But that’s just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.
One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.
Both Apple and Amazon aggressively deny the reports, but such was to be expected – these companies aren’t going to openly admit their products and data could be vulnerable to sophisticated Chinese hacking attempts. In addition, especially Apple is beholden to remaining in the Chinese government’s good graces, and won’t openly admit they’re being targeted by them – like no other company in the world, Apple is dependent on China, because no other country has the manpower, labour laws, and welcoming totalitarian government required to build the massive amount of devices Apple orders from China.
None of this should surprise anyone, and further illustrates that any company – especially major ones – claiming their products are secure and privacy-focused have really no way of guaranteeing as such. Whether it be domestic carriers snooping in on internet traffic or the Chinese government adding small microchips to hardware, nothing is secure or private.
Is it too radical of an opinion to say that the efforts of the current US president to deprive trade of the Chinese regime (via import duties) are a good thing?
Edited 2018-10-04 19:07 UTC
It’s not too radical, but you have to temper that with the fact that the US government has done almost the exact same thing for servers we sent to Asia and other regions
Which I guess is the fatal flow of globalisation? State actors using industries located in their territory to spy on other states.
More of a fatal flaw of still keeping nation states around, but same difference.
If we had a global parliament that kept all the countries in line, and reduced their ability to violate human rights, that would be great.
Mind you, I’m cynical enough to think that if we ever do get a global parliament, it’s gonna just kowtow to major corporations and give them power instead.
No thank you. I like being able to decide of the political representation and laws with people from my country who share some values with me.
Hahah. The best quote from the article:
Imagine, for a moment, that this happened with a chip fabricator, instead of a board manufacturer. It would be microscopic, and even less likely to be discovered.
Intel’s ME ?
[q] Whether it be domestic carriers snooping in on internet traffic or the Chinese government adding small microchips to hardware, nothing is secure or private.[q]
True. Probably. But some platforms and some devices are more secure than others, and the difference is not trivial.
And what platforms do you have in mind as the more secure?… :rolleyes:
This is what you get when you are bent on producing such sensitive equipment in the cheapest place you can find. It has always baffled me, and then this happens.
It is not like you couldn’t imagine them doing this…
Now you are hearing this story because of the so-called “trade war”. They need to rally their people against China for obvious political reasons.
But trust me, if the roles were switched, the US would be doing the same to China, politics 101 really. Most probably they already do this (hiding backdoors in the CPU or Management Engine….)
A classic, when it’s money it’s all great, China and US are great friends then, then they backstab each other at the best possible moment, for the greatest profit.
And while the elites accumulate wealth, the common man has less and less.
I hope people realise that this story effectively just killed the possibility of China becoming a global player in the chip design business. cui bono?
Edited 2018-10-05 08:32 UTC
The scary thing about these backdoors is that once they’re discovered, there’s no telling who’ll use them. After all, some of the deadliest malware out there is what some black hat copied and pasted from something the NSA engineered and released into the wild. This is going to blow up in all of our faces one day, and there’s no telling who’s going to lose the most.
Another perspective
https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-a…
As they say…
Even though the Chinese will fuck our industries and societies by undercutting our labor costs, making shitty copies of our things and later improving them until they are better than the originals, and stealing information from our companies and governments…
… WE CAN REST ASSURED THERE WILL BE NO WAR AGAINST THEM …
Because surely any politician knows that if the moment ever came, all our missiles, fregates, airplanes, drones and submarines would instantly shut themselves off, if not turn themselves against us.
So peace has exploded! Against China, at the very least. We can save a bunch of money in advanced armament (or information security, for what it is worth) and use it to feed our jobless population for a few more months, or more likely to buy even more chinese stuff.
Looks like (As Apple and Amazon said) it^aEURTMs all a crock of shi_ the funny part is that anyone would even believe the technical aspects of the story, that this little chip is able to do things that full SOCs can^aEURTMt do.
Anyway they claimed the government investigated etc and now the Government is coming out and calling the whole thing Poppy Cock.
https://appleinsider.com/articles/18/10/05/uks-gchq-us-officials-cas…
On to the next story.
Edited 2018-10-05 13:45 UTC
Yeah. It all smells like a FUD campaign and will keep doing that until some actual proof is produced.
But it’s possible to do such an attack given enough money.
^aEURoeTwo words: firmware backdoor.
Change things enough that an attacker can “tickle” the device with a special code and then command it to do whatever is wanted. Many things use serial EEPROMs (Flash memory) to store firmware so just add a tiny memory, some logic to detect the right time to send the contents of that memory. Not that hard, doesn’t require a large chip and very few hijacked signals.^aEUR
Sounds good on paper please show someone preistalling something similar (the size of a pencil point in this case) and then hiding the traffic out of the network for years without being caught??
Edited 2018-10-06 05:44 UTC
This is called shifting goalposts and is considered rude.
An exploit doesn’t have to exist to be possible – if so no exploit could ever be possible as the initial creation wouldn’t be possible.
The exploit doesn’t have to be detected to be out in the wild* and there are plenty of examples of exploits having been active for many years before being detected. It is reasonable that a bugged system would only be accessed in a few exceptional cases to reduce the chance for detection.
Designing such a chip requires a lot of expense so it’s reasonable only states can (or will) create something like it. Not something that is usual IOW.
Expenses: small process node to be able to have a tiny chip with large enough memory plus custom chip encapsulation.
(* After all they have to be used to be detected in the first place, there have been active exploits detected… What is the logical conclusion?)
Sorry but that is not the meaning of moving the goalposts, I just asked a simple question. As we all know no exploit is created in a vacuum. Everything has a past and path to that past, back to the very first virus ever made on down. I can’t think or or can even find some exploit that was crated and was successful out of thin air. Normally even, most exploits are a combination of previous things all put together to make a successful exploit.
So to ask where in the past this has been attempted is not moving the goal post, its a straight forward question.
Yes the creators needed to know that this will get exposed once and it must communicate through some way with its CC so well configured IDSes should pick it up over time and the traffic can be investigated.
Same goes for all hardware stuff where you try to push security through obscurity like those set top boxes what the guy reverse engineered by buying 20 of them and start taking off layers from the chip.
https://www.dhs.gov/news/2018/10/06/statement-dhs-press-secretary-re…
^aEURoeThe Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS^aEURTMs cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely. Just this month ^aEUR“ National Cybersecurity Awareness Month ^aEUR“ we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains. These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation^aEURTMs collective cybersecurity and risk management efforts.^aEUR
to embed a chip in a motherboard, you either need to change the pcb layout to supply power, signal, connect to ground, connect to eth/wifi circuit, or maybe antenna if the chip has a wireless transmitter, or add a layer to achieve these connections. no matter how small the chip is, the modification will be obvious. or, any expert here mind to explain how you can achieve this in a stealth way?
Except Open Source Hardware + Open Source Software.
There are couple of attempts for open source hardware out there such as Pinebook, unfortunately currently they are overpriced and not made for the masses.
Don’t you have the sense of security when using OpenBSD or Linux by default because you know it’s being reviewed by thousands of people around the world and it doesn not contain built in backdoors like MicroSht/Apple products.
We should see the same in hardware. I never review 1 line of source code of OpenBSD or Linux but I trust the developers who do so.
https://appleinsider.com/articles/18/10/08/security-researcher-cited…
Because it was Apple people jumped on it and were wrong!