The Tiny Chip from Big China

It seems to me that this sort of thing could be a bigger threat to world trade than Donald Trump.

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.

Please do be so kind as to share this post.

6 thoughts on “The Tiny Chip from Big China”

  1. There seems to be increasing doubt as to whether the devices actually exist. I admit to having had some doubts from the beginning, mostly about where in the production process active devices could be inserted that wouldn’t trigger various test failures. Assuming that they’re real, it remains to be seen if the devices can actually inject malicious code, data, or commands via the serial link(s) the devices would camp on.

  2. I worked with BMCs for a number of years and they have not changed much since 2004, and even that revision is unlikely to have added anything useful here. The claims in this article are pretty spectacular. Given the size and how it is attached, it almost certainly is not as amazing as claimed. Certain other claims seem VERY unlikely (e.g. placing it between the fiberglass layers of the circuit board).

    The only new thing I see coming out of this is confirmation that China is doing hardware implants. This is not surprising, but it is new to have actual confirmation. China’s stance when questioned has been interesting. They want to up-level the discussion to a broad one about what should and should not be allowed when nation states perform espionage. Included in this is the implication that the US has been shown to be doing exactly the same type of thing, so they have no intention of stopping or apologizing unless the US does too.

  3. I am not an electrical engineer, but I have been building my own computers for decades now and I am a little confused as to what kind of chips can be secretly installed that can open back doors without being part of the BIOS or the CPU.

    Unless it’s somehow sitting on the bus for the memory and hoping it can catch some information?

    • Most “real” servers have a BMC/IPMI. It goes by different names from different vendors. It is functionally a small management computer built into the system. It has a tiny processor, RAM, storage, even its own operating system. Its purpose is to monitor the health of the server and provide basic access if the server is non-responsive. Most of what it does is low risk. However, it functions like an add-in card with direct memory access (DMA) to system memory. This means the BMC can freely read and write to system memory independent of the processor. It also has other interesting features like access to a network port and emulating a USB keyboard or flash drive to the server environment.

      This implant is reported to connect to the BMC. None of the interfaces provided by BMC have DMA access. So the implant would need to somehow modify the BMC operation to even get access to system memory. None of the BMC provided interfaces I am aware of provide pass through DMA. The implant would need to get the BMC to actually execute code from the implant. If it can get some sort of process going on the BMC that can communicate with a command and control server, that server would have the large tool bag of BMC capabilities to go after the actual server.

      In this case the implant is very small so I doubt it has the capability to jump through multiple layers of attacking. But if it can get enough control of the BMC to be able to run code and get code/commands from a remote server, that server has the adaptability and capabilities to pass on what is needed to get almost anything from the target server.

      • I thought it was on the bus between the BIOS where the IPMI gets its boot code, and the IPMI itself. So (it’s theorized) it doesn’t directly do those things, but it injects undocumented capabilities into the IPMI at power-up time.

        Nowadays even lots of desktops and laptops have a basic IPMI in them. At my work I got to investigate a laptop that got hacked by way of its IPMI.

        • Desktops and servers are different. Desktops use DASH, which has similarities to IPMI but is different. Servers use IPMI. These correspond to ME (Management Engine) and BMC (baseboard management controller). There are a lot of high level functional similarities, but they are different. I am not as familiar with the desktop side of things as I am the server stuff, but I have a passable understanding of the desktop implementations. Some servers are starting to add ME as well as BMC because ME adds some code integrity features that BMC/IPMI does not.

          BMC has separate boot code locations, CPU and RAM. You could remove the BIOS flash chip entirely and the BMC would continue to function and generate an alert or attempt corrective action when the BIOS failed to start. I don’t know which specific motherboards are implicated and would need details or one to examine to see how BMC flash is implemented. If the flash chip only uses a two wire communication bus to the controller a chip like the one pictured might have enough pins and large enough die to be just their version of the firmware on a small flash die. It seems to me it would be easier to just flash their own code to the existing flash instead of disabling existing flash and adding their own.
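The last two comments above describe the BMC booting from its own flash and observe that the simplest way to alter a BMC would be to reflash that chip rather than add a part. From the defender's side, the matching check is to dump the BMC's flash with a programmer and compare it byte for byte against the image published by the vendor. The Python below is an added example, not code from this post or from any BMC vendor: it assumes you already have both images as byte strings, and the region layout, the reference pattern and the tampered bytes are all constructed here so it runs offline.

```python
import hashlib
from typing import Dict, List, Tuple

# Hypothetical flash layout for a small BMC image: name -> (start, end) byte offsets.
# Real images carry a vendor-specific header or partition table; this map is
# constructed for the example only.
LAYOUT: Dict[str, Tuple[int, int]] = {
    "bootloader": (0x000, 0x400),
    "kernel": (0x400, 0xC00),
    "rootfs": (0xC00, 0x1000),
}

# Constructed 4 KiB "vendor reference" image: a fixed byte pattern standing in for
# the image downloaded from the vendor's support site.
REFERENCE: bytes = bytes(range(256)) * 16


def _tamper(image: bytes) -> bytes:
    """Constructed 'dumped' image: the reference with one flipped byte in the
    bootloader region and a 32-byte patch inside the kernel region."""
    buf = bytearray(image)
    buf[0x10] ^= 0xFF
    for i in range(0x800, 0x820):
        buf[i] ^= 0xFF
    return bytes(buf)


DUMPED: bytes = _tamper(REFERENCE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_modified_regions(reference: bytes, dumped: bytes,
                          min_gap: int = 16) -> List[Tuple[int, int]]:
    """Return half-open (start, end) byte ranges where dumped differs from reference.
    Differences closer together than min_gap bytes are merged into one region, so a
    patched block reports as a single entry instead of dozens of single bytes."""
    if len(reference) != len(dumped):
        raise ValueError(f"image sizes differ: {len(reference)} vs {len(dumped)}")
    regions: List[Tuple[int, int]] = []
    start = last = None
    for offset, (a, b) in enumerate(zip(reference, dumped)):
        if a == b:
            continue
        if start is None:
            start = offset
        elif offset - last > min_gap:
            regions.append((start, last + 1))
            start = offset
        last = offset
    if start is not None:
        regions.append((start, last + 1))
    return regions


def section_for(offset: int, layout: Dict[str, Tuple[int, int]]) -> str:
    """Name the layout region containing offset, or 'unknown' if none does."""
    for name, (lo, hi) in layout.items():
        if lo <= offset < hi:
            return name
    return "unknown"


def verify_image(reference: bytes, dumped: bytes,
                 layout: Dict[str, Tuple[int, int]]) -> dict:
    """Compare a dumped flash image against the vendor reference and report where
    it differs, with each differing range tagged by the region it falls in."""
    regions = find_modified_regions(reference, dumped)
    return {
        "match": not regions,
        "reference_sha256": sha256_hex(reference),
        "dumped_sha256": sha256_hex(dumped),
        "modified": [(s, e, section_for(s, layout)) for s, e in regions],
    }


if __name__ == "__main__":
    report = verify_image(REFERENCE, DUMPED, LAYOUT)
    print("match:", report["match"])
    for start, end, name in report["modified"]:
        print(f"  {name}: 0x{start:04x}-0x{end:04x} ({end - start} bytes differ)")
```

With real images, read both files as bytes and pass them in place of the constructed constants; a size mismatch is itself a finding, since a vendor image and a dump of the same part should be the same length. The whole-image hashes tell you only that something changed; the region list tells you where to start disassembling, and a difference confined to a configuration or log region is a very different result from one inside the bootloader.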