As others have pointed out, the Bloomberg article has a number of suspect and vague elements, both technical and non-technical, and the possibility of market manipulation for any of a number of reasons is strong. That said, if the malicious chips exist and were deployed as described, it would be interesting to know more about what they are actually doing, and it would be nice to know how to determine whether your motherboard is compromised or not.
So let's assume for a moment that it is all true; even then, we can rule out a lot if the article is accurate:
- Servers manufactured in or certainly before 2013 seem to be exempt from this program, so we are talking mostly about X10 generation and possibly some late X9 generation boards as well, but X8 and earlier generations would definitely be exempt.
- The attack vector is loosely implied to be I2C bus interception of the BMC's serial memory. Boards without a BMC would be exempt: X7 and earlier all have removable BMCs, and X8 and X9 were made in BMC and non-BMC variants. X10 and X11 mostly seem to come with a BMC as standard.
- The implication is that only certain customers' orders were targeted when they ordered so much that overflow production was required from China, and happened to fall into the hands of one or more of the allegedly compromised subcontractors. This implies that any boards made in Taiwan were not compromised, and that any boards made in China were only compromised if they were handled by certain factories.
- The article also implies both that blades were the type of motherboard compromised, and that intelligence data is the target, not user data. It does seem slightly odd that blades are the main type of board allegedly compromised: production systems with user data are highly likely to be large installations of high-density blades, whereas one-off single-function IT systems are more likely to be lower-spec pizza boxes. There are other patterns people follow, though, so that is hardly conclusive. Let's just say that blades are likely, and larger boards might be less so.
So, if the supply of compromised boards was limited to 30 targeted companies, were any of them liquidated on eBay or elsewhere?
It seems that the most likely boards we should look at to find malicious chips are X10 blades made in China and previously owned by a high profile company.
If anyone has a system which could meet the above criteria, please test it:
- Dump the BMC firmware - if it is actively being modified, there may be signs of the modifications.
- Do packet captures during cold boot and operation:
  - in isolation
  - with the BMC and regular network ports connected to a DHCP server
  - with a static IP defined for the BMC
  - during and after installing a 2014-era Linux - CentOS 6 or Ubuntu 12.04 or 14.04 would be good candidates.
We should be able to detect unusual network activity.
If they exist and we can find one, I'd love to know what IPs they are pinging at what intervals, so we can devise an easy test for compromised boards.
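One way to go looking for the periodic traffic described above, as an added example that is not from the original post: read a flow summary of a capture taken on the BMC port and flag external destinations that the BMC address contacts at regular intervals. The BMC address 192.168.1.20, the 203.0.113.7 placeholder destination and the flow line format are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample: "epoch_seconds src_ip dst_ip dst_port" lines, as a tshark or
# Zeek conn.log summary of a capture on the BMC port would give. 192.168.1.20 is
# the assumed BMC; 203.0.113.7 is a documentation-range placeholder destination.
SAMPLE_FLOWS = """\
0 192.168.1.20 192.168.1.1 67
3 192.168.1.20 192.168.1.1 67
100 192.168.1.20 192.168.1.50 623
600 192.168.1.20 203.0.113.7 443
1200 192.168.1.20 203.0.113.7 443
1800 192.168.1.20 203.0.113.7 443
2400 192.168.1.20 203.0.113.7 443
"""

# Expected lab destinations: RFC1918, 0/8, link-local, multicast, limited broadcast.
UNINTERESTING = [ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

def parse_flows(text):
    # Parse the summary into (timestamp, src, dst, port) tuples.
    flows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ts, src, dst, port = line.split()
            flows.append((float(ts), src, dst, int(port)))
    return flows

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in UNINTERESTING)

def find_beacons(flows, bmc_ip, min_hits=4, max_jitter=0.1):
    """Return [(dst, port, mean_gap_s)] for external destinations the BMC contacts
    at regular intervals; max_jitter bounds stdev/mean of the inter-arrival gaps."""
    by_dst = defaultdict(list)
    for ts, src, dst, port in flows:
        if src == bmc_ip and is_external(dst):
            by_dst[(dst, port)].append(ts)
    hits = []
    for (dst, port), times in sorted(by_dst.items()):
        times.sort()
        if len(times) < min_hits:
            continue  # too few contacts to call it periodic
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append((dst, port, mean(gaps)))
    return hits
```

Run it against a longer capture by replacing SAMPLE_FLOWS with the real summary; DHCP and local IPMI traffic are filtered out, so only regularly spaced external contacts are reported.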
Overall though, it sounds like the earlier NSA compromise of encryption algorithms used in Juniper VPN appliances, which was later exploited, is a much easier and more likely way to try to get the type of data the alleged infiltrators are allegedly after.