Supermicro server motherboards with hardware backdoor?

Couple of articles in The Register as well. Have said for years that we should keep the Chinese at arms length for hi tech, as even if they are not stealing the ip, they have more than enough reason to subvert the designs for their own good and the intellect to implement it. All good and furry on the outside, cheap manufacturing etc, but an undemocratic police state at core, with an expansionist agenda.

More than ever, nations progress through advances in the sciences and technology and it should be considered a national security asset. Don't need a tinfoil hat to see that...

Chris

This is my analysis:

Theo

Thanks for that write-up, but why do you find it more feasible that the firmware's being fetched across the network than that the interceptor chip simply has 32Mb of flash on it? It seems like that additional network traffic at boot time would be a pretty recognizable signature.

Very interesting. Thanks.

It is possible that the implant is simply replacing the existing QSPI flash, but then a firmware update would either replace it, or the update checksum would fail. So it has to be something that keeps the original flash functioning and tampers with it conditionally.

A regular SPI flash chip couldn't that. A very basic flash edit (overdrive the real data lines and force some bytes of config settings) could be done in a CPLD - I didn't check what die sizes vendors have, but they can be small. An FPGA would likely be too big.

A full custom chip is also feasible, but in another league in terms of costs.

Theo

Thanks. Nicely thought out blog article. I agree that putting the chip on the SPI bus would be the ideal location. I might add that is would be possible to add microcode instructions to the CPU via the SPI bus (depending on how the added chip is wired into the system).

Some deficiencies and unanswered questions in the original Bloomberg article:

1. Since Bloomberg apparently has possession of several of these mystery chips, why haven't anyone done an autopsy or xray analysis on what's inside? From the few photos, it looks like a resistor network.
2. If I wanted to compromise a server, it would much easier to add a few more undocumented instructions to an existing chip, such as a bus controller (which sees the entire data bus), than to add a new device that might be detected by the production equipment that uses optical comparators to detect missing, backwards, and misaligned components. A white alumina or porcelain chip, among the usual brown ceramic chips, would be easily visible.
3. The photos of the mystery chip seems a little odd: The solder pads on the sides of the chip look slightly oxidized and do not look like anything that has been unsoldered by a hot air SMT desoldering station, where the solder would be shiny and tends to collect near the PCB side of the chip.
4. What is a "signal conditioning coupler"?

1. With a PCB and chip in Bloomberg's possession, it would be fairly easy to determine how it was connected into the server. This should have been done before announcing to the world that they had discovered a spy chip, rather than discovering a capacitor or termination resistor.

2. There seems to be nearly zero demonstratable information on how the chip could actually do something useful. Plenty of theoretical possibilities, but nothing that an SPI or serial bus analyzer couldn't handle.

etc...

Not currently having the answers to these questions doesn't bother me. The lack of anyone close to the source actually bothering to answer them does bother me.

Sorry to be so vague but I've had a rotten day dealing with Microsoft's October 2018 Windoze 10 update destroying customer data. This has not been a good day.

They don't claim that, and we don't know it. The motherboard photos could have been sent by their inside source. It would have been much more risky to provide a whole MB to Bloomberg. The chip photos are probably something off Digikey.

If they don't have the board or chips, the rest of your questions don't matter.

Clifford Heath.

Good point. If they don't have physical possession of a working chip and/or motherboard, then that's the end of the physical evidence making literally everything written so far no better than speculation.

Incidentally, the photo of the chip and the finger look edited: At that level of magnifications, the ridges of the finger and the nail show substantial levels of dirt, cuts, and irregularities. Most peoples palm and back of the hand are different colors. To produce a perfectly rounded edge view, clean nails, clean ridges, an uniform color requires considerable photo editing. Since the chip seems to be back lighted, while the finger is lighted most from the right side, I would guess that the chip was added to the finger photo. Looking again at the solder plate on the chip, I'm sure it's never been attached to a PCB.

Fake news? I think so.

He has a good analysis IMNSHO. Sure hand anything to the press, especially the biased press, and it will publish that. The whole issue here is to get the reality show manager re-elected, mid-terms are knocking on the door, keep republicans in power, create a common enemy, standard stuff. Truth and 'tronics has little to do with it.

Any kid can make up this story.

Maybe that 'chip dot' is just flee poop, like the rest of what the reality lost show manager does. And as significant as that.

At the same time companies like Apple may hand all user data to China, they only have to ask for it.. Money, sales, profit is the law. Snake oil is the trade. :-) Oh well... remember in the last cold war how Russia was accused of spying on every one... Now US does it as one bigger number.

And there is nothing to know really, of value, that China does not already have, or can do better. That includes running a country.

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Did you even read the article? Did you not see the picture of what the chip contained?

And I am quite sure that the DoD's investigation into it was much more comprehensive than a news agency's most elite hardware nerd.

