The Tiny Chip from Big China

Will Truman

Will Truman is the Editor-in-Chief of Ordinary Times. He is also on Twitter.


6 Responses

  1. Michael Cain says:

    There seems to be increasing doubt as to whether the devices actually exist. I admit to having had some doubts from the beginning, mostly about where in the production process active devices could be inserted that wouldn’t trigger various test failures. Assuming that they’re real, it remains to be seen if the devices can actually inject malicious code, data, or commands via the serial link(s) the devices would camp on.

  2. Mr.JoeM says:

    I worked with BMCs for a number of years and they have not changed much since 2004, and even that revision is unlikely to have added anything useful here. The claims in this article are pretty spectacular. Given the size and how it is attached, it almost certainly is not as amazing as claimed. Certain other claims seem VERY unlikely. (e.g. like placing between the fiberglass layers of the circuit board)

    The only new thing I see coming out of this is confirmation that China is doing hardware implants. This is not surprising, but it is new to have actual confirmation. China’s stance when questioned has been interesting. They want to up-level the discussion to the broad question of what should and should not be allowed when nation states perform espionage. Included in this is the implication that the US has been shown to be doing exactly the same type of thing, so they have no intention of stopping or apologizing unless the US does too.

  3. Oscar Gordon says:

    I am not an electrical engineer, but I have been building my own computers for decades now and I am a little confused as to what kind of chips can be secretly installed that can open back doors without being part of the BIOS or the CPU.

    Unless it’s somehow sitting on the bus for the memory and hoping it can catch some information?

    • Mr.JoeM in reply to Oscar Gordon says:

      Most “real” servers have a BMC/IPMI. It goes by different names from different vendors. It is functionally a small management computer built into the system. It has a tiny processor, RAM, storage, even its own operating system. Its purpose is to monitor the health of the server and provide basic access if the server is non-responsive. Most of what it does is low risk. However, it functions like an add-in card with direct memory access (DMA). This means the BMC can freely read and write to system memory independent of the processor. It also has other interesting features like access to a network port and emulating a USB keyboard or flash drive to the server environment.

      This implant is reported to connect to the BMC. None of the interfaces provided by BMC have DMA access. So the implant would need to somehow modify the BMC operation to even get access to system memory. None of the BMC provided interfaces I am aware of provide pass through DMA. The implant would need to get the BMC to actually execute code from the implant. If it can get some sort of process going on the BMC that can communicate with a command and control server, that server would have the large tool bag of BMC capabilities to go after the actual server.

      In this case the implant is very small so I doubt it has the capability to jump through multiple layers of attacking. But if it can get enough control of the BMC to be able to run code and get code/commands from a remote server, that server has the adaptability and capabilities to pass on what is needed to get almost anything from the target server.

      • dragonfrog in reply to Mr.JoeM says:

        I thought it was on the bus between the BIOS where the IPMI gets its boot code, and the IPMI itself. So (it’s theorized) it doesn’t directly do those things, but it injects undocumented capabilities into the IPMI at power-up time.

        Nowadays even lots of desktops and laptops have a basic IPMI in them. At my work I got to investigate a laptop that got hacked by way of its IPMI.

        • Mr.JoeM in reply to dragonfrog says:

          Desktops and servers are different. Desktops use DASH, which has similarities to IPMI but is different. Servers use IPMI. These correspond to ME (Management Engine) and BMC (baseboard management controller). There are a lot of high level functional similarities, but they are different. I am not as familiar with the desktop side of things as I am the server stuff, but I have a passable understanding of the desktop implementations. Some servers are starting to add ME as well as BMC because ME adds some code integrity features that BMC/IPMI does not.

          BMC has separate boot code locations, CPU and RAM. You could remove the BIOS flash chip entirely and the BMC would continue to function and generate an alert or attempt corrective action when the BIOS failed to start. I don’t know which specific motherboards are implicated and would need details or one to examine to see how BMC flash is implemented. If the flash chip only uses a two wire communication bus to the controller, a chip like the one pictured might have enough pins and a large enough die to be just their version of the firmware on a small flash die. It seems to me it would be easier to just flash their own code to the existing flash instead of disabling existing flash and adding their own.
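The practical follow-up to the last two comments (the BMC boots from its own flash, IPMI adds no code integrity checks, and the simplest implant is just modified firmware in the existing flash) is to dump the BMC flash and compare it byte-for-byte against the vendor's published image. The script below is an added example, not code from the page or from any vendor tool: it assumes you already have a dump (for instance from a SPI programmer or flashrom) and a known-good vendor image of the same size, and it uses two small constructed byte strings in place of real firmware so it runs offline. It hashes both images and reports the exact byte ranges that differ, which is what you would hand to a firmware analyst.

```python
"""Compare a dumped BMC flash image against a known-good vendor image.

Added example: the two images below are constructed stand-ins for real
firmware, and the offsets patched into the "dump" are hypothetical.
"""
import hashlib
from typing import List, Tuple

# Constructed 4 KiB "vendor" image: deterministic, non-repeating byte pattern.
VENDOR_IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(4096))


def make_dump() -> bytes:
    """Constructed 'dumped' image: the vendor image with two regions patched.

    The patch contents are hypothetical placeholders, not a real implant.
    """
    dump = bytearray(VENDOR_IMAGE)
    dump[0x100:0x110] = b"\x90" * 16      # hypothetical 16-byte patch
    dump[0x800:0x803] = b"\xEB\xFE\x00"   # hypothetical 3-byte patch
    return bytes(dump)


DUMPED_IMAGE = make_dump()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the form vendors usually publish for firmware."""
    return hashlib.sha256(data).hexdigest()


def changed_regions(reference: bytes, sample: bytes) -> List[Tuple[int, int]]:
    """Return half-open (start, end) byte ranges where sample != reference.

    Both images must be the same size; a size mismatch is itself a finding
    (wrong vendor image, truncated dump, or a different flash part) and is
    reported rather than silently compared.
    """
    if len(reference) != len(sample):
        raise ValueError(
            f"image size mismatch: reference={len(reference)} sample={len(sample)}"
        )
    regions: List[Tuple[int, int]] = []
    start = None
    for off, (a, b) in enumerate(zip(reference, sample)):
        if a != b and start is None:
            start = off                # entering a differing run
        elif a == b and start is not None:
            regions.append((start, off))  # leaving a differing run
            start = None
    if start is not None:              # run extends to end of image
        regions.append((start, len(reference)))
    return regions


def verify_dump(reference: bytes, sample: bytes, expected_sha256: str) -> dict:
    """Full check: does the dump match the published hash, and if not, where?"""
    ref_ok = sha256_hex(reference) == expected_sha256.lower()
    sample_hash = sha256_hex(sample)
    regions = changed_regions(reference, sample)
    return {
        "reference_matches_published_hash": ref_ok,
        "dump_sha256": sample_hash,
        "dump_matches_reference": not regions,
        "changed_regions": regions,
        "changed_bytes": sum(end - start for start, end in regions),
    }


if __name__ == "__main__":
    # In practice expected_sha256 comes from the vendor's release notes;
    # here we derive it from the constructed reference image.
    published = sha256_hex(VENDOR_IMAGE)
    result = verify_dump(VENDOR_IMAGE, DUMPED_IMAGE, published)
    print(f"reference image matches published hash: "
          f"{result['reference_matches_published_hash']}")
    print(f"dump matches reference: {result['dump_matches_reference']}")
    for start, end in result["changed_regions"]:
        print(f"  modified: 0x{start:06X}-0x{end:06X} ({end - start} bytes)")
```

Two caveats a practitioner should keep in mind: the vendor image must be the exact same build and flash layout as the board under test, or every run will look "modified" (hence the size check and the separate reference-hash check), and a clean comparison only shows the flash contents match, not that the part reading them is the one the board shipped with.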