Chinese Government Allegedly Used Supermicro Motherboards to Spy on US Enterprises

[btarunr]

In a development that underlines the national security necessity of moving electronics manufacturing out of China, server motherboards made by Supermicro in China, have been found to carry a "spy chip." This startling development is the result of a secret 2015 US Government investigation unearthed by Bloomberg. The Chinese government has allegedly been using hardware-based spyware in Supermicro motherboards that are manufactured in China; to spy on major American enterprises, including (but not limited to) Amazon Web Services and Apple, among others, who use Supermicro motherboards in their data-centers. The level of surveillance includes attempts to steal trade-secrets and intellectual property.

Fearing loss in business, affected cloud-computing providers, including AWS and Apple, have each posted strong denials that their hardware infrastructure is vulnerable to foreign government surveillance. Apple stated: "We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."



Amazon Web Services (AWS) stated: "As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems.‎" The entity in the middle of the storm, the Chinese Government, posted a more restrained and cryptic denial. "China is a resolute defender of cybersecurity," said a Chinese Foreign Ministry spokesperson.

View at TechPowerUp Main Site

 

[eidairaman1]

Well Supermicro will now be banned from the U.S.

What about Tyan?

 

[R-T-B]

Damn, I was starting to like Supermicro. I am curious what the actual chip is. If this is true, that should be easy to admit, and silence critics.

 

[btarunr]

Damn, I was starting to like Supermicro. I am curious what the actual chip is. If this is true, that should be easy to admit, and silence critics.

I'd point my finger at the IPMI chip.

Imagine the fountain of possibilities spouted by a compromised IPMI + iKVM + VGA chip with its own network interface.

 

[R-T-B]

I'd point my finger at the IPMI chip.

I'd bet on that too but would prefer an official statement.

 

[PerfectWave]

wasnt china scare to be spyed by us when importing server from usa?

 

[Deleted member 50521]

Meanwhile I am pretty sure NSA has been spying on everyone using the now known CPU exploits. Pot calling kettle black.

 

[Divide Overflow]

My company won't touch networking, computer or telecommunications equipment manufactured in China.
While savings matter, your security is on the line.

 

[R-T-B]

Meanwhile I am pretty sure NSA has been spying on everyone using the now known CPU exploits. Pot calling kettle black.

No, that's a tinfoil hat theory if you really understand the exploits. Spectre really isn't suitable for that unless you have about 10 years to acquire 10MBs.

 

[TheoneandonlyMrK]

No, that's a tinfoil hat theory if you really understand the exploits. Spectre really isn't suitable for that unless you have about 10 years to acquire 10MBs.

That's a bit missguided in a way, they don't need 10MB , just a few K's worth of key data and their on legit but i get and agree it's not a very workable initial intrusion.

 

[R-T-B]

That's a bit missguided in a way, they don't need 10MB , just a few K's worth of key data and their on legit but i get and agree it's not a very workable initial intrusion.

I mean that was just an example. Getting ANY data from a chosen point is fiendishly difficult.

 

[BumbleBee]

Chinese make really good food.... I'm just sayin'

 

[the54thvoid]

Meanwhile I am pretty sure NSA has been spying on everyone using the now known CPU exploits. Pot calling kettle black.

Yup.

Every major power spies on every other one. The US was caught at it with its Western allies a few years ago (wikileaks?). Our own GCHQ is no Saint either.
Also, the companies concerned have stated it's not quite like Bloomberg says.

 

[hat]

Also, the companies concerned have stated it's not quite like Bloomberg says.

A likely response, don't you think?

 

[R0H1T]

wasnt china scare to be spyed by us when importing server from usa?

The Chinese, mainly CCP, are lying hypocrites ~ news @11

No, that's a tinfoil hat theory if you really understand the exploits. Spectre really isn't suitable for that unless you have about 10 years to acquire 10MBs.

Depends on the exploit, there's also meltdown & a few others like SGX & possibly another huge one that'll be revealed later this year

 

[TheLostSwede]

Chinese make really good food.... I'm just sayin'

You mean this stuff?

On topic, I'd suggest reading the source article - https://www.bloomberg.com/news/feat...ny-chip-to-infiltrate-america-s-top-companies
They have some interesting graphics showing where on the boards the chip was found and some additional details about it.
It just doesn't sound that plausible, there must be more to it, as the size of the chip suggests it can't do much, but maybe it doesn't need to?

 

[The Terrible Puddle]

So Amazon and Apple are quick to come out and defend China

 

[R0H1T]

So Amazon and Apple are quick to come out and defend China

No they're defending themselves because if god forbid they knew about this, then they could be sued into oblivion & not just in the US, not to mention their brands would forever be tarnished.

 

[R-T-B]

Yup.

Every major power spies on every other one. The US was caught at it with its Western allies a few years ago (wikileaks?). Our own GCHQ is no Saint either.
Also, the companies concerned have stated it's not quite like Bloomberg says.

I agree, just not with the idea that Spectre was being used. I am certain something was though.

 

[Frick]

I'd point my finger at the IPMI chip.

Imagine the fountain of possibilities spouted by a compromised IPMI + iKVM + VGA chip with its own network interface.

That's the consensus.

It just doesn't sound that plausible, there must be more to it, as the size of the chip suggests it can't do much, but maybe it doesn't need to?

If all it does is giving them control over the BMC ... that is quite enough for many things to be done.

 

[TheoneandonlyMrK]

That's the consensus.



If all it does is giving them control over the BMC ... that is quite enough for many things to be done.

Kind of like dells server issues atm.

 

[Frick]

Kind of like dells server issues atm.

What issues are those?

 

[TheoneandonlyMrK]

What issues are those?

Said that they have older generation dmc (?i think that's what their called but network admin pc in the backend)hacked firmware issues

 

[StrayKAT]

lol.. damn. X299 Supermicro owner here. Hopefully it isn't affected. It may be Taiwan made.

edit: Reading more about it just pisses me off. Even as a customer, I hope they get crushed and China isolated even more as well.

Apple also deserves a beating.

"Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons."

https://www.bloomberg.com/news/feat...ny-chip-to-infiltrate-america-s-top-companies


edit: Maybe this is a wakeup call to manufacture more in US..... or at least with it's ALLIES. Ugh. If SM decides to do that, I may not remain pissed.

 

[R-T-B]

I'm calling BS somewhere in that bloomberg article... big time. Some of the things they are claiming just aren't feasible (unless China has a secret 2nm node or something)...

Probable that some of it is true, but the part of it claiming that a chip the size of a SMD has a full CPU and network stack, capable of modifying modern 32-bit OS cores? Lol, no. It's piggybacking off something else, probably the IPMI. It makes me wonder how much else is lost in translation..