I'm beginning to think this is a fantastic fake story. It works beautifully for everyone involved (directly or indirectly) except SuperMicro (the victim), who just happen to be the ideal fall guy. SMCI clearly has some issues - they've been delisted from the NASDAQ for accounting problems, and they've had some security issues in the past (like all vendors). There are not many billion dollar companies that get delisted, and that probably made some investors very mad. Next we have general paranoia about security, stoked by the press, and a public unable to determine fantasy from reality. And we have a very specific desire from the current US administration to heighten tensions with China. What I can't tell is if Bloomberg are complicit in the scheme or not, although I think yes is more likely (but more on that in a moment).
Let's start with SuperMicro stock: The stock peaked around mid-2015, and has been in a slow, bumpy decline since then, ostensibly because of accounting issues. But in 2016 there was this incident with Apple and the bad firmware. That probably means that some big contracts got cancelled and machines returned. As the stock has declined there has been some significant short interest in the stock, but because the issues appeared minor there are also people going long, feeling it would bounce back. As things have been getting progressively worse, up to the delisting, there are going to be some big winners and losers. But more importantly, this fall in the stock over time can be dressed up as a company failing for unexplained reasons and cooking the books to prop the company up.
Next we have actual security issues: Like all BMC/IPMI implementations, they have had holes, and then there is this bad firmware update for Apple, which looks like it was a compromised SuperMicro FTP site that handed Apple a hacked network card firmware. That seems to have been enough for Apple to dump them, and likely other companies followed suit. Others might also have received the hacked firmware, and just not gone public. Large scale cancellations/returns would also complicate the accounting audits, especially if revenue has been taken with the hardware still sitting in the loading dock, and then the client "returns" it. And, not being Dell/HP/IBM is always going to bring some level of FUD.
Then we have the general security climate: People have been talking about the dangers of BMC, IPMI, Intel ME, etc from when they were first announced. While they are clearly big security risks, there have not been major attacks against them. However, people love to believe in sci-fi, and right now there is huge paranoia about TLAs and foreign governments. There is just enough truth here for anonymous commentators from across the internet to announce that this is just more evidence that they are being spied on by anyone and everyone. People really also want to believe that hardware is much more advanced than it is, and that software and "AI" are much smarter. In the US in particular there is a complex love/hate relationship with TLAs, where Americans really don't want the government tracking them, but want to believe the James Bond/Superhero image of the NSA/CIA/FBI - they believe them to be capable of any and all feats, but hate that they are probably more likely to use this against them. IT security also loves to play up these threats, along with the press.
This is not to say that IT security is not an issue, only that the cleverness of attacks in the popular imagination tends to border on the fantastic. For example, when the Meltdown issues were disclosed, many commentators took the stance that the NSA had probably been exploiting this for years, if they didn't actually design it into the chips. You also see this at work in the Bloomberg story (tiny chips, etc.) and in the commentary here and across the intrawebs - the CIA/NSA have probably been doing this for years; this or that TLA can of course make whole computers smaller than a grain of rice (obviously, how else do they get them into the tiny robots that are spying on me ;-).
Then we have the current US administration that is trying to start a Cold War with China, and part of that is hyping the value of "Made in America". Even if this story is not a plant, the administration has every reason to play the story up. SuperMicro is a "Chinese" firm, the Chinese are always stealing technology and trade secrets. And as a bonus, the current administration would like to paint Silicon Valley as liberal and in bed with foreign powers, and clueless about security/privacy. And overrun with Chinese spies (funny how the Indians don't spy on people - they're just "too dumb to be a real CS" H1Bs stealing American jobs). But at the same time they would like to insert their own back doors into any and all hardware.
So then we get to the first Bloomberg story. Combine a few rumors from the Apple incident, "embedded chips that control the computer" (i.e. the BMC), some people who want SuperMicro to fail (and probably have a financial interest in that), a black-hat talking about hardware hacks, government agents that want to badmouth China, and presto, you have a story. It really helps that the stock has been falling, and they've been delisted, because that signals that the story is true! Even better, after the story someone else comes forward and says they've seen this sort of thing in an RJ45 port - on a SuperMicro server! Maybe that's what Apple found! And even better, SuperMicro is a "Chinese" firm that makes their stuff in China! What more proof do you need!
Except the story has no proof: all of the sources listed either deny the story, claim they are being quoted out of context, or say that they specifically warned the reporters that what they were claiming was not possible. Some other things are fishy:
- the story opens with a security firm finding an extra chip, even though they wouldn't have gone looking for one, and wouldn't have known it was extra anyway;
- the chip is magically disguised as a signal conditioner, which pushes the bounds of what is possible with a few pins, but also requires a chip that can "do" things (tamper with memory, make connections) despite being a tiny fraction of the size of the BMC controller next to it. Now, something like an ATtiny85 might work between the flash and the BMC, but it would still be quite a hack... You're down below the Arduino in terms of processing power, so you could hack the flash, but you're not going to be sniffing packets;
- people monitor machines for all types of outgoing traffic all of the time, but only one guy found it? Many BMCs are on unrouted networks with packet sniffers looking for this stuff. If I had a fancier setup I would sniff all of the traffic on the management LAN and log it (and as you can tell from this rant, I don't really care for IT security). People sniff outgoing traffic from server farms all of the time, especially big homogeneous clusters. If your database servers do anything other than talking to the web servers, you want to know right away. This is even more true when the "real" LAN is virtualized, and so the only non-customer traffic on the LAN is between the hosts. With VLANs, VXLANs, proxies, etc., there is little chance that only one machine tripped over something - unless there was only one machine out there... No doubt this is how Apple found the problem in 2016 almost immediately.
- Why do this in hardware when you could do it in software? If you know enough about the BMC to hardware attack it, you know that it has little or no security and that you could just flash your fake firmware directly, or just have the BMC do the hacking work for you.
- In the new Yossi story: Metal RJ45 ports are very common and are mostly for shielding...
So, here is a story that might or might not involve actual US officials, companies and TLAs that deny all of the allegations, and the named sources say they are being misunderstood. Sadly no-one has a picture of the actual hardware, a working attack vector, packet traces, etc. But now senators are asking questions, and pointing a finger at China... And it is very likely that at least some people made some money off the shares plummeting, even if revenge itself was not sweet enough. If you shorted SMCI just before delisting, that obligation would not have gone away, and others might have long positions and be forced to buy your now junk shares. It is also not clear from the SEC web site that they will investigate insider trading of OTC shares...
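The management-LAN monitoring the comment describes (BMCs that should only ever talk to a handful of management hosts, so any other outbound flow is an alert) as an added example; this is not code from the comment or from any vendor, and the VLAN range, the allowed-peer list and the key=value flow-record format are all constructed assumptions.

```python
"""Egress-policy check for a BMC/IPMI management LAN (added example).

Assumes a flat management VLAN 10.0.9.0/24 (constructed) where BMCs may
only talk to a short list of management hosts, and flow records exported
as key=value lines (constructed format). Every BMC flow to any other peer
is reported, which is the alert that would fire if a BMC "phoned home".
"""
import ipaddress
import re

MGMT_NET = ipaddress.ip_network("10.0.9.0/24")          # constructed
ALLOWED_PEERS = {                                        # constructed
    ipaddress.ip_address("10.0.9.2"),   # IPMI console / jump host
    ipaddress.ip_address("10.0.9.3"),   # firmware update server
    ipaddress.ip_address("10.0.9.4"),   # DNS / NTP for the VLAN
}

_FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")

def parse_flow(line):
    """Parse one exporter line into a dict, or None if it does not match."""
    m = _FLOW_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": int(dport)}

def find_violations(lines):
    """Return (src, dst, dport) for every flow from a BMC to a non-approved peer."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["src"] not in MGMT_NET:
            continue                      # malformed, or not a management-side source
        if flow["src"] in ALLOWED_PEERS:
            continue                      # a management host itself, not a BMC
        if flow["dst"] in ALLOWED_PEERS:
            continue                      # expected BMC-to-management traffic
        violations.append((str(flow["src"]), str(flow["dst"]), flow["dport"]))
    return violations

SAMPLE_FLOWS = [  # constructed records: two normal flows, one suspect
    "2018-10-04T10:00:01 src=10.0.9.12 dst=10.0.9.2 proto=tcp dport=443 bytes=5120",
    "2018-10-04T10:00:07 src=10.0.9.12 dst=10.0.9.4 proto=udp dport=123 bytes=76",
    "2018-10-04T10:00:09 src=10.0.9.12 dst=203.0.113.7 proto=tcp dport=443 bytes=912",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("ALERT unexpected BMC egress:", v)
```

In a real deployment the lines would come from a span port or flow exporter on the management VLAN rather than a constant, and the allowed-peer set from the inventory of management hosts.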