October 04, 2018

Are we Surprised? No. (UPDATED)

Are we terrified concerned?


It appears that there has been a hack involving at least 30 companies, as well as the D.O.D and C.I.A.

Worse, it's a hardware issue. 

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.
This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.

One can assume that this is NOT an isolated incident. This is probably one of many, and  one can infer that very little is now beyond the reach of the CCP. On a global level, it is very likely that all those Chinese funded infrastructure projects in Oceana, Latin America, Africa and South Asia are riddled with similar, and perhaps more hard to detect bugs, possibly embedded into the very structures of the facillities.  

Pretty much every technical advancement made by compromised companies as well as state and military secrets can now be assumed to be in China's possession.

This doesn't mean they know them all yet. The sheer quantity of data that China must now have to sift through is daunting, and to be useful needs to be looked at by people who have enough knowledge in the given subject matter and sufficient imagination to be able to recognize something's merits. Encryption is a further obstacle. However, they probably have at least as big an edge on our Military as we had over the Japanese and German's after breaking or acquiring their respective codes in WW2.

This turn of events should not be the least bit surprising given that our self anointed aristocracy has off-shored much of our electronics manufacture to China (because slave labor is so cheap). Well, as we learned from Google & Facebook, if one finds something exceedingly cheap, one might well be the product.

Of course, knowing is the first step to fixing, so it should be pretty straightforward to correct this right?

Fixing this is beyond daunting.  The expense of pulling out all the old circuit boards is going to be phenomenal and replacing them is subject to the same issue. The complexities of the global supply chain means that tracking down not just the manufacturers, but subcontractors, will be next to impossible. 
Going forward, we may need to have some blockchain certification for all our electronic components, certainly for D.O.D. related applications. This is a sufficient breach of trust with sufficiently troubling ramifications that it ought to remove some of the opposition to restrictions on imports from the Middle Kingdom. 

If oughts were dollars though we would have no debt.

This is outside my ballywick, so I eagerly look forward to the perspectives of commenters on this mess. 

UPDATE: In the comments section, Pixy Misa is expressing considerable skepticism. Pixy is the owner and administrator of the Mee.Nu domain (Praise the lathe of the maker!) and an IT professional himself. He has an extensive disquisition on this topic over at his place that you should read in full

Now. Answer the following question. Did you read Pixy's post?

No: Go back and read it.
Yes: Proceed.

I found the story credible because I already have concerns about China and spying. That something like this could be done seems completely plausible.

However, all other sources I've looked at since posting this have been either rewritten versions of, or link back to, the Bloomberg article with no additional info. The Bloomberg article is anonymously sourced. 

One thing I had not fully grokked, but Pixy mentions extensively, is how LONG this story has been in development. 

The Gell-Mann Amnesia Effect is a very real thing.

To Wit: The following excerpt from the article on the nuts and bolts of the alleged hack sounds plausible to me, partly because it comports with my limited understanding of how these systems work, but mainly because the words, Dilithium, turbo-encabulator, and Midichloreans do not appear anywhere in it. 

Officials familiar with the investigation say the primary role of implants such as these is to open doors that other attackers can go through. "Hardware attacks are about access,” as one former senior official puts it. In simplified terms, the implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say. This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.
Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.
This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser.  

In the comments, Pixy (who, again, does IT for a living) seemed spectacularly unimpressed with the plausibility of this scenario. 

Over at Medium, one of those linked to in Pixy's piece on the subject has objections , but they are mostly about how on earth this would have been detected, as it would have been an insanely comprehensive audit to detect this. However, he closes with this...
For me, Bloomberg’s article could go either way. The logic of backdooring the BMC makes a lot of sense. Whether it happened in this case — given all the categorical denials — I have no idea.

I will go so far as to say that I think something along these lines is likely to happen at some point, however, if this story does turn out to be bunk then Bloomberg will, via the cry wolf effect will have facilitated the very thing they pretended to report on.

This story is looking sketchy, but for now, we await more info....

Posted by: The Brickmuppet at 07:37 PM | Comments (11) | Add Comment
Post contains 1238 words, total size 10 kb.

1 I'll see what I can find, but a couple of thoughts:

1.  If the network is secure, this doesn't matter.  If the server can't make unauthorised connections to the internet, that's it.

