Chinese Government Allegedly Used Supermicro Motherboards to Spy on US Enterprises

[Xzibit]

Ouch..

I can only imagine how innovative they got if this was just 1st and 2nd gen stuff.

the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached

 

[StrayKAT]

I'm calling BS somewhere in that bloomberg article.

Probable that some of it is true, but the part of it claiming that a chip the size of a SMD has a full CPU and network stack, capable of modifying modern 32-bit OS cores? Lol, no. It's piggybacking off something else, probably the IPMI. It makes me wonder how much else is lost in translation..

I'm a bit more ignorant than you....I wasn't sure what to think. Thanks for the heads up.

Just wrote SM asking about their consumer boards. I doubt it's tampered with, but gave them some friendly advice anyhow. Tried not to be a jerk (just so they'll listen and not close my email immediately).

 

[R-T-B]

Ouch..

I can only imagine how innovative they got if this was just 1st and 2nd gen stuff.

See? Stuff like that makes me doubt this was even real, because if it really was that small, there would be pretty much no way to reverse engineer it at the level of complexity they are talking. And how the heck did they even ID them in the first place if they are literally inside the hardware?

Either China has made 20 years of tech advances past us and has not told anyone, or something is being lost in translation. Or it's outright fake.

I want to see a guide on how to find these chips... I'm growing more skeptical by the minute.

 

[StrayKAT]

Part of the reason I liked SM was so many of it's employees (and some components... say.. like TI) were based in the US. Oh, the irony.

See? Stuff like that makes me doubt this was even real, because if it really was that small, there would be pretty much no way to reverse engineer it at the level of complexity they are talking. And how the heck did they even ID them in the first place if they are literally inside the hardware?

Either China has made 20 years of tech advances past us and has not told anyone, or something is being lost in translation. Or it's outright fake.

I want to see a guide on how to find these chips... I'm growing more skeptical by the minute.

Well, it's real enough to plummet their stock. If it's fake, someone is playing some serious games on them.

 

[R-T-B]

Part of the reason I liked SM was so many of it's employees (and some components... say.. like TI) were based in the US. Oh, the irony.

You know, far be it for me to praise the tariff plan, but if this is real, we need to get the frick away from China and I'd say forget about tariffs. Lets talk an electronics embargo...

The scarriest answer to me here is that this is 100% true, because if so, holy shit did we miss something. This is like the Oslo Report all over again...

 

[StrayKAT]

You know, far be it for me to praise the tariff plan, but if this is real, we need to get the frick away from China and I'd say forget about Tariffs. Lets talk an electronics embargo...

That was quick. The same guy who has walked me through some technical issues before wrote back. But he just redirected me to a press release refuting the Bloomberg article. lol

https://www.supermicro.com/newsroom/pressreleases/2018/press181004_Bloomberg.cfm

 

[R-T-B]

That was quick. The same guy who has walked me through some technical issues before wrote back. But he just redirected me to a press release refuting the Bloomberg article. lol

https://www.supermicro.com/newsroom/pressreleases/2018/press181004_Bloomberg.cfm

He's just doing what he's told I am sure lol.

 

[StrayKAT]

He's just doing what he's told I am sure lol.

Unfortunately true. That said, I believe the founder (especially) and majority of employees are OK.. but they still could have been duped.

 

[R-T-B]

Unfortunately true. That said, I believe the founder (especially) and majority of employees are OK.. but they still could have been duped.

Sounds like a few PRC officers came in at point of assembly and told them "install this, it's just a resistor" or something such and they knew better than to question it. Or report it.

That's assuming I understand it 100%. Still a ton of questions.

 

[Xzibit]

See? Stuff like that makes me doubt this was even real, because if it really was that small, there would be pretty much no way to reverse engineer it at the level of complexity they are talking. And how the heck did they even ID them in the first place if they are literally inside the hardware?

Either China has made 20 years of tech advances past us and has not told anyone, or something is being lost in translation. Or it's outright fake.

I want to see a guide on how to find these chips... I'm growing more skeptical by the minute.

Thats alot of sources that feed them false info if its false. Outlets are citing Bloomberg had 17 separate sources on this, inside the companies and in government.

Looks like some reports are pointing the finger at Sub-contractors.

Lawsuits are coming

Super Micro (SMCI) Investigated by Block & Leviton LLP For Violations of Federal Securities Laws

Recover Losses: Ademi & O'Reilly, LLP Investigates Possible Securities Fraud of Super Micro Computer, Inc.

