Chinese backdoors on Supermicro

nva

New Member
Aug 19, 2018
Is there any mitigation given that the BMC is compromised? If I put it in an isolated VLAN it can theoretically try to share the same NIC with the CPU.
 

Samir

Well-Known Member
Jul 21, 2017
Of course! If your company is hanging by a thread because of the news, admitting that it happened will only kill them off completely.

If the public accepts the findings as true, it will rob the stakeholders (whoever they are) of their ultimate goal (whatever it is). And whoever they are, they don't want that, so the middlemen are on the firing line--Amazon, Apple, SM. And even if the middlemen care less about the 'ultimate goal', to save their companies, they will also help the 'ultimate goal' (whatever that may be) because otherwise if they accept the findings, they too will suffer terrible losses.

Obviously this is just the deployment stage for something really large as only bits and pieces of all the spyware, hacks, exploits are revealed as people stumble upon them. I believe that a nation-state as large and as powerful as China has something in mind not only for the US, but the whole world in terms of these exploits. Or maybe they're even just a grunt? Who knows--I will never pretend to understand the complexities of world politics and how it affects the behavior of people. But this is obviously being done for a purpose by someone on purpose.

I believe this pattern of espionage is probably also copied by other nation-states in the world as global warfare becomes global cyberwarfare.

I believe Patrick more than SM.
So #1 - chips fabbed at big fabs have had extra logic added. I have had enough people tell me this that I believe it.
The ultimate results of this issue will have lasting effects--especially for IT--which has already been dragged to the front lines in this war.

It's personally really sad for me to see this state of affairs. I still have a Supermicro board from 1995 with a Cyrix P166+, and was really happy to see that at least one manufacturer from the computing days I knew was still around making good products--until this news.
 

Dawg10

Associate
Dec 24, 2016
The Bloomberg 'expose' reads like a supermarket tabloid: it contains only the slightest hint of anything factual. This reeks of market manipulation; the SM share price closed yesterday at $21 and opened today at $15... A lot of shares got dumped before this was released.

Bloomberg offers zero facts other than to say they "stand by their sources" who apparently were privy to classified information in 2015 that someone tried to backdoor someone's BMC by exploiting compromised hardware. You can imagine the water-cooler talk of the time, and how the story has grown over the years.

It's all bullshit. Someone 3 years ago intercepted a foreign entity attempting to backdoor Lockheed or their kin, got caught, and the ensuing fallout surrounding BMC exploits was initiated. About this time I started noticing delays in F-35 deliveries due to the government's insistence that not one chip could come from China. It doesn't take a rocket scientist to figure out the PRC had compromised the hardware.

But to make a big deal of it now, after we know the CIA was doing the same thing, is not only hypocritical, it's entirely self-serving.

A couple dozen people just helped themselves to a billion dollars of market cap.
 

Samir

Well-Known Member
Jul 21, 2017
The Bloomberg 'expose' reads like a supermarket tabloid: it contains only the slightest hint of anything factual. This reeks of market manipulation; the SM share price closed yesterday at $21 and opened today at $15... A lot of shares got dumped before this was released.

Bloomberg offers zero facts other than to say they "stand by their sources" who apparently were privy to classified information in 2015 that someone tried to backdoor someone's BMC by exploiting compromised hardware. You can imagine the water-cooler talk of the time, and how the story has grown over the years.

It's all bullshit. Someone 3 years ago intercepted a foreign entity attempting to backdoor Lockheed or their kin, got caught, and the ensuing fallout surrounding BMC exploits was initiated. About this time I started noticing delays in F-35 deliveries due to the government's insistence that not one chip could come from China. It doesn't take a rocket scientist to figure out the PRC had compromised the hardware.

But to make a big deal of it now, after we know the CIA was doing the same thing, is not only hypocritical, it's entirely self-serving.

A couple dozen people just helped themselves to a billion dollars of market cap.
This makes a lot of sense too as why would a story from a few years ago matter today unless someone was going to profit from it. Short-selling has become 'a thing' in the last few years, so this could make sense as well.

Who knows? Maybe because of this attack vector being busted it was time to make some money by putting the story out there and shorting some stocks. It would be interesting to see how many overall short options for the public companies mentioned there were between yesterday and today, and maybe this whole week versus the normal volume.
 

kapone

Well-Known Member
May 23, 2015
This is a prelude to the kinds of things that'll pop up in the future, due to the "trade war with China". Trump's got his pea shooters out and Xi is...considering his options. From a brutally honest perspective, China cannot survive a prolonged trade war with the US. Their indigenous economy cannot support even a 10th of their GDP.

We're gonna see more "exposes".
 

Samir

Well-Known Member
Jul 21, 2017
This is a prelude to the kinds of things that'll pop up in the future, due to the "trade war with China". Trump's got his pea shooters out and Xi is...considering his options. From a brutally honest perspective, China cannot survive a prolonged trade war with the US. Their indigenous economy cannot support even a 10th of their GDP.

We're gonna see more "exposes".
I hope we don't play the 'chicken' game because I don't know how well the US would do without all the things manufactured there. We can always recover, and maybe that's the reason we could win a 'game' like this. But instead of playing games maybe we should just be a bit smarter about things like farming out manufacturing to people who aren't exactly your buddy.
 

PigLover

Moderator
Jan 26, 2011
Back in my youth one of my favorite authors was Asimov and his best work was the Foundation trilogy. One theme: build great tech, get your enemies hooked on it and when they try to revolt to just disable it all with the Trojans you built in. Not a bad prediction for 1942, eh?
 

kapone

Well-Known Member
May 23, 2015
I hope we don't play the 'chicken' game because I don't know how well the US would do without all the things manufactured there. We can always recover, and maybe that's the reason we could win a 'game' like this. But instead of playing games maybe we should just be a bit smarter about things like farming out manufacturing to people who aren't exactly your buddy.
Lord Acton once said... "Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men."

Keyword - The highlighted part. It doesn't matter who you farm out stuff to. Once they control enough of it, they tend to...not be your buddies.
 

lunadesign

Member
Aug 7, 2013
Possibly silly question here. If the BMC were compromised by this extra chip, wouldn't any "phone home" or other nefarious network activity be initiated by the BMC's IP? (I'm assuming the BMC has its own IP like mine do.) If so, it seems like it would be really easy to detect any unexpected network traffic to/from that BMC IP.
 

Samir

Well-Known Member
Jul 21, 2017
Possibly silly question here. If the BMC were compromised by this extra chip, wouldn't any "phone home" or other nefarious network activity be initiated by the BMC's IP? (I'm assuming the BMC has its own IP like mine do.) If so, it seems like it would be really easy to detect any unexpected network traffic to/from that BMC IP.
Yep, and for shops that have management interfaces segregated and locked down hard, this really shouldn't be too much of an issue.
 
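Taking the two posts above literally, here is an added example (not code from the thread, and not any vendor's tool) of the check a shop with a segregated management VLAN could run over its flow logs: flag any flow whose source is a BMC address and whose destination is not the designated jump host on an expected management service. The flow records, the 10.99.0.0/24 management VLAN, the 10.99.0.5 jump host and the allowed ports are all constructed for the example. One caveat relevant to the shared-NIC question raised earlier in the thread: on boards where the BMC shares a LAN port with the host, the BMC's frames leave on the same physical NIC but in the normal configuration still carry the BMC's own MAC and IP, so a source-address check like this still sees them; a compromised BMC is of course not bound to that configuration, and firmware that stays silent until triggered produces no flow at all.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport nbytes")

# Assumed management-network layout for the example
BMC_NET = ipaddress.ip_network("10.99.0.0/24")      # dedicated BMC VLAN
MGMT_HOSTS = {ipaddress.ip_address("10.99.0.5")}    # the only host allowed to talk to BMCs
ALLOWED_SERVICES = {("udp", 623), ("tcp", 443), ("tcp", 22)}  # IPMI/RMCP+, HTTPS, SSH
# RFC 1918 space spelled out explicitly: ipaddress's is_private also treats the
# TEST-NET documentation ranges used in the sample as private, which would hide them.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (ts,src,dst,proto,dport,bytes); not real telemetry.
SAMPLE_FLOWS = """\
1538700000,10.99.0.21,10.99.0.5,udp,623,412
1538700005,10.99.0.21,10.99.0.5,tcp,443,18211
1538700060,10.99.0.22,203.0.113.77,tcp,443,1460
1538700061,10.99.0.22,198.51.100.9,udp,53,87
1538700300,10.99.0.21,10.99.0.5,tcp,80,3120
1538700900,10.99.0.23,10.20.0.40,tcp,445,77012
1538701200,10.99.0.5,10.99.0.21,udp,623,400
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split(",")
        flows.append(Flow(int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto, int(dport), int(nbytes)))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def classify(flow):
    """Reason string for a suspicious BMC-originated flow, or None for normal management traffic."""
    if flow.src not in BMC_NET or flow.src in MGMT_HOSTS:
        return None                       # not a BMC, or the jump host itself
    if not is_internal(flow.dst):
        return "bmc-to-internet"          # a BMC has no business reaching outside
    if flow.dst not in MGMT_HOSTS:
        return "bmc-to-unexpected-host"   # lateral movement out of the management VLAN
    if (flow.proto, flow.dport) not in ALLOWED_SERVICES:
        return "bmc-unexpected-service"   # right host, wrong port
    return None


def find_alerts(flows):
    alerts = []
    for f in flows:
        reason = classify(f)
        if reason:
            alerts.append((str(f.src), str(f.dst), f.proto, f.dport, reason))
    return alerts


def alerts_by_bmc(flows):
    """Group alert reasons per BMC address so one noisy board stands out."""
    summary = {}
    for src, _dst, _proto, _dport, reason in find_alerts(flows):
        summary.setdefault(src, []).append(reason)
    return summary


if __name__ == "__main__":
    for alert in find_alerts(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Run against the constructed records it reports two BMCs reaching outside the management VLAN (one of them to the Internet) and one BMC talking to the jump host on an unexpected port; the reverse flow from the jump host to a BMC is left alone. In practice the allow-list comes from the firewall policy already protecting the VLAN, and the records come from NetFlow/sFlow or conntrack exports for that VLAN.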

lstink

New Member
Aug 28, 2018
What I am trying to understand is:

1. In the Bloomberg article they claim that four subcontractors were the source of the infestation. So how did the hacking party make sure that the boards manufactured in these factories reached their destination (their targets)? In the article they themselves say it is, and I quote, like "throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle".

2. If we are to accept that somehow this is happening and all is true, wouldn't the sheer number of Supermicro boards make one of them end up at a security firm or with an individual pen tester, who runs them in an isolated network just to check what happens? The article says the first instance of such an intrusion was detected in 2015, and that only as a secondary effect, so the infestation should have been happening for a long, long time. So for more than 3 years no one found any suspicious network traffic? That's really strange.

3. The article claims that the factory managers were threatened and the chips were included, but the probe started only after the chips got included and reached the customer, so how does the "source" know what happened before? Claiming the intercepted call records and all are fine, but only if they knew well in advance that something was happening and started monitoring the calls; otherwise, did the "source" just monitor all the communication happening in China? I can't seem to understand how that might work.

4. The article says the subcontractors were manufacturing the chips for the past two years. What do these two years refer to? Two years from 2015? 2016? 2018? If it is 2018, wouldn't that make this entire thing impossible? If we are to assume it is 2015, then this has been happening since when, 2013? Really?

The more I study, the more I get confused.
 

AlphaG

Member
Jun 8, 2017
Let’s start with proof, not conjecture.

Someone will find these chips. Or they won’t. We go from there...
 

sfbayzfs

Active Member
May 6, 2015
SF Bay area
If the malicious chips exist and were deployed as described in the Bloomberg article, as others have pointed out, it has a number of suspect and vague elements both technical and non-technical, plus the possibility of market manipulation for any of a number of reasons is strong. That said, if the chips exist, it would be interesting to know more about what they are actually doing, and it would be nice to know how to determine if your motherboard is compromised or not.

Therefore, let's assume for a moment that it is all true, we can still rule out a lot if the article is correct:
  1. Servers manufactured in or certainly before 2013 seem to be exempt from this program, so we are talking mostly about X10 generation and possibly some late X9 generation boards as well, but X8 and earlier generations would definitely be exempt.
  2. The attack vector is loosely implied to be I2C bus interception of the BMC serial memory. Boards without a BMC would be exempt - X7 and earlier all have removable BMCs, X8 and X9 were made in BMC and non-BMC variants. X10 and X11 mostly seem to just come with a BMC standard.
  3. The implication is that only certain customers' orders were targeted when they ordered so much that overflow production was required from China, and happened to fall into the hands of one or more of the allegedly compromised subcontractors. This implies that any boards made in Taiwan were not compromised, and that any boards made in China were only compromised if they were handled by certain factories.
  4. The article also implies both that blades were the type of motherboard compromised, and that intelligence data is the target, not user data. It does seem slightly odd that blades are also the main type of board allegedly compromised, since production systems with user data are highly likely to be large installations of high density blades, whereas one-off single function IT systems are more likely to be lower spec pizza boxes, but there are other patterns people follow, so that is hardly conclusive. Let's just say that blades are likely, larger boards might be less so.
So, if the supply of compromised boards was limited to 30 targeted companies, were any of them liquidated on ebay or elsewhere?

It seems that the most likely boards we should look at to find malicious chips are X10 blades made in China and previously owned by a high profile company.

If anyone has a system which could meet the above criteria, please test it:
  1. Dump the BMC firmware - if it is actively being modified, there may be signs of the modifications
  2. Do packet captures during cold boot and operation:
    1. in isolation
    2. with the BMC and regular network ports connected to a DHCP server
    3. with a static IP defined for the BMC
    4. during and after installing 2014-era Linux - probably CentOS 6 or Ubuntu 12.04 or 14.04 would be good candidates.
We should be able to detect unusual network activity.

If they exist and we can find one, I'd love to know what IPs they are pinging at what intervals, so we can devise an easy test for compromised boards.

Overall though, it sounds like the earlier NSA compromise of encryption algorithms used in Juniper VPN appliances which was later exploited is a much easier and likely way to try to get the type of data the alleged infiltrators are allegedly after.
 
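As an added example for step 1 of the test plan above (not code from the thread or from any vendor), a small Python script that compares two dumps of the BMC flash block by block, merges the differing blocks into byte ranges and reports the Shannon entropy of each changed range, which separates an erased sector (all 0xFF), ordinary code or config, and a packed or encrypted payload. The two 64 KiB images are constructed inside the script, and the 4 KiB block size is an assumption about the flash sector size. Two caveats a practitioner would add: take the dumps with an external SPI programmer rather than through the BMC itself, since a compromised BMC can return whatever it likes when asked to read its own flash; and expect legitimate differences in the NVRAM/config and event-log regions between dumps, so the interesting findings are changes inside the code partitions.

```python
import hashlib
import math

BLOCK = 4096  # assumed flash sector size; dumps are compared at this granularity


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for an erased or zeroed sector, near 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def image_digest(image):
    """Whole-image SHA-256, for comparison against a vendor-published image hash."""
    return hashlib.sha256(image).hexdigest()


def block_hashes(image, block=BLOCK):
    return [hashlib.sha256(image[i:i + block]).hexdigest() for i in range(0, len(image), block)]


def diff_regions(baseline, sample, block=BLOCK):
    """Byte ranges [(start, end), ...] whose blocks differ between the two dumps, adjacent blocks merged."""
    if len(baseline) != len(sample):
        raise ValueError("dumps differ in size: %d vs %d bytes" % (len(baseline), len(sample)))
    regions = []
    for i, (h1, h2) in enumerate(zip(block_hashes(baseline, block), block_hashes(sample, block))):
        if h1 == h2:
            continue
        start, end = i * block, min((i + 1) * block, len(sample))
        if regions and regions[-1][1] == start:
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((start, end))
    return regions


def describe_changes(baseline, sample, block=BLOCK):
    """Annotate each changed range with its entropy and a rough classification."""
    findings = []
    for start, end in diff_regions(baseline, sample, block):
        e = entropy(sample[start:end])
        if e < 0.5:
            kind = "erased or zero-filled"
        elif e > 7.0:
            kind = "high entropy (packed or encrypted payload?)"
        else:
            kind = "code or data"
        findings.append({"start": start, "end": end, "entropy": round(e, 2), "kind": kind})
    return findings


def build_sample_dumps():
    """Constructed 64 KiB images: a text-like baseline, then the same image with two regions altered."""
    pattern = b"BMC firmware text segment "
    baseline = (pattern * (65536 // len(pattern) + 1))[:65536]
    sample = bytearray(baseline)
    # 8 KiB of deterministic pseudo-random bytes standing in for an injected packed payload
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    sample[0x3000:0x5000] = payload
    # one sector erased back to 0xFF, which is what NOR flash reads after an erase
    sample[0xC000:0xD000] = b"\xff" * 0x1000
    return bytes(baseline), bytes(sample)


BASELINE, SAMPLE = build_sample_dumps()

if __name__ == "__main__":
    print("baseline sha256:", image_digest(BASELINE))
    print("sample   sha256:", image_digest(SAMPLE))
    for f in describe_changes(BASELINE, SAMPLE):
        print("0x%05x-0x%05x entropy=%.2f %s" % (f["start"], f["end"], f["entropy"], f["kind"]))
```

On real dumps, replace `build_sample_dumps()` with two `open(path, "rb").read()` calls, take the baseline from a vendor image or from a known-clean board of the same revision, and keep a partition map (boot loader, kernel, root filesystem, NVRAM) beside the output so that each reported range can be attributed to a partition.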

BlackHole

New Member
Jul 21, 2018
Just a quick thought:
While everyone focuses on the BMC, there is another management facility: Intel ME.
  • Intel ME has more access to the host than the BMC.
  • The ME is known to have (had) 'quality issues'.
  • The ME has networking capabilities.
An attack could work similarly to the BMC case, with the chip attached to any of the 'management' IOs - network, SMBus, TPM access, maybe USB - and inject malicious code once the ME is up and running. Manipulating the ME FW during boot would seem unlikely to me.
Can we completely discount this as an attack vector?
 

chune

Member
Oct 28, 2013
Just a quick thought:
While everyone focuses on the BMC, there is another management facility: Intel ME.
  • Intel ME has more access to the host than the BMC.
  • The ME is known to have (had) 'quality issues'.
  • The ME has networking capabilities.
An attack could work similarly to the BMC case, with the chip attached to any of the 'management' IOs - network, SMBus, TPM access, maybe USB - and inject malicious code once the ME is up and running. Manipulating the ME FW during boot would seem unlikely to me.
Can we completely discount this as an attack vector?
I have an X9 board I got off eBay that has corrupt ME firmware that I could not get to flash for the life of me. Can yafukcs dump ME firmware?
 

Robert Fontaine

Active Member
Jan 9, 2018
If boards had been bugged and a specific chip at a specific location had been identified on a specific motherboard, it would be easy, and filled with brownie points, to include this information in your articles. The lack of anything like this suggests that the authors don't have this little thing that we like to call proof. So they appear to have a preponderance of anonymous and semi-anonymous hearsay. It could all be true, and it is likely at least sort of true-ish, maybe, but facts and proof are generally requisite to say that something actually happened, unless it is found in the editorial section, marked as a paid advertisement, or written by an agency of the U.S. Federal government since they repealed the law to propagandize their own citizens in 2013... (lmfao U.S. Repeals Propaganda Ban, Spreads Government-Made News to Americans).

I am double wrapping my tinfoil hat for this occasion. Love a good conspiracy theory.
 