2. There's a limited amount of functionality you can put on a chip that size.  A keylogger, sure.  Which is great if you want to hack laptops, but servers don't have keyboards.  Snooping on a 100GbE connection?  No chance.

3. The companies named - including the victims - have very explicitly denied it.

4. The sources are anonymous.

5. The chief selling point for the story is Bloomberg's credibility.

Posted by: Pixy Misa at Thu Oct 4 20:17:55 2018 (PiXy!)

2 Apple says:
Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.
To translate: Bloomberg is full of shit.

Posted by: Pixy Misa at Thu Oct 4 20:21:57 2018 (PiXy!)

3 Hmmmm...
Thanks for the quick response Pixy.

Well...I can't let all those keystrokes go to waste, so I'll resort to special pleading.
Everyone denying it has considerable incentive to do so. If this were true this could be their end. 

Special Pleading Ends:

The sheer capacity issues of the chip were something I hadn't the expertise to consider, though the logistics of sifting through the Yotabits of data are daunting on their own. 
I am concerned, perhaps unwarrantedly so, about back doors and such in our millitary IT, C4i, and fire control hardware.

On the Gripping hand...

Gell Mann Amnesia Effect.

Posted by: The Brickmuppet at Thu Oct 4 21:26:59 2018 (3bBAK)

4 Yeah, it's being taken seriously and independent researchers are looking into it.  Too soon for confirmation or disconfirmation yet.

Posted by: Pixy Misa at Thu Oct 4 22:34:10 2018 (PiXy!)

5 Though one researcher I follow simply responded with a GIF of Bloomberg getting egg on its face, so there's a fair bit of skepticism.

Posted by: Pixy Misa at Thu Oct 4 22:35:13 2018 (PiXy!)

6 Some more statements.


As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.


On this we can be very clear: Apple has never found malicious chips, "hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

Posted by: Pixy Misa at Fri Oct 5 03:35:48 2018 (PiXy!)

7 Conclusion: Probably bullshit.

Posted by: Pixy Misa at Fri Oct 5 08:21:08 2018 (PiXy!)

8 Well...This requires an update. 

Posted by: The Brickmuppet at Fri Oct 5 09:41:27 2018 (3bBAK)

9 Same reporters wrote this 2014 "cyberwar" story that is widely regarded as complete and utter nonsense.

Posted by: Pixy Misa at Fri Oct 5 21:23:53 2018 (PiXy!)

10 Actually, for the story to be developed for a long time is a good thing, IMHO. I remember how National Enquirer developed John Edwards story. It dragged on for months before they ambushed him in the hotel lobby. They had anonymous sources. This prompted people to share what they knew. Finally, they managed to buy photos of Edwards holding his love child. And even that was not enough for most, so they had to stage the operation to get him. I'm sure Bloomberg marshalled resources in a similar fashion.
As for the chip being small, puleeeeeeeeeeeze. The important part is what trace on the mobo it taps, and the power consumption in doing so. I think it probably goes into an I2C EEPROM that boots one of stupid Intel controllers.
So, my bet is it's almost certainly true.

Posted by: Pete Zaitcev at Sat Oct 6 18:33:40 2018 (LZ7Bg)


Devil's Advocate here, but comparing Bloomberg's coverage of the nano-spychip vis-a-vis the National Enquirer's coverage of John Edwards' affair not of state is not quite an apples to apples comparison.

The love affairs of a politician with someone who is not his or her significant other is something that most newspapers and periodicals would be suited to cover.  That is the kind of story the gossip pages are for - except that the subject in question would make it to the front page.

Bloomberg's coverage of cyber-warfare, on the other hand, causes one to wonder if they know what they are talking about.  Have they demonstrated they are well-equipped to report a cyber-warfare story?

Or are they pulling a Stephen Glass on us?

Posted by: cxt217 at Sun Oct 7 21:46:22 2018 (2ZW6Y)

Hide Comments | Add Comment

What colour is a green orange?

47kb generated in CPU 0.8656, elapsed 2.8803 seconds.
71 queries taking 2.8408 seconds, 369 records returned.
Powered by Minx 1.1.6c-pink.