INVESTOR ALERT: Law Offices of Howard G. Smith Announces Investigation on Behalf of Super Micro Computer, Inc. Investors (SMCI)

Just a handful in the last two hours

 

[NdMk2o1o]

That was quick. The same guy who has walked me through some technical issues before wrote back. But he just redirected me to a press release refuting the Bloomberg article. lol

https://www.supermicro.com/newsroom/pressreleases/2018/press181004_Bloomberg.cfm

So after hours of this breaking news, fake or not, you send a support email/contact us email and their tech support guy who is definitely not on a need to know basis flat out denies it... I mean, if they are going to lie to the US gov't and major global powerhouse brands like amazon and apple, why in the hell did you think they would outright admit it to you? Though you mention their stock dropping, could well be manipulation?

On topic, wouldn't surprise me if true as the Chinese government has a lot more control over their top tech companies than western countries do, though as a non-governmental employee and an average joe, do I care more about China having my data than the US, UK and every other western super power monitoring it's subjects straight out of Orwell's 1984? no, not really. As it has already been mentioned, our own governments are up to far more sinister things than this on their own people, god know's what kind of tactics they employ to a foreign adversary government if that's how we as "citizens" are monitored.

 

[R-T-B]

Thats alot of sources that feed them false info if its false. Outlets are citing Bloomberg had 17 separate sources on this, inside the companies and in government.

Looks like some reports are pointing the finger at Sub-contractors.

Lawsuits are coming

Super Micro (SMCI) Investigated by Block & Leviton LLP For Violations of Federal Securities Laws

Recover Losses: Ademi & O'Reilly, LLP Investigates Possible Securities Fraud of Super Micro Computer, Inc.

INVESTOR ALERT: Law Offices of Howard G. Smith Announces Investigation on Behalf of Super Micro Computer, Inc. Investors (SMCI)

Just a handful in the last two hours

I know. And I don't say that lightly... but it breaks down my understanding of everything that is possible in computing. Which is why I assume bloomberg just failed in dumbing it down. As I said, the most likely scenario is it NOT running it's own processor as they claim, but piggybacking off the IPMI chip (which, convieniently has a netstack). Irrelevant to their audience maybe, but details like that drive me nuts, and make me wonder what else they missed.

If what they actually said is true it scares me to my core, because that should not be physically possible with present processes (let alone thermal issues). It would be like getting the Oslo report prior to WW2: Hard to believe. Doesn't make it false though.

 

[StrayKAT]

So after hours of this breaking news, fake or not, you send a support email/contact us email and their tech support guy who is definitely not on a need to know basis flat out denies it... I mean, if they are going to lie to the US gov't and major global powerhouse brands like amazon and apple, why in the hell did you think they would outright admit it to you? Though you mention their stock dropping, could well be manipulation?

On topic, wouldn't surprise me if true as the Chinese government has a lot more control over their top tech companies than western countries do, though as a non-governmental employee and an average joe, do I care more about China having my data than the US, UK and every other western super power monitoring it's subjects straight out of Orwell's 1984? no, not really. As it has already been mentioned, our own governments are up to far more sinister things than this on their own people, god know's what kind of tactics they employ to a foreign adversary government if that's how we as "citizens" are monitored.

It was partly just to politely criticize.. but I spoke to the guy before, so I was hoping he had some insight. Worth a chance at least, but I'm not surprised.

It's true about our government... although what if I said even our own agencies work against each other and try to block or infiltrate each other's systems?

I trust Army/military intelligence however. That's about it.

 

[btarunr]

Super Micro (SMCI) Investigated by Block & Leviton LLP For Violations of Federal Securities Laws

Recover Losses: Ademi & O'Reilly, LLP Investigates Possible Securities Fraud of Super Micro Computer, Inc.

INVESTOR ALERT: Law Offices of Howard G. Smith Announces Investigation on Behalf of Super Micro Computer, Inc. Investors (SMCI)

Just a handful in the last two hours

I'm sure when those lawyers launch discovery, they'll find zilch. Big customers like AWS buy directly from hardware manufacturers, with no importer, distributor or retailer in the middle. It's entirely possible that someone at Supermicro's ODM in China, or a stateside Supermicro employee working for Chinese intelligence, was aware that a batch of motherboards is headed to AWS and only that batch should have embedded spyware. The only way a law firm can get its hands on a compromised board is if AWS or Apple hands them one (which they won't, because as others said, they'd be burned at the stake for using compromised hardware). If pushed, they'll just give them uncompromised boards.

 

[TheGuruStud]

Meanwhile I am pretty sure NSA has been spying on everyone using the now known CPU exploits. Pot calling kettle black.

NSA is/was intercepting cisco routers in transit and flashing them with backdoors. There’s no need to bother with those exploits. They’ll just physically get a hold of it and install their own.

 

[TheoneandonlyMrK]

I'm calling BS somewhere in that bloomberg article... big time. Some of the things they are claiming just aren't feasible (unless China has a secret 2nm node or something)...

