

     
    The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

    The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.

    By Jordan Robertson and Michael Riley

    One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.

     
    Read the full article here

    7 users thanked author for this post.
    • #221656

    • #221673

      Amazon and Apple are saying Bloomberg’s story is not true, Bloomberg is sticking to its guns. One will have to wait a while to find out how all this looks after the facts have been thoroughly threshed out. I am not a nervous investor, so am standing pat. (It helps that I’m not holding any Super Micro shares.)

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      1 user thanked author for this post.
      • #221687

        Only a conjecture, if it proves not accurate that is an extremely effective torpedo job. And if proven true then Apple and Amazon are damaging Bloomberg by their denial. Things get messy pretty fast these days.

      • #222409

        Re: #221673 “Amazon and Apple are saying Bloomberg’s story is not true…”

        CYA?  If they’ve known about it for so long and did nothing are they exposed to humongous lawsuits?

         

        • #222432

          HiFlyer ( #222409 ):

          My thoughts on those possible “humongous lawsuits”:

          If those companies are vulnerable to those lawsuits it would be because, as it seems entirely possible, there is enough proof out there that the problem is real and that they have been covering it up. But if so, a CYA exercise would be pointless: there would be just too much “territory” to cover. That begs the question: if there is proof they are lying, and they must know quite well if there is proof or not, why would they be saying now so firmly that there is nothing wrong? Perhaps as part of some very clever time-gaining maneuver? Or could this be just a knee jerk reaction from their CFCOs (their Chief Flack Catcher Officers)? Or none of the above? Including, perhaps, that they are really telling the truth?

          I would much prefer “telling the truth”, because it would be so extremely disappointing if any of the alternatives were true.


          1 user thanked author for this post.
    • #221685

      Pretty scary stuff. Now that the word is out, I hope that everyone quits doing business with Supermicro. Why do business with a known compromised company?

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
      • #221692

        If I understood it correctly, the problem is not just Super Micro, but there might be “tweaks” to the hardware of personal computers made in China, and most PCs are made in China even if they are sold with familiar US brand names (e.g. “Apple”.)


    • #221725

      MrJimPhelps asks: “Why do business with a known compromised company?”

      Sadly, the answer probably is: because there may not be a better short term option for those unfortunates whose companies have bought and are using a lot of servers and PCs with motherboards made by SuperMicro.

      Here there is more about this latest scandal:

      https://arstechnica.com/gadgets/2018/10/bloomberg-super-micro-motherboards-used-by-apple-amazon-contained-chinese-spy-chips/

       


      • #221921

        Well, you could purchase new servers that don’t have any SuperMicro parts in them. That wouldn’t take long, maybe a couple of weeks to switch everything over from the old to the new servers. And you don’t have a lot of servers, as opposed to users’ computers – there could be hundreds of users’ computers, whereas you may have only five to ten servers.

        • #222012

          It seems likely that PCs’ motherboards are also “chipped” that way. Not just servers.

          There was a similar issue of insecurity with Lenovo, not so long ago, and now this company is again in the news as part of this whole new issue:

          https://www.cnbc.com/2018/10/05/lenovo-tumbles-after-report-about-alleged-chinese-spy-chips.html

          Then there are those who run very large server farms: Google, MS and all those “Cloud” titans… MS is experimenting with a submarine server farm, to see if they can cut down energy costs by dissipating the heat, passively, into the ocean. But not the kind of heat generated by these stories.


          1 user thanked author for this post.
        • #222026

          Some of the servers at my clients offices are based on SM parts.  Migrating them to a VM host on new hardware would not be difficult – just a little time consuming.  Migrating them to bare metal hosts would be much more difficult and take much more time.

          It’s the expense that would be involved that’s a show stopper.

          I’ve been reading a lot on this topic since my morning coffee yesterday.  Some thoughts:

          1) I am not convinced that the lower priced servers (that my SMB clients buy) are impacted.  Everything I can find suggests these are the high enterprise level/cloud host server grade systems.

          2) I am also not convinced that Bloomberg got it right. If they did, this is well and truly scary news.  But the denials from AMZN and fruit are uncharacteristically plausible — there is little if any of the usual weaselly “get out of future trouble with shareholders and customers” language being used in their press releases.

          3) While technically possible, the presence of a physical chip is a smoking gun.  Why would anyone take that chance when corrupting the firmware on existing chips in the design would do the same job and be more deniable?

