
Not really, neither this nor the original article claimed it was done on a mass scale (i.e. every machine coming off the line). It was likely only done to juicy targets.


So, what, some time after the line, after a sale was made, during fulfillment, a Chinese super-spy managed to open up specific server that the juicy target was getting and solder some special chip onto the board somehow in a way that worked instead of bricking the board?

I mean, honestly, hats off if that's the case. That would be pretty cool. But you need actual evidence for such a tale.


>So, what, some time after the line, after a sale was made, during fulfillment, a Chinese super-spy managed to open up specific server that the juicy target was getting and solder some special chip onto the board somehow in a way that worked instead of bricking the board?

I'm not sure why you're implying that you need a super-spy to pull this off. If this was done at the factory level they likely had access to the same manufacturing equipment used to make the motherboards, so there's no need to manually solder anything. The implant was alleged to be a surface-mount component so it could be as simple as reprogramming the pick-and-place machine or swapping out the reels. Given that this is China, enlisting a couple of technicians to your cause wouldn't be too hard[1]. From there, once they figure out a particular order is going to a juicy target, they can ship the bugged boards in place of the untampered boards.

> But you need actual evidence for such a tale.

Agreed. My main takeaway from the article is that this hack could happen, not necessarily that it has happened.

[1] it's not unlike the concerns that there are NSA backdoors in Intel CPUs (e.g. AMT/vPro, or RDRAND), or Windows (NSAKEY).


> I'm not sure why you're implying that you need a super-spy to pull this off.

The factory doesn't have assembly lines marked like 'for Apple', 'for the NSA'. It's just an assembly line making a bunch of identical boards. You'd have to identify a specific board way after it's left the assembly line, and probably after being integrated into a chassis to put your spy chip on it if it's targeted at a specific customer.


The way we in the West do it is intercept the shipment en route and make modifications in a special facility. TAO have significant hardware capabilities and do this stuff routinely.

It's not some giant leap of the imagination.


So what you are saying is that they (China?) can and do intercept shipments from Supermicro inside the US? Or how do you get the chip onto the correct piece of hardware when you don't know where each motherboard ends up when it leaves the factory?



1. Make a batch of bugged boards

2. Wait for an order from Apple

3. Add the bugged boards

If the warehouses and manufacturing lines are all in China (as is the case with just in time manufacturing) I don't see why this is difficult to pull off.


I'd expect shipments across the Pacific to be aggregated into the smallest possible number of containers and only subdivided into batches for individual customers at the last possible moment, in order to minimize both transportation cost and the risk that any single customer loses their entire order when a container falls off the ship.

Is that not how it works? If so, I'd like to know why.


That'd depend on how the shipping is done. What you described would apply for something like retail, where the factory only deals/sells to a distributor (stateside), which then sells/ships them to retailers. Under that setup it would be hard to accurately predict where a particular motherboard would end up at the factory. However, I suspect for large orders, they won't bother with that and would send an entire shipping container or pallet to the customer straight from the factory.


Google “NSA Interdiction”, tons of news articles detailing them “upgrading” target shipments of laptops, networking gear, and other electronics.


> a Chinese super-spy managed to open up specific server that the juicy target was getting and solder some special chip onto the board ...

That's pretty much it (if the story is not bullshit). That, or cooperation from Supermicro or whoever was their distributor to the target.


Surely a "juicy target" then would have sufficient resources to confirm or deny this? Last time this came out though, both Apple and Amazon -- who use SuperMicro servers -- explicitly denied that the servers were compromised.


I’m surprised you are surprised by this. Did you expect them to admit their servers were compromised?


They admitted it when they discovered the NSA was tapping their fiber links. They not only admitted it, they were furious, and encrypted all their internal traffic.

What's more, they didn't just keep quiet, they made very strong public denials, the kind that would result in SEC and shareholder lawsuits if they were proven to be false.


From the outside Apple (the company) looks to be a lot more subservient when it comes to its relations with China compared with its relations with the US government. Parts of the second one can be bought/lobbied almost all the way to the top, China is a little bit more challenging for a Western company, there's Xi and a handful of his underlings who can decide your future as a company on the mainland.


China reacts differently than the US. If you publicly bad mouth the Chinese government there are consequences.

Contrast this to a public showing of anger against the NSA which is beneficial to the company and to the NSA. The NSA wants users to feel secure and not take other measures.

Shareholders can sue for anything (everything is securities fraud), the act of exposing client details to the NSA without telling shareholders is no less problematic than continuing to lie to shareholders about dealings with the NSA.


On one hand, no, but on the other hand I would expect that they preempt inevitable leaks of such information.


I would go through a zero-day bug instead of this. If one can build a single chip which reads sensitive data from the hard disk, steals a private key from main memory, and sends data via the Ethernet port, that chip must have a lot of pins connecting to the PCIe bus, QPI etc., and be super complex. This super spy chip must use the latest technology to build, such as TSMC, which is not possible in mainland China.


>If one can build a single chip which read sensitive data from hard disk, steal private key from main memory, and send data via the ethernet port, that chip must have a lot of pins connecting to pcie bus, qpi etc., and super complex.

Nope, if you read the original article the chip is much simpler than what you described.

>the primary role of implants such as these is to open doors that other attackers can go through. [...] In simplified terms, the implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say. This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.


These buses are operating at gigahertz speeds with nanosecond timings. You would need cutting edge chips to do that. The note is correct. They could of course be manufactured, but it would be very hard and very noticeable.



