China Caught Red-Handed Inserting Backdoors Into Hardware
Quote:For years, security researchers have warned that unscrupulous hardware manufacturers or foreign governments could hijack the manufacturing process, installing backdoors into equipment that would be difficult to detect or stop. Now, we’ve caught the Chinese red-handed, and the fallout could be ugly.
It should be noted that Apple, Amazon, Supermicro, and the Chinese government all contest this story with various arguments about how it’s wrong. Bloomberg notes that their denials are countered by:
Quote:[Six] current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks.
Under the circumstances, we’ll be taking the word of Bloomberg over the word of some corporate flunkies trying to protect their own stock prices. Apple and Amazon have strongly denied the claims, and Bloomberg has strongly defended them. Given the potential implications of acknowledging you’ve deployed backdoored hardware, the companies in question have every reason to lie. For that matter, it’s possible that the companies are under a national security agreement not to acknowledge these attacks to avoid tipping the perpetrators off that the US was aware of them at all. If such an agreement was made back in 2015 – 2016, it wouldn’t have been suspended today just because Bloomberg went public (in fact, if you recall from the Snowden controversy, there were discussions about what program details could be discussed publicly even after news of their existence had formally leaked). Apple has gone so far as to disclaim this as well, but Bloomberg isn’t backing down either.

We have to give you one additional quote from the Bloomberg piece, which goes into extensive detail in how the hack was carried out and why we’re certain it’s connected to the Chinese government. It deals with why companies were interested in Elemental Technologies servers in the first place:
These attacks are part of why the Trump Administration’s embargo against China has targeted computer components. And it may help explain why most computer manufacturers had no luck getting themselves exempted from tariff considerations.
Quote:Yet here we are, five days later, and the findings Bloomberg alleged have not yet been confirmed by any other outlets. The companies involved continue to strongly protest. Bloomberg continues to just as strongly stand by its story. The potential involvement of national security complicates things because the federal government is perfectly capable of ordering a company to lie about whether it’s received a message — yet companies that are lying tend to err on the side of saying precisely what they can say and precious little else. It’s the surest way to stay out of trouble. Could the story and strongly-worded denials still be part of a national security story meant to sow FUD about what the United States actually knows or doesn’t know about the intelligence capabilities of China? Sure. At this point that makes as much sense as anything. But the fundamentals of this situation don’t make much sense, period.
I may have personally been a bit too fast to dismiss Apple’s denial. At this point, I’m genuinely unsure. But only one set of stories can be right here. Either these events happened or they didn’t — and so far, there’s no independent confirmation that Bloomberg’s story is true. At the same time, the news of a hardware attack like this — a long-theorized attack vector — that didn’t happen would be astonishingly irresponsible. For all that Apple implies that Bloomberg just got the story wrong, stories that are researched for a year shouldn’t be the kind of stories it’s possible to just “get wrong.” This isn’t a report that one person knocked together in two hours for an online article. And the larger the feature, the more eyes typically on a story before it goes live.

People like to cynically imply that the media does everything it does for clicks, but it makes precious little sense to launch a story of this magnitude on a hoax. The damage to personal and corporate reputation and potential future advertising income outstrips any possible gains from a few days of increased traffic. And given that federal sources were involved in sourcing the story, it’s not clear what national security concerns might also be in play, further clouding the issue.

It’s not clear who’s lying, who’s telling the truth, and who might just be monumentally mistaken. But we’re not to the bottom of this story yet.
Quote:But Bloomberg isn’t just standing by its previous reporting. It’s pushing ahead. The organization notes that a US telecom discovered and removed manipulated SuperMicro servers from its network in August. Bloomberg spoke to security expert Yossi Appleboum, who worked for the telecom in question and reportedly provided documents, analysis, and additional evidence for his claims.
According to Bloomberg, the attacks detailed today aren’t identical to the earlier variants that were discussed but share certain key characteristics, namely: “They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a SuperMicro subcontractor in China.”

Appleboum was able to determine that the device was tampered with at the factory where it was manufactured and that the hardware was built by a SuperMicro subcontractor in Guangzhou. The poisoned hardware was found in a facility with a number of SuperMicro servers deployed inside it, but it’s not clear what data was running on the server, specifically. Bloomberg notes that the analysis of the hardware it has found was handled by the FBI’s cyber and counterintelligence teams rather than Homeland Security, which may explain why DHS had no knowledge of the allegations. Appleboum claims to have consulted with firms outside the US, and they’ve confirmed to him that they’ve been tracking the manipulation of SuperMicro hardware for quite some time.
These details suggest an attack vector more plausible than a piece of equipment soldered to the motherboard or hidden inside the PCB. A component hidden inside an Ethernet jack would be much more difficult to detect. And the new details should shed light on how the attack was supposedly carried out and implemented, helping to answer the question of what took place and what needs to be done about it.
Quote:Amazon and Apple responded forcefully to the report, calling on Bloomberg to retract the story. Meanwhile, Super Micro denied its boards were ever compromised and embarked on a quest to offer proof. The company employed an outside firm called Nardello to analyze its servers to find the supposed spy chips. Nardello got a representative sample of current and older model motherboards from both Apple and Amazon servers. Super Micro did not say what number constitutes a “representative sample.”

According to Super Micro’s statement, Nardello found no evidence of malicious hardware on the boards it tested. The company also reviewed design files used to manufacture the boards, finding no unexpected alterations. Super Micro even produced a video explaining its hardware inspection process. The posting stops short of promising a lawsuit, but the company is rumored to be leaning in that direction.

Bloomberg’s initial report cited numerous experts in government and the technology industry who confirmed Bloomberg’s story. However, no one has come forward publicly with evidence—no one seems to have one of these compromised motherboards to analyze. It’s still possible that Bloomberg’s story was technically correct, but there were only a handful of malicious chips implanted, and Nardello’s sample of Super Micro boards didn’t include those. The ball is in Bloomberg’s court if it wants to rebut the latest report.
Quote:Last year, Bloomberg ran a report, saying Supermicro-supplied servers come with Chinese backdoors and that this may have been a reason for Apple to drop them in 2016; although Apple denied espionage concerns at the time. Although new research published today doesn’t exactly confirm Bloomberg’s report that Supermicro servers ship with pre-installed backdoors, it does point to the microcontrollers used by Supermicro and the firmware that comes with them being easily backdoored without detection.

Researchers from Eclypsium, a firm specializing in firmware security, were able to commission a bare-metal server from IBM, install a backdoor in one of its microcontrollers, and then allowed IBM to re-use the server for other customers. The researchers were later able to reclaim that same server and noted that the backdoor was still active on the server, which means IBM lacks a proper reclamation process that can clean previously used bare-metal servers of accidental or intentional backdoors. Attackers could use the same process that the researchers used to brick or steal data from other IBM customers.
Over the past few years, more companies have come to realize that supply-chain security is just as important if not more important than applying software patches. Verifying that purchased hardware hasn’t been tampered with either from factory or somewhere in the supply chain should be an even bigger priority for cloud service providers who are responsible for the data protection of millions of customers.
Quote:According to a report by the Nikkei Asian Review this week, Super Micro has told its suppliers to move production out of China, after its U.S.-based customers started becoming concerned about Chinese espionage. In December, Bloomberg reported that Super Micro chips came with Chinese backdoors and that that was the reason Apple ended its contract with Super Micro.
In 2017, more than 90% of motherboards were being built in China. Since then, multiple manufacturers have started to move production out of China, and in 2018 less than 50% of motherboards were built there, according to Digitimes Research data Nikkei Asian Review cited.

Super Micro has mirrored this trend, and the company now also reportedly makes less than 50% of servers in China. It also plans to increase the in-house server production in the future to eliminate any perceived risk. Right now, the company mostly assembles the server components in-house, but the parts themselves are outsourced to other suppliers who have typically manufactured them in China.
Quote:Supermicro, Apple and Amazon all denied claims that they’d discovered the chips vehemently, the NSA said the threat was a false alarm, and the debate ended there. Last December, however, the hack was proven possible by Trammell Hudson, who’d found a spot on the Supermicro motherboard where a tiny chip could replace a small resistor and remain unnoticed. He connected a proof-of-concept chip only slightly larger than the resistor through external wires and completed the hack, concluding that anyone with a fab would be able to do a better job and remain undetected.

Monta Elkins, who’s the “hacker-in-chief” for security firm Foxguard, can do it without the budget. Elkins, who’ll be formally presenting his work at the CS3sthlm security conference this month, was able to gain control over a Cisco ASA 5505 firewall server with a chip lifted from a $2 Digispark Arduino board. He assembled his hack using a $150 hot-air soldering tool and a $40 microscope.

"We think this stuff is so magical, but it’s not really that hard," Elkins told Wired. "By showing people the hardware, I wanted to make it much more real. It’s not magical. It’s not impossible. I could do this in my basement. And there are lots of people smarter than me, and they can do it for almost nothing."

Once soldered to the board (which didn’t require any special rewiring) the ATtiny85 chip impersonates an administrator as the server boots up and triggers a common password recovery feature. It gains access to the firewall settings which can be reconfigured remotely, enabling the hacker to disable security features or access logs of connected devices. Elkins says the hack could also be used to gain full control over the system, but he didn’t go that far with his proof-of-concept.

Perhaps the scary thing about all this is that Elkins didn’t exactly do too much here – he chose the server board because it was the cheapest one on eBay, and he chose the chip because it was the fastest to program. He could have gone further as well, by hiding the chip inside a radio-frequency shielding can on the board, but he wanted to be able to point it out on diagrams.

"What I want people to recognize is that chipping implants are not imaginary. They’re relatively straightforward," says Elkins. "If I can do this, someone with hundreds of millions in their budget has been doing this for a while."
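The Eclypsium finding quoted above comes down to a missing reclamation check: a bare-metal host was handed to the next tenant without anyone verifying that its microcontroller firmware still matched a known-good image. The script below is an added illustration of such a check, not Eclypsium's or IBM's tooling; the "bmc" and "bios" regions, the version strings and the image bytes are all constructed stand-ins for a provider's offline golden manifest.

```python
import hashlib
from typing import Dict, List, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for the vendor's known-good firmware images (hypothetical values).
KNOWN_GOOD: Dict[str, Tuple[str, bytes]] = {
    "bmc":  ("1.2.3", b"BMC 1.2.3 known-good image bytes"),
    "bios": ("4.0",   b"BIOS 4.0 known-good image bytes"),
}
# Golden manifest the provider keeps offline: region -> (version, SHA-256 of the full image).
MANIFEST: Dict[str, Tuple[str, str]] = {
    r: (ver, sha256_hex(img)) for r, (ver, img) in KNOWN_GOOD.items()
}

def audit_firmware(dumped: Dict[str, Tuple[str, bytes]]) -> Dict[str, str]:
    """dumped maps region -> (version the device reports, raw image read back from flash).
    Verdicts: 'ok' (full-image hash matches), 'reflash' (hash differs, even if the reported
    version string matches, because modified firmware can report whatever version it likes),
    'unexpected' (a region the manifest does not know), 'not-read' (manifest region not dumped).
    """
    verdicts: Dict[str, str] = {}
    for region, (_reported_version, image) in dumped.items():
        if region not in MANIFEST:
            verdicts[region] = "unexpected"
            continue
        _expected_version, expected_hash = MANIFEST[region]
        verdicts[region] = "ok" if sha256_hex(image) == expected_hash else "reflash"
    for region in MANIFEST:                 # a region nobody dumped is not verified either
        verdicts.setdefault(region, "not-read")
    return verdicts

def regions_to_reflash(verdicts: Dict[str, str]) -> List[str]:
    """Reclamation must reflash every region that is not positively verified."""
    return sorted(r for r, v in verdicts.items() if v != "ok")

def reclaim(dumped: Dict[str, Tuple[str, bytes]]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Audit, reflash the failing regions from the known-good images, and audit again.
    Returns (verdicts before, verdicts after); the second audit must be all 'ok'."""
    before = audit_firmware(dumped)
    cleaned = dict(dumped)
    for region in regions_to_reflash(before):
        if region in KNOWN_GOOD:
            cleaned[region] = KNOWN_GOOD[region]   # reflash from the golden image
        else:
            cleaned.pop(region)                     # unknown region: wipe, do not keep
    return before, audit_firmware(cleaned)
```

The test case to keep in mind is the one the article describes: a BMC image whose reported version is unchanged but whose bytes are not, which a version-string comparison would wave through.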