          4) I have not yet seen pictures.  Just illustrations.  Show me already.  🙂

          ~ Group "Weekend" ~

          1 user thanked author for this post.
    • #221964

      … China … by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs. 

      If the extent of People’s Liberation Army espionage was this far in 2015 what is there to prevent them from having hacked into common microcircuits shipped out of China by now? Any microcircuit found in electronic equipment could be changed in nearly undetectable ways. The hacks could also be installed anywhere in the supply chain where China has access through a controlling interest, some kind of leverage or nefarious cooperation. Even more nefariously, server boards could be swapped out during maintenance of server farms. How can you really ever be sure of hardware security anymore? What is there to prevent NSA from having done this too and that the hack’s vital control information has not already been leaked to Russia by now?

      HP Compaq 6000 Pro SFF PC / Windows 10 Pro / 22H2
      Intel®Core™2 “Wolfdale” E8400 3.0 GHz / 8.00 GB

      HP ProDesk 400 G5 SFF PC / Windows 11 Pro / 23H2
      Intel®Core™ “Coffee Lake” i3-8100 3.6 GHz / 16.00 GB
      2 users thanked author for this post.
    • #221987

      A very informative Twitter thread from @securelyfitz is well worth the time to read, for those interested in the technical background:

      2 users thanked author for this post.
    • #222509

      Statement from DHS Press Secretary on Recent Media Reports of Potential Supply Chain Compromise
      https://www.dhs.gov/news/2018/10/06/statement-dhs-press-secretary-recent-media-reports-potential-supply-chain-compromise

      Release Date: October 6, 2018

      “The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely. Just this month – National Cybersecurity Awareness Month – we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains. These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation’s collective cybersecurity and risk management efforts.”

      3 users thanked author for this post.
      • #222633

        Thanks Kirsty for bringing this news in.

        Now that all the parties I think might form a minimum set necessary to start looking for some resolution to this very worrying issue have made themselves present and been heard, I hope that when a plan of action is arrived at, preferably in the not too distant future, whatever actions (if any) might then be deemed necessary are undertaken both vigorously and effectively.


        • #222677

          DHS are saying they don’t think it’s a real problem – “no reason to doubt the statements from the companies named in the story”.
          No action required.

          cheers, Paul

          2 users thanked author for this post.
    • #222751

      DHS are saying they don’t think it’s a real problem – “no reason to doubt the statements from the companies named in the story”. No action required. cheers, Paul

      Hmmmmm. AFAIK there weren’t large numbers of server MBs affected. If it’s been quietly known for three years perhaps ‘dezinformacja’ was possible.

    • #225825

      This now in the news:

      https://www.bbc.com/news/technology-45922621

      Executive summary: strong claims, strong denials: a raging “we said, they said” exchange.

      Tim Scott says they have turned Apple’s records and piles of relevant technical reports upside down and inside out and found no credible evidence at all. Bloomberg says they have all the necessary credible information to know and affirm that their claims are, so to speak, “true and righteous altogether.” While not quite a direct quotation of Lincoln’s Second Inaugural speech, their counterclaims, it seems to me, are given in much the same deadly earnest and uncompromising spirit.

      Light or smoke coming out of the fire? We’ll see… maybe.

      In the meantime and as a precaution: keep your friendly chips close, and those Chinese ones people are talking about, uh… closer.


      • #225827

        The stand-out to me in that article was the other side of the coin:

        Businessweek has said it stands by its reporting.
        “Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” the publication said in a statement.
        “We stand by our story and are confident in our reporting and sources.”
        What’s left is an intense stand-off between a magazine famed for its thorough fact-checking, and companies that have offered their denials in the firmest of terms.

        3 users thanked author for this post.
    • #225947

      DHS are saying they don’t think it’s a real problem – “no reason to doubt the statements from the companies named in the story”. No action required. cheers, Paul

      Hmmmmm. AFAIK there weren’t large numbers of server MBs affected. If it’s been quietly known for three years perhaps ‘dezinformacja’ was possible.

      Bizweek & Bloomie may have exposed an effective counter-intel disinformation operation. Wouldn’t be the first time media has published against the wishes of authorities to the detriment of USA.

      • #226175

        Who benefits that is not USA based?

        cheers, Paul

        • #226182

          Probably depends on the classification assigned to protect sources and methods, e.g. Noforn, 5 Eyes, etc.

          Google “intel sharing” for more.

          Cheers

           

    • #239704

      Looks like the blame was not with Super Micro:

      ZDNet

      Windows - commercial by definition and now function...