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Bullshit. Operator error. Always backup first for one thing, and I still think you did something to cause the loss. And you do not have an instantaneous mirror on another machine for their data?

Sounds like something Trump would say.

Actually it looks very little like those types of parts. The article mentioned that it looks like a specific type of device. I'm confident they made this look exactly like some specific device.

AOI (Automated Optical Inspection) works by being trained on a known good board. It looks at and for expected chips. I'm pretty sure they don't have built in any capability of looking for extraneous parts although I'm sure they are adding that now.

Most units are built to RoHS standards and the solder is definitely not very shiny. It typically is very grainy just as in the photo.

I believe they are talking about EMI filters. Notice the similarity to the device on this page.

I don't think Bloomburg was doing any of the work and I seriously doubt they have possession of any spy chips. More likely is that every device you see in the pictures are the commercial chips the spy chip was designed to look like.

Maybe that's because it is spy stuff and they don't wish to reveal every detail of what they know.

Yeah, I've been reading a bit about that. Don't they back up data before performing updates?

Rick C.

What? Bloomburg is not an analysis lab. They are reporting news. The fact that Bloomburg doesn't have the engineering data or devices doesn't mean they don't have the info.

Duh!

This is called, presentation. Most likely the finger is from a more than perfectly manicured hand model. In fact, I was pretty amazed by how perfect it is. This guy must wear gloves all day and a manicurist is at the photo shoot!

Huh? You need to get out more. Not fake news, just a very well written and well illustrated article in a web publication. If JL hand draws a graph or schematic in one of his doodles, does that make it a fake design?

Rick C.

YAIV

Much better if they don't publish anything that isn't so verified that it is common knowledge.

How is this helping anyone currently in power. I thought the article made it clear that this exploit took a long time to enact across multiple administrations.

So you are suggesting the entire story is fake?

Now that is fake news!

lol

Rick C.

Yes.

Do you mean this rubbish?

You have a good imagination. Perhaps you might know what a "signal conditioner coupler" mentioned in the first paragraph might be? While you're working on that, perhaps you can also explain what an operating system core might be as in "...the microchip altered the operating

core memory?

Certainly they'll investigate. So will every other government agency and publicity hungry entity will conduct their own independent investigation. This was discovered by Amazon's outside security contractor something like 2 years ago. One might suspect that there are now a fair number of these chips floating around and that they have been rather thoroughly analyzed over the last 2 years. Oddly, I don't see any reports, photos, or info leaks. However, I'm sure they'll take their time releasing any real results, when they discover it's an SMD resistor network.

Is that like blame the victim? I would think that the average user might assume that an operating system update wouldn't erase all their data. Actually, that begs the question of what was Microsoft doing digging around in the users files anyway? Were they building a catalog of "interesting" files for the NSA? Why was this update so big when it only added a few new features: New spyware, err... telemetry perhaps?

Incidentally, MS has suspended the update and is investigating the problem. Pulling the plug 5 days after a huge number of rather serious complaints is what is now called "decisive action".

The first step to solving a problem really is to blame someone, but never blame the person in charge of fixing the problem. They might get angry and do nothing.

I have a simple method of dealing with such complainers. I construct a clone of their computer. I then push pins and needles into the motherboard until it exhibits erratic behavior. By sympathetic voodoo and quantum entanglement, your identical PC will exhibit identical problems.

For my former medical office customers, that was standard procedure. I also didn't install updates of any kind until after a suitable waiting period. However, for the typical small business and home user, I prefer image backups, which allows me to quickly restore literally everything. For backups between image backups, I just copy or rsync a few directories that I consider important to a local NAS (network attached storage) drive.

Trump doesn't say anything. He tweets.

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Especially when the FIRST thing they are ALWAYS supposed to do is perform a backup. Yeah... you might get angry and... start blaming Microsoft for your missteps.

At that frequency of "updates" I hear windows 10 is doing backing up a a few terabytes all the time sounds the practical thing to do, yeah.

Dimiter

====================================================== Dimiter Popoff, TGI

I wouldn't touch win 10 with yours, never mind my own. Completely untrustworthy if you value personal or even corporate privacy. Modern systems are getting so complex, who can verify what's been hidden in either the hardware or software ?.

This report has really been a wakeup call for me, even though it doesn't impact work here at all. Never even considered that substitute or added h/w might have been fitted, but state level actors have the resources to do just that. Where are most of the management engine cpus made, for example ?...

Chris

Dimiter_Popoff wrote in news:ppapdd$s8$ snipped-for-privacy@dont-email.me:

The word for today is "Incremental"

No guarantees that it will get properly interpreted.

Still not convinced that it ws the update that caused it. Perhaps there was activity taking place during the update that should not have been.

I set all my machines to manual and update regularly with that being all that runs during the update.