Thursday, October 4th 2018
Chinese Government Allegedly Used Supermicro Motherboards to Spy on US Enterprises
In a development that underlines the national security necessity of moving electronics manufacturing out of China, server motherboards made by Supermicro in China, have been found to carry a "spy chip." This startling development is the result of a secret 2015 US Government investigation unearthed by Bloomberg. The Chinese government has allegedly been using hardware-based spyware in Supermicro motherboards that are manufactured in China; to spy on major American enterprises, including (but not limited to) Amazon Web Services and Apple, among others, who use Supermicro motherboards in their data-centers. The level of surveillance includes attempts to steal trade-secrets and intellectual property.
Fearing loss in business, affected cloud-computing providers, including AWS and Apple, have each posted strong denials that their hardware infrastructure is vulnerable to foreign government surveillance. Apple stated: "We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."
Amazon Web Services (AWS) stated: "As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems." The entity in the middle of the storm, the Chinese Government, posted a more restrained and cryptic denial. "China is a resolute defender of cybersecurity," said a Chinese Foreign Ministry spokesperson.
Sources:
CNBC, Bloomberg
Fearing loss in business, affected cloud-computing providers, including AWS and Apple, have each posted strong denials that their hardware infrastructure is vulnerable to foreign government surveillance. Apple stated: "We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."
73 Comments on Chinese Government Allegedly Used Supermicro Motherboards to Spy on US Enterprises
What about Tyan?
Imagine the fountain of possibilities spouted by a compromised IPMI + iKVM + VGA chip with its own network interface.
While savings matter, your security is on the line.
Every major power spies on every other one. The US was caught at it with its Western allies a few years ago (wikileaks?). Our own GCHQ is no Saint either.
Also, the companies concerned have stated it's not quite like Bloomberg says.
On topic, I'd suggest reading the source article - www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
They have some interesting graphics showing where on the boards the chip was found and some additional details about it.
It just doesn't sound that plausible, there must be more to it, as the size of the chip suggests it can't do much, but maybe it doesn't need to?
edit: Reading more about it just pisses me off. Even as a customer, I hope they get crushed and China isolated even more as well.
Apple also deserves a beating.
"Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons."
www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
edit: Maybe this is a wakeup call to manufacture more in US..... or at least with it's ALLIES. Ugh. If SM decides to do that, I may not remain pissed.
Probable that some of it is true, but the part of it claiming that a chip the size of a SMD has a full CPU and network stack, capable of modifying modern 32-bit OS cores? Lol, no. It's piggybacking off something else, probably the IPMI. It makes me wonder how much else is lost in translation..
I can only imagine how innovative they got if this was just 1st and 2nd gen stuff.