Probable that some of it is true, but the part of it claiming that a chip the size of a SMD has a full CPU and network stack, capable of modifying modern 32-bit OS cores? Lol, no. It's piggybacking off something else, probably the IPMI. It makes me wonder how much else is lost in translation..

these things are( based )(right im going bed) best weighed through reasonable eyes, there is possibly some truth to some of it but its likely the chinese whispered version were now getting.

 

[R-T-B]

NSA is/was intercepting cisco routers in transit and flashing them with backdoors. There’s no need to bother with those exploits. They’ll just physically get a hold of it and install their own.

They make the hardware, we make the software. Different tools, same goal.

 

[StrayKAT]

FYI: Not to downplay the NSA, but they're analysts and eggheads. They get too much attention. The ones you should really worry about are the CIA.. making use of NSA data and directing the same crap at Home that they've long been doing elsewhere (then again, they've been doing that anyways. Some well known stuff now is Operation Mockingbird.. where the CIA has planted itself inside and directed the media. They said they stopped. Heh).

 

[TheGuruStud]

FYI: Not to downplay the NSA, but they're analysts and eggheads. They get too much attention. The ones you should really worry about are the CIA.. making use of NSA data and directing the same crap at Home that they've long been doing elsewhere (then again, they've been doing that anyways. Some well known stuff now is Operation Mockingbird.. where the CIA has planted itself inside and directed the media. They said they stopped. Heh).

CIA is the largest terrorist organization in the world (scope and power). They directly arm ISIS and whatever flavor of the day, overthrow govts, transport/sell drugs, and on and on.

So, yep. FBI is criminal enough, but CIA is insane.

 

[R-T-B]

I'm not sure I buy into that level of criminal conspiracy. But then again, I don't really know what to think anymore. I just know I like my findings with a side of supporting evidence, which often times is lacking once you go down the rabbit hole.

 

[btarunr]

Probable that some of it is true, but the part of it claiming that a chip the size of a SMD has a full CPU and network stack, capable of modifying modern 32-bit OS cores? Lol, no. It's piggybacking off something else, probably the IPMI.

That chip is small enough to be a 7-pin SPI flash fabbed on a sub-30nm node with just enough space for 32 MB (looking at 20 nm-class planar flash densities). Your smartphone's EFI ROM is probably stored on a chip that size. The IPMI chip probably reads that flash first and in its absence, reads the bigger more visible flash chip located near the chip. I agree, the best guess is a compromised IPMI chip that's reading custom firmware off a very tiny SPI chip.

 

[R0H1T]

I'm sure when those lawyers launch discovery, they'll find zilch. Big customers like AWS buy directly from hardware manufacturers, with no importer, distributor or retailer in the middle. It's entirely possible that someone at Supermicro's ODM in China, or a stateside Supermicro employee working for Chinese intelligence, was aware that a batch of motherboards is headed to AWS and only that batch should have embedded spyware. The only way a law firm can get its hands on a compromised board is if AWS or Apple hands them one (which they won't, because as others said, they'd be burned at the stake for using compromised hardware). If pushed, they'll just give them uncompromised boards.

Which makes it even more alarming, I wonder if Google/FB or MS are also in the line of fire.

 

[TheLostSwede]

Just a comment in terms of the size of the chip, it's clearly not impossible, considering things like this has been developed https://news.umich.edu/u-m-researchers-create-worlds-smallest-computer/
That's a full-on Cortex-M0+ with additional components at 0.3mm...
Obviously this is cutting edge research stuff, but that's much smaller than the part claimed to be used here.

 

[Vayra86]

A likely response, don't you think?

Likely doesn't mean untrue.

Its always nice to see 'who benefits the most' in these kinds of things.

And the US benefits the most from this. Its no coincidence this information gets out at the moment it does, there is a flood of anti-China sentiment in all media the past few months. Boy I wonder why.

It would be wise to question everything at this point - from every angle - and take it with a bucketload of salt.

 

[R-T-B]

Just a comment in terms of the size of the chip, it's clearly not impossible, considering things like this has been developed https://news.umich.edu/u-m-researchers-create-worlds-smallest-computer/
That's a full-on Cortex-M0+ with additional components at 0.3mm...
Obviously this is cutting edge research stuff, but that's much smaller than the part claimed to be used here.

I’m speaking in terms of the fabs China has quiet, likely native access to. Of what is known, this greatly limits them.

That chip is small enough to be a 7-pin SPI flash fabbed on a sub-30nm node with just enough space for 32 MB (looking at 20 nm-class planar flash densities). Your smartphone's EFI ROM is probably stored on a chip that size. The IPMI chip probably reads that flash first and in its absence, reads the bigger more visible flash chip located near the chip. I agree, the best guess is a compromised IPMI chip that's reading custom firmware off a very tiny SPI chip.

That’s plausible, but not what was reported.