• How China Used a Tiny Chip to Infiltrate Amazon and Apple
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers. During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China. This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.
daily reminder that China is not your friend and will fuck you over at any opportune moment if it fits their agenda
the chips had been inserted at factories run by manufacturing subcontractors in China. Well shit this is big isn't it. I know we are incredibly dependent on China for tech hardware due to the cheap prices but now their hardware can not be trusted at all, what's going to happen now?
Fuck China
https://files.facepunch.com/forum/upload/110618/ded32fa1-e132-4207-9b5d-45b6596d8f29/sdfshfgfvcb.png That's insane how such a tiny chip can do something like that
will someone just DO SOMETHING ABOUT CHINA ALREADY
w... was trump right???? What FUCKING TIMELINE AM I IN.
just move it to eastern europe smhtbhfam
There's been warnings about this happening for a long time. It's trivial to bug foreign military and governmental hardware when it's made in your country. Question is what will be the repercussions? Broken clock et cetera
It's a six pin device so conceivably it could interface with the Baseboard Management Controller (as stated in the article which is Intel's Platform Management Interface, that has a whole mess of out of band access.). Two pins for power/ground and the remaining four pins could snoop/master the LPC Bus or Diagnostic Serial Bus (both of which are 4 pin or 2/4 pin busses) that interface with the BMC/IPMI to access these functions. Tiny fucker, but it is feasible that a full system on a chip could do that, or at least relay from an outside attacker by snooping network pings. Again, always a good reason to have your iptables locked the fuck down, but I don't know if that would do much good.
Although in Trump's case there's probably at least a barometer, thermometer, and compass that also all need to be stuck at the correct position as well.
Maybe they shouldn't have picked the lowest bidder, who am I kidding, they could and should have seen this miles coming, it's fucking China. Too bad the motivation of maximised profits under all circumstances isn't necessarily cheaper, you will always inflict cost some other way when always going for the cheapest offer.
If there was an actual incentive and motivation, they could and reasonably would have chosen other locations/jurisdictions, but you run the risk to be compromised anywhere where you set up shop, overseas or otherwise, and offsetting actual cost to minimize a hard-to-quantify risk, you can kinda see which side wins. The question of being spied on and/or getting infiltrated is not if, but when (and how devastating). Doesn't mean China wasn't the worst choice, definitely was, but hey, they gotta keep those shareholders happy.
Maybe once the US removes all its regulation the production can be moved back to the west /s
So next step is chips embedded in the board substrate?
We "have to" because the end consumer doesn't actually want to pay for production.
chips stuffed into your brain through your nostrils as you sleep
This is why I frequently feel paranoid because technology has reached the point where most everything we buy can spy on us.
If it's OOB shit then iptables are going to do fuck-all. That's actually a huge issue some Supermicro IPMI implementations have, wherein the IPMI basically just "snoops" on the integrated NIC for IPMI packets and intercepts them.
We also do this stuff to other countries as well, the NSA planted backdoors in hard drives to get to Iran and China for a long time. It seems like we should move some server manufacturing back to the US, even if it's a price premium, enterprise customers will eat the cost if they can be assured that their systems are free of intentional backdoors.
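An added example, not part of any post in this thread: since a BMC that shares the host NIC receives RMCP/IPMI packets before the host's own firewall ever sees them, the place to watch for that traffic is upstream, for example on a switch mirror port. The sketch below parses raw IPv4 packets for the RMCP header on UDP 623 and lists senders outside a management subnet; the subnet, the addresses and the sample packets are constructed assumptions, and fragments and IPv6 are not handled.

```python
import ipaddress
import struct

RMCP_PORT = 623                  # UDP port registered for RMCP (asf-rmcp)
RMCP_VERSION = 0x06              # RMCP version 1.0
CLASSES = {0x06: "asf", 0x07: "ipmi"}
# Assumption: the only subnet permitted to reach BMCs (constructed value).
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

def parse_rmcp(pkt: bytes):
    """Return (src, dst, kind) for an IPv4/UDP packet sent to the RMCP port, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:   # not IPv4/UDP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 12:                                  # UDP header + 4-byte RMCP header
        return None
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    version, _reserved, _seq, msg_class = pkt[ihl + 8:ihl + 12]
    if dport != RMCP_PORT or version != RMCP_VERSION:
        return None
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    return src, dst, CLASSES.get(msg_class & 0x1F, "other")

def flag_unexpected(packets):
    """List RMCP requests whose sender is outside the management subnet."""
    parsed = filter(None, map(parse_rmcp, packets))
    return [(str(s), str(d), k) for s, d, k in parsed if s not in MGMT_NET]

def build(src, dst, dport, payload):
    """Constructed sample: minimal IPv4+UDP packet, checksums left at zero."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + udp

IPMI_REQ = bytes([0x06, 0x00, 0xFF, 0x07]) + bytes(10)   # RMCP header + zeroed session header
ASF_PING = bytes.fromhex("0600ff06000011be80000000")     # ASF presence ping
SAMPLES = [
    build("10.20.0.5", "192.0.2.10", 623, IPMI_REQ),      # admin workstation: expected
    build("198.51.100.7", "192.0.2.10", 623, IPMI_REQ),   # outside management subnet
    build("198.51.100.7", "192.0.2.10", 443, b"\x16\x03\x01\x00"),  # not RMCP
    build("198.51.100.8", "192.0.2.11", 623, ASF_PING),   # discovery probe from outside
]

if __name__ == "__main__":
    for hit in flag_unexpected(SAMPLES):
        print("unexpected RMCP to BMC-capable host:", hit)
```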
amazon, apple, and supermicro are denying the reports Chinese spy chips are found in hardware used by Apple, Amazon, B.. "We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple" -apple "As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems" -amazon
Someone check if that message is from a Chinese IP
even if this was caught fairly quickly in the US, how many other countries does China directly sell equipment to that have far less resources to catch this sort of stuff. By the sounds of this, you'd have to know quite a lot about the design of the boards to even have a shot at finding this, something say an African government buying a server for their documents might not be able to do
yeah I mean you wouldn't want to spook investors
From reddit: I did a penetration test and security assessment for a major electronics manufacturer whose parts are likely in every smartphone and laptop. I identified almost certain compromise by the Chinese government with full access to modify the manufacturing specs using the access paths I identified. They chose to bury my findings as it would cause a huge stock hit. Sadly, NDA. I'm not surprised in the slightest. ..... I'll wait until my report comes to light on their next SOC audit. Wouldn't be the first time the FBI'd contacted me about a report I did for a company. I did let the DOD know through some contacts that they should really vet the security of their suppliers more thoroughly since devices using these chips are on the APL, but no way of knowing if they ever did. ..... The engineering and design schematics were completely accessible. Corporate network was hosed. Domain Admin passwords in plain text on the network anonymously accessible, trivial impersonation, no network security at all, no internal VLAN segregation or security controls, years out of date on patching, regular C-level travel to and from China with 6char passwords... No validation of the schematics being unmodified and the spans I took off the environment I saw a ton of botnet and other traffic issues. Too much to analyze in the time period I had but the only real solution was to take some immediate hardening and audit activities that they frankly weren't interested in doing, even when I demonstrated material weakness in their audit process for payments (nullifying their SOX compliance). When it was clear they didn't want to take the corrective action nor report to the SEC, our legal determined it was too great a risk to be involved further. You'd think a multi billion dollar company would care more. But as others have said, cheaper to cover it up and the NDA is pretty binding.
If I had been able to collect actual evidence of targeted compromise or fraud before the contract ended, I could break it (NDAs don't cover illegal activity), but sadly once I saw the hints they blocked me from digging deeper.
All that ignorance just for more profit. Terrifying in how likely true this testimony is.
take it with a grain of salt. hiding info/lying to shareholders to protect your stock price is super illegal
Take it from someone in the industry: We are. That guy sounds like someone trying to get 15 minutes of fame out of this. "Oh yeah definitely found a massive penetration point in a billion dollar company that allows for random alterations in their schematics, that they didn't fix because 'no time'." Our own IT team went "wut" as well. The article makes it sound as if it's as simple as slapping on a foreign chip on the board and suddenly you have access. It doesn't work that way. Modern electronics are a jumble of complex paths and component chains. You can't just "insert" a chip without it being part of the core design or there being a specific pin-out for it. There's a lot of hot-air being spread over this, but neither myself nor any of my colleagues have actually seen valid proof of this happening. A chip with these kind of capabilities needs a significant number of connections to the PCB, if only just for networking capability. For a chip this complex, with the ability to "take over" a system, it'd be really fucking obvious in terms of connectors. And then there's the supposed ability to "modify the host OS"; how exactly? What versions, what OS types? Does this work on Linux, how does it interact with the CPU? What about systems with multiple CPUs which are common on Supermicro hardware? China does some scary shit, but this sounds like scaremongering. I can find no actual in-depth analysis report beyond "expert say" and "investigators found" where the actual investigators are named. "It operated by interfacing with the bus!" Which communication bus, where, how? Details man! You'd think something this big and scary that potentially affects defense systems would have a bit more actual fact to support these claims.