Bloomberg Reports China Infiltrated the Supermicro Supply Chain We Investigate

  • Thread starter Patrick Kennedy

zack123

New Member
Jan 3, 2016
Well, Apple's statement does not confirm an attack at all, it specifically says the malware on the server was an accident.

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
 

wildpig1234

Well-Known Member
Aug 22, 2016
Instead of buying their MB, I just bought a few shares....might as well....lol, the shares are a lot cheaper than the MB...
 

Robert Fontaine

Active Member
Jan 9, 2018
I wonder if Bloomberg is going to get hit with libel on this one. Hard to imagine they don't have double sourced facts for an allegation like this.
 

zir_blazer

Active Member
Dec 5, 2016
Wasn't there an article posted a few years ago about how it was possible to add an extra layer onto chips with an embedded trojan during manufacturing? I can't find the article, but it was related to IBM. Basically, unless you have full control of the entire manufacturing process, you can't be sure that someone didn't tamper with your chips. So if AMD or IBM needs to use a third party foundry that has been compromised (or if they have a rogue employee), they could potentially slightly modify the chip to add some form of advanced backdoor.

I always find it amusing that some hardcore open source advocates badmouth AMD or Intel as if they could intentionally be hiding backdoors in microcode because it is proprietary, yet they don't ask for the Processor full Verilog schematics and a means to audit the manufacturing process, heh.
 

Robert Fontaine

Active Member
Jan 9, 2018
There were a couple of 3 letter agencies in the U.S. that were grabbing shipments in transit and doing neat things to bug it a while back. Another company's support software gave them access to all the things remotely. Management Interfaces (lmfao) - don't put them on the network. The number of back doors caused as the result of developer, marketing, corporate management tools is almost uncountable. It is almost impossible to stop the mfr, operating system vendor or anyone with physical or network access to the machine... lol... did I miss anyone? I'm not very smart but if you give me a screwdriver and 15 minutes I can fix most things. Occasionally the customers make it tougher than that but usually I can get them back into their machines no matter how hard they thought they locked them down.
 

Robert Fontaine

Active Member
Jan 9, 2018
Not quite as cool as the NSA's hard drive firmware hack or as targeted as the US/Israeli attack on Iranian centrifuges but this is fun nonetheless. The whole supply chain issue is a very big deal but practically there is very little anyone can afford to do about it. Against advanced persistent threats (attribute them as you like) we are mostly powerless. The cost of defense and in-sourcing is simply too high for folk to incur. That the NSA is moving onto AWS makes this apparent. That monster hold everything data center they built in Utah turns out to be not big enough.
 
Reactions: BeTeP and fohdeesha

Robert Fontaine

Active Member
Jan 9, 2018
Someone identified the chip in the picture in the Bloomberg story as DPX202500DT-9032A1 (TDK Product Center: RF Components and Modules - Diplexers). Unable to confirm.

Read the Bloomberg articles twice. It is amazing how many words you can write and be entirely fact free. Over 30 companies but they can only name Amazon, Elemental, Apple and Supermicro? Chips that look like x... but no pictures, drawings or otherwise. It's like a big gray pudding carefully avoiding specifics. A year of careful analysis to report vague statements of a conspiracy? Apple's denial was a hell of a lot more clear than Bloomberg's vague accusations. How can it take a year to release a report so vague as to have no identifiably confirmable facts?

Show me a motherboard, a schematic, a chip.... Give me a voice altered voiceover of an actual interview with an engineer describing the specifics. I want to believe but this "report" leaves me doubting Bloomberg's honesty. Nothing in all those words appears to be verifiable. I simply do not believe that there is no individual willing to step forward and say... Look at the motherboard here, here and here. It's bugged. Have a nice day.
 
Reactions: BeTeP and eva2000

MiniKnight

Well-Known Member
Mar 30, 2012
NYC
I agree. If they had such detailed knowledge, how didn't they have an actual photo? The one atop the pencil looks different than that one.
 

Joel

Active Member
Jan 30, 2015
Looking more and more like a hit job (just like something else that's all over the news right now). I agree with Patrick that the SEC should get involved...
 

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
As soon as I saw this was done with an "extra hidden chip", alarm bells started going off in my head. This can easily be done using the existing hardware - Adam Nielsen and I did *exactly* this with iDRAC using nothing but the existing EMMC flash / network stack / etc. That's how easy this is with physical access for 5 minutes and zero root of trust / sig checking on the BMC (which SM does not have). Just dump it to the non-volatile user config EMMC partition as well and magic, it now survives firmware updates as well. If Dell was not even checking these partitions for additions, you can bet your whole lab SM isn't either.

There's zero reason to risk detection and complicate the process with an "extra hidden chip" (notice how vague all these reports have been, including the picture of a totally unrelated RF part).

I'd put money on someone at Bloomberg being in a world of hurt soon.
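
A defender-side check for the gap described in the post above, added here as an example (it is not part of the thread, nor any vendor's tooling). It shows why hashing only the firmware regions of a BMC flash dump is not enough when a persistent user-config partition survives updates: the config store must be compared against a baseline too. The partition names, file paths and baseline format are hypothetical, and it assumes the dump has already been split into regions and the config files extracted.

```python
import hashlib

EXEC_MAGIC = (b"\x7fELF", b"#!")  # executable markers; a config store should hold data only

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit(partitions, config_files, baseline):
    """Compare a BMC flash dump against a known-good baseline.

    partitions:   {name: raw bytes} for the read-only firmware regions
    config_files: {path: bytes} extracted from the persistent user-config partition
    baseline:     {"hashes": {name: sha256}, "config_paths": set of expected paths}
    Returns a sorted list of (finding, subject) tuples.
    """
    findings = []
    for name, expected in baseline["hashes"].items():
        if name not in partitions:
            findings.append(("missing-partition", name))
        elif digest(partitions[name]) != expected:
            findings.append(("hash-mismatch", name))
    # A firmware update rewrites the regions above but leaves this store alone,
    # so additions here are invisible to a firmware-only hash check.
    for path, data in config_files.items():
        if path not in baseline["config_paths"]:
            findings.append(("unexpected-file", path))
        if data.startswith(EXEC_MAGIC):
            findings.append(("executable-content", path))
    return sorted(findings)

# Constructed sample data (hypothetical names, not a real vendor layout).
VENDOR_FW = {"kernel": b"kernel-image-v1", "rootfs": b"rootfs-image-v1"}
BASELINE = {
    "hashes": {n: digest(b) for n, b in VENDOR_FW.items()},
    "config_paths": {"network.conf", "users.db"},
}
CLEAN_CFG = {"network.conf": b"dhcp=1\n", "users.db": b"admin:hash\n"}
# Firmware regions match the vendor image, but the config store gained a file.
TAMPERED_CFG = dict(CLEAN_CFG, **{"unknown.bin": b"\x7fELF\x02\x01"})

if __name__ == "__main__":
    print(audit(VENDOR_FW, CLEAN_CFG, BASELINE))     # no findings
    print(audit(VENDOR_FW, TAMPERED_CFG, BASELINE))  # config findings despite clean hashes
```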
 

arglebargle

H̸̖̅ȩ̸̐l̷̦͋l̴̰̈ỏ̶̱ ̸̢͋W̵͖̌ò̴͚r̴͇̀l̵̼͗d̷͕̈
Jul 15, 2018
Man, if I had money to throw at stock you can bet I'd have been buying SuperMicro on the 4th as the stock cratered.
 
Reactions: fohdeesha