Bloomberg Reports China Infiltrated the Supermicro Supply Chain: We Investigate

  • Thread starter Patrick Kennedy

markpower28

Active Member
Looks like our "state media" is setting the stage for the fear of everything related to China. This is just a beginning...
 

epimetheus

New Member
"Once the implant was identified and the server removed, Sepio's team was not able to perform further analysis on the chip."

This is ludicrous! Did it self destruct? What kind of self-respecting security firm can't analyze a supposed hardware breach after it's been removed from service? Surely a picture of said ethernet connector compared with a normal one would not violate any NDAs. I hesitate to say it, but the comment above about "state media" may not be far from the truth. The question is who is behind this presumably false (until proof is provided) accusation(s). I didn't particularly like Bloomberg before, but I really question them now. How can you trumpet your journalistic integrity without a shred of proof? Are we supposed to just trust them? The media in general lost all trust long ago, except for STH of course...
 

BLinux

cat lover server enthusiast
"Once the implant was identified and the server removed, Sepio's team was not able to perform further analysis on the chip."

This is ludicrous! Did it self destruct? What kind of self-respecting security firm can't analyze a supposed hardware breach after it's been removed from service? Surely a picture of said ethernet connector compared with a normal one would not violate any NDAs. I hesitate to say it, but the comment above about "state media" may not be far from the truth. The question is who is behind this presumably false (until proof is provided) accusation(s). I didn't particularly like Bloomberg before, but I really question them now. How can you trumpet your journalistic integrity without a shred of proof? Are we supposed to just trust them? The media in general lost all trust long ago, except for STH of course...
I don't think it is about integrity and trust, I think it is about money. I suspect the 1st piece was targeting AMZN and AAPL, but then SMCI became an easy target and the focus shifted. Just look at the movement on SMCI with today's bloomberg...
 

WeatherDave

New Member
"Once the implant was identified and the server removed, Sepio's team was not able to perform further analysis on the chip."

This is ludicrous! Did it self destruct? What kind of self-respecting security firm can't analyze a supposed hardware breach after it's been removed from service?"
(from the Bloomberg article)
"... alerted the client's security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio's team was not able to perform further analysis on the chip."

The way I read it is that Sepio's client removed the server(s), thus severing Sepio's access to the chip. Furthermore, it makes sense in the way one company charges another... Sepio says "Hey, we found something and we feel your security concerns are valid. Do you want us to investigate further by performing chip-level analysis?" Company says "err... no. Give it back to us and we'll take care of it."

To me, that's the way I read it given the bare wording in the article. More knowledgeable types, not to mention the more suspicious types (especially those who've gone full paranoid) certainly can argue otherwise.
 

epimetheus

New Member
(from the Bloomberg article)
"... alerted the client's security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio's team was not able to perform further analysis on the chip."

The way I read it is that Sepio's client removed the server(s), thus severing Sepio's access to the chip. Furthermore, it makes sense in the way one company charges another... Sepio says "Hey, we found something and we feel your security concerns are valid. Do you want us to investigate further by performing chip-level analysis?" Company says "err... no. Give it back to us and we'll take care of it."

To me, that's the way I read it given the bare wording in the article. More knowledgeable types, not to mention the more suspicious types (especially those who've gone full paranoid) certainly can argue otherwise.
Good point about the lack of further analysis. If this truly is what they say it is, then hopefully someone is analyzing the chips.
 

Patrick

Administrator
Staff member

kapone

Well-Known Member
I spoke to Yossi today. He is trying to get the word out that his research showed this is a bigger issue, likely post manufacturing, and impacts other major server vendors as well as big networking vendors. Read our interview with him. https://www.servethehome.com/yossi-...-positioning-his-research-against-supermicro/
I did. And I'm not surprised in the least (other vendors as well...)

I have a sneaking suspicion that the majority of hardware out there is compromised, one way or another. Whether it's the US or China, once you build a backdoor in....

I think this is just the beginning of a lot "dirt" around this.

p.s. Where's my socket 604 servers with no BMC or management chips or the like???!!!??? :) Dust them off and put em back in production!
 

Patrick

Administrator
Staff member
I would say a majority could be compromised. There is a distinction in that.

The good side of this is that it is raising awareness.
 

ttabbal

Active Member
I just wish someone who has actually seen this sort of hardware attack would post pictures or supply some form of evidence. All we have right now boils down to "China Bad". Which, ok, I guess is a valid opinion, but it doesn't help anything. I don't doubt that many nations have the ability to pull something like this off, and China is certainly one of them. But do we have any physical evidence it's happening at scale? At the moment, no. If it's so common, why do we not have boards in the hands of research teams? There are people/groups that specialize in hardware level work like this. Decapping and photographing the silicon in various ICs is pretty common. Not that it would be easy, but I haven't seen anyone even mention that they have such a device and are working on it.

I absolutely agree that if it is happening at scale, it's certainly not only Supermicro affected. That's just ridiculous on the face of it.
 

Patriot

Moderator
There is a reason I like to have a separate isolated network for management ... there will always be cracks in the armor, and perhaps backdoors...designed maliciously or for maintenance or upgrades.
 

arglebargle

H̸̖̅ȩ̸̐l̷̦͋l̴̰̈ỏ̶̱ ̸̢͋W̵͖̌ò̴͚r̴͇̀l̵̼͗d̷͕̈
Looks like our "state media" is setting the stage for the fear of everything related to China. This is just a beginning...
My guess is that this story was planted by Moscow to drive a further wedge into US/China high tech manufacturing and stir up redneck xenophobia in the red states.

This story popped up, what, 3-4 weeks before the midterm elections?
 

Dawg10

Associate
My guess is that this story was planted by Moscow
Bloomberg News is 88% owned by former NYC mayor Michael Bloomberg, who succeeded Rudy Giuliani in that position. Mr Giuliani is presently employed as a personal representative of the real Mr. DT.

I'm thinking this is a homegrown boondoggle.

In other news:

Chinese spy charged with trying to steal U.S. aviation trade secrets | Reuters

“We cannot tolerate a nation stealing our firepower and the fruits of our brainpower.”

I find the timing suspicious; the Chinese operative was detained in Belgium in April on a federal complaint and extradited to the United States on Tuesday. It's almost as if the groundwork is being laid for an official tweet....
 

WANg

Well-Known Member
Bloomberg News is 88% owned by former NYC mayor Michael Bloomberg, who succeeded Rudy Giuliani in that position. Mr Giuliani is presently employed as a personal representative of the real Mr. DT.

I'm thinking this is a homegrown boondoggle.

In other news:

Chinese spy charged with trying to steal U.S. aviation trade secrets | Reuters

“We cannot tolerate a nation stealing our firepower and the fruits of our brainpower.”

I find the timing suspicious; the Chinese operative was detained in Belgium in April on a federal complaint and extradited to the United States on Tuesday. It's almost as if the groundwork is being laid for an official tweet....
Mike Bloomberg ran (and won) as a Republican after Rudy in 2002 because of his snowflake's chance in hell of getting the nomination in New York as a Democrat, so I really doubt Bloomberg ran the story as a plant. Keep in mind that there is supposedly a "trade war" (whatever the hell that means) between US and China at the moment. Who knows, maybe it's the scheisskopffuhrer's way of setting up an executive order demanding major tech firms to open up silicon factories in Alabama and stop trading in Shenzhen to keep all the precious silicons pure.
 

WANg

Well-Known Member
I spoke to Yossi today. He is trying to get the word out that his research showed this is a bigger issue, likely post manufacturing, and impacts other major server vendors as well as big networking vendors. Read our interview with him. https://www.servethehome.com/yossi-...-positioning-his-research-against-supermicro/
Yeah well, considering just how much manufacturing is farmed out overseas, you probably should assume that some shenanigans are going on. It's certainly not just SuperMicro - they are just a relatively small player that was hit with allegations at the wrong place at the wrong time. Either you can scream / demand proof and assume that the story has no merit, or you can just assume that the hardware is sketchy already (I certainly don't trust mine entirely) and work around it.

It's kinda funny that we entrust so much of our infrastructure to software shims talking to encrypted binary blobs that were "claimed" to be secure, running on hardware that was put together overseas by the cheapest vendors (who just so happen to be located in an authoritarian nation-state with heavy socio-economic imbalances and a less-than-stellar history of respect for IP rights), on designs that we assumed to be secure, and those trusts were found repeatedly to be misplaced.

Between Spectre/L1TF, iDRACula and the supply chain tampering allegations (I don't think SuperMicro was the first - Dell had malware pre-installed on replacement R410 server motherboards back in 2010), I would take any assurances issued by major firms with a large grain of salt (remember Yahoo's assurance that it was only a small subset of their userbase were compromised?).
 

amalurk

Active Member

Jeremy Lea

New Member
I'm beginning to think this is a fantastic fake story. It works beautifully for everyone involved (directly or indirectly) except SuperMicro (the victim), who just happen to be the ideal fall guy. SMCI clearly has some issues - they've been delisted from the NASDAQ, for accounting problems, and they've had some security issues in the past (like all vendors). There are not many billion dollar companies that get delisted, and that probably made some investors very mad. Next we have general paranoia about security, stoked by the press, and a public unable to determine fantasy from reality. And we have a very specific desire from the current US administration to heighten tensions with China. What I can't tell is if Bloomberg are complicit in the scheme or not, although I think yes is more likely (but more on that in a moment).

Let's start with SuperMicro stock: The stock peaked around mid-2015, and has been in a slow, bumpy decline since then, ostensibly because of accounting issues. But in 2016 there was this incident with Apple and the bad firmware. That probably means that some big contracts got cancelled and machines returned. As the stock has declined there has been some significant short interest in the stock, but because the issues appeared minor there are also people going long, feeling it would bounce back. As things have been getting progressively worse, up to the delisting, there are going to be some big winners and losers. But more importantly, this fall in the stock over time can be dressed up as a company failing for unexplained reasons and cooking the books to prop the company up.

Next we have actual security issues: Like all BMC/IPMI implementations, they have had holes, and then there is this bad firmware update for Apple, which looks like it was a compromised SuperMicro FTP site that handed Apple a hacked network card firmware. That seems to have been enough for Apple to dump them, and likely other companies followed suit. Others might also have received the hacked firmware, and just not gone public. Large scale cancellations/returns would also complicate the accounting audits, especially if revenue has been taken with the hardware still sitting in the loading dock, and then the client "returns" it. And, not being Dell/HP/IBM is always going to bring some level of FUD.

Then we have the general security climate: People have been talking about the dangers of BMC, IPMI, Intel ME, etc from when they were first announced. While they are clearly big security risks, there have not been major attacks against them. However, people love to believe in sci-fi, and right now there is huge paranoia about TLAs and foreign governments. There is just enough truth here for anonymous commentators from across the internet to announce that this is just more evidence that they are being spied on by anyone and everyone. People really also want to believe that hardware is much more advanced than it is, and that software and "AI" are much smarter. In the US in particular there is a complex love/hate relationship with TLAs, where Americans really don't want the government tracking them, but want to believe the James Bond/Superhero image of the NSA/CIA/FBI - they believe them to be capable of any and all feats, but hate that they are probably more likely to use this against them. IT security also loves to play up these threats, along with the press.

This is not to say that IT security is not an issue, only that the cleverness of attacks in the popular imagination tends to border on the fantastic. For example, when the Meltdown issues were disclosed, many commentators took the stance that the NSA had probably been exploiting this for years, if they didn't actually design it into the chips. You also see this at work in the Bloomberg story (tiny chips, etc.) and in the commentary here and across the intrawebs - the CIA/NSA have probably been doing this for years; this or that TLA can of course make whole computers smaller than a grain of rice (obviously, how else do they get them into the tiny robots that are spying on me ;-).

Then we have the current US administration that is trying to start a Cold War with China, and part of that is hyping the value of "Made in America". Even if this story is not a plant, the administration has every reason to play the story up. SuperMicro is a "Chinese" firm, the Chinese are always stealing technology and trade secrets. And as a bonus, the current administration would like to paint Silicon Valley as liberal and in bed with foreign powers, and clueless about security/privacy. And overrun with Chinese spies (funny how the Indians don't spy on people - they're just "too dumb to be a real CS" H1Bs stealing American jobs). But at the same time they would like to insert their own back doors into any and all hardware.

So then we get to the first Bloomberg story. Combine a few rumors from the Apple incident, "embedded chips that control the computer" (i.e. the BMC), some people who want SuperMicro to fail (and probably have a financial interest in that), a black-hat talking about hardware hacks, government agents that want to badmouth China and presto you have a story. It really helps that the stock has been falling, and they've been delisted, because that signals that the story is true! Even better, after the story someone else comes forward and says they've seen this sort of thing in an RJ45 port - on a SuperMicro server! Maybe that's what Apple found! And even better SuperMicro is a "Chinese" firm that makes their stuff in China! What more proof do you need!

Except, the story has no proof, all of the sources listed either deny the story, claim they are being quoted out of context or that they specifically warned the reporters that what they were claiming was not possible. Some other things are fishy:
  • the story opens with a security firm finding an extra chip, even though they wouldn't have gone looking for one, and wouldn't have known it was extra anyway;
  • the chip is magically disguised as a signal conditioner, which pushes the bounds of what is possible with a few pins, but also requires a chip that can "do" things (tamper with memory, make connections) despite being a tiny fraction of the size of the BMC controller next to it. Now, something like an ATtiny85 might work between the flash and the BMC, but it would still be quite a hack... You're down below the Arduino in terms of processing power, so you could hack the flash, but you're not going to be sniffing packets;
  • people monitor machines for all types of outgoing traffic all of the time, but only one guy found it? Many BMCs are on unrouted networks with packet sniffers looking for this stuff. If I had a fancier setup I would sniff all of the traffic on the management LAN and log it (and as you can tell from this rant, I don't really care for IT security). People sniff outgoing traffic from server farms all of the time, especially big homogeneous clusters. If your database servers do anything other than talking to the web servers, you want to know right away. This is even more true when the "real" LAN is virtualized, and so the only non-customer traffic on the LAN is between the hosts. With VLANs, VXLANs, proxies, etc, there is little chance that only one machine tripped over something - unless there was only one machine out there... No doubt this is how Apple found the problem in 2016 almost immediately.
  • Why do this in hardware when you could do it in software? If you know enough about the BMC to hardware attack it, you know that it has little or no security and that you could just flash your fake firmware directly, or just have the BMC do the hacking work for you.
  • In the new Yossi story: Metal RJ45 ports are very common and are mostly for shielding...
So, here is a story that might or might not involve actual US officials, companies and TLAs that deny all of the allegations, the named sources say they are being misunderstood. Sadly no-one has a picture of the actual hardware, a working attack vector, packet traces, etc. But now senators are asking questions, and pointing a finger at China... And it is very likely that at least some people made some money off the shares plummeting, even if revenge itself was not sweet enough. If you shorted SMCI just before delisting, that obligation would not have gone away, and others might have long positions and be forced to buy your now junk shares. It is also not clear from the SEC web site that they will investigate insider trading of OTC shares...
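Two posts in this thread make the same defensive point: keep the BMCs on an isolated management network (Patriot), and watch egress from that network and from homogeneous server tiers so that a host talking to anything outside its expected peers stands out (Jeremy Lea). The following is an added example, not code from the thread or from any vendor, showing what that role-based egress check looks like over flow records; the addresses, roles and flow lines are all constructed, and the policy table is an assumption about what "expected" traffic is.

```python
from collections import namedtuple

# Constructed host inventory (not from the thread): a management VLAN holding BMCs,
# one admin jump host and a syslog/SNMP collector, plus a production db and web tier.
HOST_ROLES = {
    "10.99.0.10": "bmc", "10.99.0.11": "bmc", "10.99.0.12": "bmc",
    "10.99.0.2": "jump",        # the one admin host expected to talk IPMI to BMCs
    "10.99.0.3": "collector",   # syslog / SNMP / NTP sink on the management VLAN
    "10.10.1.20": "db", "10.10.1.21": "db",
    "10.10.2.30": "web", "10.10.2.31": "web",
}

# Assumed policy: destination roles each source role may initiate flows to.
# A BMC should only ever originate traffic to the collector or the jump host;
# database hosts should only talk to the web tier; nothing goes off-net.
POLICY = {
    "bmc": {"collector", "jump"},
    "jump": {"bmc", "collector"},
    "db": {"web"},
    "web": {"db"},
    "collector": set(),
}

Flow = namedtuple("Flow", "src dst dport proto")

def parse_flow(line):
    """Parse one constructed flow-log line of the form '<src> <dst> <dport> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)

def role_of(addr):
    """Any address not in the inventory is 'external', i.e. outside both networks."""
    return HOST_ROLES.get(addr, "external")

def check_flow(flow):
    """Return an alert string if the flow violates POLICY, otherwise None."""
    s, d = role_of(flow.src), role_of(flow.dst)
    if s == "external":
        return None  # inbound from outside is a perimeter-firewall question, not egress
    if d in POLICY.get(s, set()):
        return None
    return f"{s} {flow.src} -> {d} {flow.dst}:{flow.dport}/{flow.proto} not permitted"

def audit(lines):
    """Apply the policy to a batch of flow lines and return the alerts raised."""
    return [a for a in (check_flow(parse_flow(l)) for l in lines) if a]

# Constructed sample flows as a span-port / NetFlow exporter might record them.
SAMPLE_FLOWS = [
    "10.99.0.2 10.99.0.10 623 udp",     # jump host doing IPMI to a BMC: expected
    "10.99.0.10 10.99.0.3 514 udp",     # BMC shipping syslog to the collector: expected
    "10.10.2.30 10.10.1.20 5432 tcp",   # web tier querying the database: expected
    "10.99.0.11 203.0.113.7 443 tcp",   # BMC opening HTTPS to the internet: alert
    "10.10.1.21 198.51.100.9 53 udp",   # db host using an outside DNS resolver: alert
    "10.99.0.12 10.10.2.31 22 tcp",     # BMC connecting to a web server: alert
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

On real exporters the parse step is the only part that changes; the point is that with an isolated management VLAN the allowed peer set for a BMC is tiny, so any other egress is a signal worth paging on.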