upvote

points

by throwa3562625 hours ago |
comments
upvoteby alephnerd5 hours ago|
[-]
Nope. Bloomberg doubled down on it and even Bruce Schneider accepted it despite initially being a skeptic.
reply
upvoteby WillPostForFood2 hours ago|
parent|
next
[-]
What was the last thing Schneier wrote on it? I thought it was this:

I don’t think it’s real. Yes, it’s plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.

https://www.schneier.com/blog/archives/2018/11/that_bloomber...

reply
upvoteby alephnerd2 hours ago|
parent|
[-]
https://www.schneier.com/blog/archives/2021/02/chinese-suppl...

HNers are acting reflexively skeptical (which isn't always a bad thing), but targeted supply chain based attacks conducted by a nation statein the manner described are actually doable, and back when I was still a line-level SWE this was when we started putting significant engineering effort into hardware tampering protections back in the 2015-17 period.

The hardware supply chain incident itself most likely happened in the late 2000s to early 2010s when hardware supply chain security wasn't top of mind as an attack surface.

Modchips targeting contemporaneous gaming systems like the PS1 and PS2 use a similar approach to the SuperMicro incident.

reply
upvoteby unsnap_biceps5 hours ago|
parent|
prev|
next
[-]
I don't believe that there was ever extra chips being added to the boards, but what I could believe is that they shipped with firmware on specific chips that enabled data exfiltration for specific customers and due to a game of telephone with non technical people it turned into "they're adding chips inside the pcb layers!"
reply
upvoteby monocasa2 hours ago|
parent|
[-]
I thought the point was an extra chip in the place of a pull up resistor or something that would edit the firmware image as it made its way across the bus, so you wouldn't see the modifications even if you pulled the flash chip and read it out manually, and would also be persistent across flash updates.
reply
upvoteby protimewaster5 hours ago|
parent|
prev|
next
[-]
There also was a CEO of a hardware security company that came out and said that his firm had found an implanted chip during an audit. IIRC, he was convinced that it was very unlikely to be limited to Supermicro hardware.
reply
upvoteby alephnerd5 hours ago|
parent|
[-]
> he was convinced that it was very unlikely to be limited to Supermicro hardware

Yep. This was why there was a significant movement around mandating Hardware BOMs in both US and EU procurement in the early 2020s.

Also, the time period that the Bloomberg story took place was the late 2000s and early 2010s, when hardware supply chain security was much less mature.

reply
upvoteby greedo5 hours ago|
parent|
prev|
next
[-]
Schneier was simply taking at face value the contents of the Bloomberg article, especially the statement by Mike Quinn who claimed he was told by the Air Force not to include any Supermicro gear in a bid.
reply
upvoteby tumult5 hours ago|
parent|
prev|
[-]
No evidence was ever presented and nobody ever found anything, as far as I can tell?
reply
upvoteby protimewaster5 hours ago|
parent|
[-]
There was a security auditing firm that came out a few days later claiming they'd found a chip, similar to the one Bloomberg described, during a security audit.

It's still nothing concrete, though. Their CEO basically said that they'd found one and that they couldn't say much more about it due to an NDA.

reply