EmbeddedRelated.com

Supermicro server motherboards with hardware backdoor?

Started by Clifford Heath October 4, 2018
On 06/10/18 13:12, Jeff Liebermann wrote:
> On 05 Oct 2018 16:28:21 +0100 (BST), Theo Markettos
> <theom+news@chiark.greenend.org.uk> wrote:
>> In comp.arch.embedded Clifford Heath <no.spam@please.net> wrote:
>>> Whether it turns out to be true or not, this will be the biggest
>>> security blockbuster of the decade.
>>>
>>> <https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies>
>
>> This is my analysis:
>> https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
>> Theo
>
> Thanks. Nicely thought out blog article. I agree that putting the
> chip on the SPI bus would be the ideal location. I might add that it
> would be possible to add microcode instructions to the CPU via the SPI
> bus (depending on how the added chip is wired into the system).
>
> Some deficiencies and unanswered questions in the original Bloomberg
> article:
>
> 1. Since Bloomberg apparently has possession of several of these
> mystery chips

They don't claim that, and we don't know it. The motherboard
photos could have been sent by their inside source. It would
have been much more risky to provide a whole MB to Bloomberg.
The chip photos are probably something off Digikey.

If they don't have the board or chips, the rest of your questions
don't matter.

Clifford Heath.
On Sat, 6 Oct 2018 13:42:59 +1000, Clifford Heath <no.spam@please.net>
wrote:

>On 06/10/18 13:12, Jeff Liebermann wrote:
>> On 05 Oct 2018 16:28:21 +0100 (BST), Theo Markettos
>> <theom+news@chiark.greenend.org.uk> wrote:
>>> In comp.arch.embedded Clifford Heath <no.spam@please.net> wrote:
>>>> Whether it turns out to be true or not, this will be the biggest
>>>> security blockbuster of the decade.
>>>>
>>>> <https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies>
>>
>>> This is my analysis:
>>> https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
>>> Theo
>>
>> Thanks. Nicely thought out blog article. I agree that putting the
>> chip on the SPI bus would be the ideal location. I might add that it
>> would be possible to add microcode instructions to the CPU via the SPI
>> bus (depending on how the added chip is wired into the system).
>>
>> Some deficiencies and unanswered questions in the original Bloomberg
>> article:
>>
>> 1. Since Bloomberg apparently has possession of several of these
>> mystery chips
>
>They don't claim that, and we don't know it. The motherboard
>photos could have been sent by their inside source. It would
>have been much more risky to provide a whole MB to Bloomberg.
>The chip photos are probably something off Digikey.
>
>If they don't have the board or chips, the rest of your questions
>don't matter.
>
>Clifford Heath.

Good point. If they don't have physical possession of a working chip
and/or motherboard, then that's the end of the physical evidence
making literally everything written so far no better than speculation.

Incidentally, the photo of the chip and the finger look edited:
<https://assets.bwbx.io/images/users/iqjWHBFdfxIU/i9VdsjZLS_Pk/v1/600x-1.jpg>
At that level of magnification, the ridges of the finger and the nail
show substantial levels of dirt, cuts, and irregularities. Most
people's palm and back of the hand are different colors. To produce a
perfectly rounded edge view, clean nails, clean ridges, a uniform
color requires considerable photo editing. Since the chip seems to be
back lighted, while the finger is lighted most from the right side, I
would guess that the chip was added to the finger photo. Looking
again at the solder plate on the chip, I'm sure it's never been
attached to a PCB.

Fake news? I think so.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Clifford Heath wrote:
>On 06/10/18 13:12, Jeff Liebermann wrote:
>> On 05 Oct 2018 16:28:21 +0100 (BST), Theo Markettos
>> <theom+news@chiark.greenend.org.uk> wrote:
>>> In comp.arch.embedded Clifford Heath <no.spam@please.net> wrote:
>>>> Whether it turns out to be true or not, this will be the biggest
>>>> security blockbuster of the decade.
>>>>
>>>>
>>>> <https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies>
>>
>>> This is my analysis:
>>> https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
>>> Theo
>>
>> Thanks. Nicely thought out blog article. I agree that putting the
>> chip on the SPI bus would be the ideal location. I might add that it
>> would be possible to add microcode instructions to the CPU via the SPI
>> bus (depending on how the added chip is wired into the system).
>>
>> Some deficiencies and unanswered questions in the original Bloomberg
>> article:
>>
>> 1. Since Bloomberg apparently has possession of several of these
>> mystery chips
>
>They don't claim that, and we don't know it. The motherboard
>photos could have been sent by their inside source. It would
>have been much more risky to provide a whole MB to Bloomberg.
>The chip photos are probably something off Digikey.
>
>If they don't have the board or chips, the rest of your questions
>don't matter.

He has a good analysis IMNSHO.
Sure hand anything to the press, especially the biased press, and it will publish that.
The whole issue here is to get the reality show manager re-elected, mid-terms are knocking on the door,
keep republicans in power, create a common enemy, standard stuff.
Truth and 'tronics has little to do with it.

Any kid can make up this story.

Maybe that 'chip dot' is just flea poop, like the rest of what the reality lost show manager does.
And as significant as that.

At the same time companies like Apple may hand all user data to China, they only have to ask for it..

Money, sales, profit is the law. Snake oil is the trade.
:-)
Oh well...
remember in the last cold war how Russia was accused of spying on every one...
Now US does it as one bigger number.

And there is nothing to know really, of value, that China does not already have, or can do better.
That includes running a country.
Jeff Liebermann <jeffl@cruzio.com> wrote in 
news:n07grdlc3jdr2ssnej54fakvilrdka07u1@4ax.com:

> 1. Since Bloomberg apparently has possession of several of these
> mystery chips, why hasn't anyone done an autopsy or xray analysis on
> what's inside?

Did you even read the article? Did you not see the picture of what the chip contained? And I am quite sure that the DoD's investigation into it was much more comprehensive than a news agency's most elite hardware nerd.
Jeff Liebermann <jeffl@cruzio.com> wrote in 
news:n07grdlc3jdr2ssnej54fakvilrdka07u1@4ax.com:

> Microsoft's October 2018 Windoze 10 update destroying customer data.
Bullshit. Operator error. Always backup first for one thing, and I still think you did something to cause the loss. And you do not have an instantaneous mirror on another machine for their data? Sounds like something Trump would say.
On Friday, October 5, 2018 at 11:12:30 PM UTC-4, Jeff Liebermann wrote:
> On 05 Oct 2018 16:28:21 +0100 (BST), Theo Markettos
> <theom+news@chiark.greenend.org.uk> wrote:
>
> >In comp.arch.embedded Clifford Heath <no.spam@please.net> wrote:
> >> Whether it turns out to be true or not, this will be the biggest
> >> security blockbuster of the decade.
> >>
> >> <https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies>
>
> >This is my analysis:
> >https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
> >Theo
>
> Thanks. Nicely thought out blog article. I agree that putting the
> chip on the SPI bus would be the ideal location. I might add that it
> would be possible to add microcode instructions to the CPU via the SPI
> bus (depending on how the added chip is wired into the system).
>
> Some deficiencies and unanswered questions in the original Bloomberg
> article:
>
> 1. Since Bloomberg apparently has possession of several of these
> mystery chips, why hasn't anyone done an autopsy or xray analysis on
> what's inside? From the few photos, it looks like a resistor network.
> <https://www.siricomindia.com/wp-content/uploads/2016/08/Chip-Resistor-array-300x300.jpg>

Actually it looks very little like those types of parts. The article mentioned that it looks like a specific type of device. I'm confident they made this look exactly like some specific device.

> 2. If I wanted to compromise a server, it would be much easier to add a
> few more undocumented instructions to an existing chip, such as a bus
> controller (which sees the entire data bus), than to add a new device
> that might be detected by the production equipment that uses optical
> comparators to detect missing, backwards, and misaligned components. A
> white alumina or porcelain chip, among the usual brown ceramic chips,
> would be easily visible.

AOI (Automated Optical Inspection) works by being trained on a known good board. It looks at and for expected chips. I'm pretty sure they don't have built in any capability of looking for extraneous parts although I'm sure they are adding that now.

> 3. The photos of the mystery chip seem a little odd:
> <https://assets.bwbx.io/images/users/iqjWHBFdfxIU/i9VdsjZLS_Pk/v1/-1x-1.jpg>
> The solder pads on the sides of the chip look slightly oxidized and do
> not look like anything that has been unsoldered by a hot air SMT
> desoldering station, where the solder would be shiny and tends to
> collect near the PCB side of the chip.

Most units are built to RoHS standards and the solder is definitely not very shiny. It typically is very grainy just as in the photo.

> 4. What is a "signal conditioning coupler"?
> <http://www.samsungsem.com/global/product/passive-component/chip-resistor/array/index.jsp>
> <https://hexus.net/media/uploaded/2018/10/eb42add4-0827-4831-b6c7-8409fb539eb1.jpg>

I believe they are talking about EMI filters. Notice the similarity to the device on this page.

https://www.murata.com/en-us/products/emiconfun/emc/2014/04/24/en-20140424-p1

> 5. With a PCB and chip in Bloomberg's possession, it would be fairly
> easy to determine how it was connected into the server. This should
> have been done before announcing to the world that they had discovered
> a spy chip, rather than discovering a capacitor or termination
> resistor.

I don't think Bloomberg was doing any of the work and I seriously doubt they have possession of any spy chips. More likely is that every device you see in the pictures are the commercial chips the spy chip was designed to look like.

> 6. There seems to be nearly zero demonstrable information on how
> the chip could actually do something useful. Plenty of theoretical
> possibilities, but nothing that an SPI or serial bus analyzer couldn't
> handle.
>
> etc...
>
> Not currently having the answers to these questions doesn't bother me.
> The lack of anyone close to the source actually bothering to answer
> them does bother me.

Maybe that's because it is spy stuff and they don't wish to reveal every detail of what they know.

> Sorry to be so vague but I've had a rotten day dealing with
> Microsoft's October 2018 Windoze 10 update destroying customer data.
> This has not been a good day.
> <https://www.google.com/search?q=windows+10+update+erase+user+files&tbs=qdr:w>

Yeah, I've been reading a bit about that. Don't they back up data before performing updates?

Rick C.
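
The inspection gap raised in the post above (a check trained on a known good board confirms expected parts but says nothing about extra ones) can be shown with a small golden-board comparison. This is an added example, not part of the thread and not any AOI vendor's code; the part names, coordinates and tolerances are constructed.

```python
from dataclasses import dataclass
from math import hypot


@dataclass(frozen=True)
class Placement:
    refdes: str    # reference designator on the golden board
    package: str   # footprint the inspection expects at that spot
    x: float       # centre position in mm
    y: float


# Constructed golden reference (hypothetical board, not real product data).
GOLDEN = [
    Placement("U12", "SOIC-8", 40.0, 22.5),
    Placement("R101", "0402", 43.1, 20.0),
    Placement("C57", "0402", 45.0, 20.0),
    Placement("FL3", "0603-array", 47.2, 24.0),
]

# Constructed detections from a board under test: (package, x, y).
DETECTED = [
    ("SOIC-8", 40.05, 22.48),
    ("0402", 43.1, 20.02),
    ("0402", 45.0, 20.0),
    ("0603-array", 47.2, 24.0),
    ("0603-array", 41.5, 25.3),   # nothing on the golden board here
]


def inspect(golden, detected, tol_mm=0.2, search_mm=1.0):
    """Match detections to golden placements.

    Returns (missing, misaligned, extraneous). A check that stops at the
    first two lists only confirms that the expected parts are present.
    """
    unclaimed = list(detected)
    missing, misaligned = [], []
    for part in golden:
        # Same-package detections within the search window of this placement.
        near = [
            (hypot(x - part.x, y - part.y), (pkg, x, y))
            for pkg, x, y in unclaimed
            if pkg == part.package
        ]
        near = [c for c in near if c[0] <= search_mm]
        if not near:
            missing.append(part.refdes)
            continue
        dist, hit = min(near, key=lambda c: c[0])
        unclaimed.remove(hit)
        if dist > tol_mm:
            misaligned.append((part.refdes, round(dist, 2)))
    # Whatever no golden placement claimed is an unexpected component.
    return missing, misaligned, unclaimed


def expected_only_pass(golden, detected):
    """The trained-on-known-good verdict: unclaimed detections are ignored."""
    missing, misaligned, _ = inspect(golden, detected)
    return not missing and not misaligned


if __name__ == "__main__":
    verdict = "PASS" if expected_only_pass(GOLDEN, DETECTED) else "FAIL"
    print("expected-only verdict:", verdict)
    print("extraneous parts:", inspect(GOLDEN, DETECTED)[2])
```

The sample board passes the expected-only check while the third list still reports the unclaimed part, which is the distinction the post draws.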
On Saturday, October 6, 2018 at 12:02:36 AM UTC-4, Jeff Liebermann wrote:
> On Sat, 6 Oct 2018 13:42:59 +1000, Clifford Heath <no.spam@please.net>
> wrote:
>
> >On 06/10/18 13:12, Jeff Liebermann wrote:
> >> On 05 Oct 2018 16:28:21 +0100 (BST), Theo Markettos
> >> <theom+news@chiark.greenend.org.uk> wrote:
> >>> In comp.arch.embedded Clifford Heath <no.spam@please.net> wrote:
> >>>> Whether it turns out to be true or not, this will be the biggest
> >>>> security blockbuster of the decade.
> >>>>
> >>>> <https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies>
> >>
> >>> This is my analysis:
> >>> https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
> >>> Theo
> >>
> >> Thanks. Nicely thought out blog article. I agree that putting the
> >> chip on the SPI bus would be the ideal location. I might add that it
> >> would be possible to add microcode instructions to the CPU via the SPI
> >> bus (depending on how the added chip is wired into the system).
> >>
> >> Some deficiencies and unanswered questions in the original Bloomberg
> >> article:
> >>
> >> 1. Since Bloomberg apparently has possession of several of these
> >> mystery chips
>
> >They don't claim that, and we don't know it. The motherboard
> >photos could have been sent by their inside source. It would
> >have been much more risky to provide a whole MB to Bloomberg.
> >The chip photos are probably something off Digikey.
> >
> >If they don't have the board or chips, the rest of your questions
> >don't matter.
> >
> >Clifford Heath.
>
> Good point. If they don't have physical possession of a working chip
> and/or motherboard, then that's the end of the physical evidence
> making literally everything written so far no better than speculation.

What? Bloomberg is not an analysis lab. They are reporting news. The fact that Bloomberg doesn't have the engineering data or devices doesn't mean they don't have the info.

> Incidentally, the photo of the chip and the finger look edited:
> <https://assets.bwbx.io/images/users/iqjWHBFdfxIU/i9VdsjZLS_Pk/v1/600x-1.jpg>

Duh!

> At that level of magnification, the ridges of the finger and the nail
> show substantial levels of dirt, cuts, and irregularities. Most
> people's palm and back of the hand are different colors. To produce a
> perfectly rounded edge view, clean nails, clean ridges, a uniform
> color requires considerable photo editing. Since the chip seems to be
> back lighted, while the finger is lighted most from the right side, I
> would guess that the chip was added to the finger photo. Looking
> again at the solder plate on the chip, I'm sure it's never been
> attached to a PCB.

This is called, presentation. Most likely the finger is from a more than perfectly manicured hand model. In fact, I was pretty amazed by how perfect it is. This guy must wear gloves all day and a manicurist is at the photo shoot!

> Fake news? I think so.

Huh? You need to get out more. Not fake news, just a very well written and well illustrated article in a web publication. If JL hand draws a graph or schematic in one of his doodles, does that make it a fake design?

Rick C.
On Saturday, October 6, 2018 at 2:03:28 AM UTC-4, 69883925...@nospam.org wrote:
> Clifford Heath wrote:
> >On 06/10/18 13:12, Jeff Liebermann wrote:
> >> On 05 Oct 2018 16:28:21 +0100 (BST), Theo Markettos
> >> <theom+news@chiark.greenend.org.uk> wrote:
> >>> In comp.arch.embedded Clifford Heath <no.spam@please.net> wrote:
> >>>> Whether it turns out to be true or not, this will be the biggest
> >>>> security blockbuster of the decade.
> >>>>
> >>>>
> >>>> <https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies>
> >>
> >>> This is my analysis:
> >>> https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
> >>> Theo
> >>
> >> Thanks. Nicely thought out blog article. I agree that putting the
> >> chip on the SPI bus would be the ideal location. I might add that it
> >> would be possible to add microcode instructions to the CPU via the SPI
> >> bus (depending on how the added chip is wired into the system).
> >>
> >> Some deficiencies and unanswered questions in the original Bloomberg
> >> article:
> >>
> >> 1. Since Bloomberg apparently has possession of several of these
> >> mystery chips
> >
> >They don't claim that, and we don't know it. The motherboard
> >photos could have been sent by their inside source. It would
> >have been much more risky to provide a whole MB to Bloomberg.
> >The chip photos are probably something off Digikey.
> >
> >If they don't have the board or chips, the rest of your questions
> >don't matter.
>
> He has a good analysis IMNSHO.

YAIV

> Sure hand anything to the press, especially the biased press, and it will publish that.

Much better if they don't publish anything that isn't so verified that it is common knowledge.

> The whole issue here is to get the reality show manager re-elected, mid-terms are knocking on the door,

How is this helping anyone currently in power? I thought the article made it clear that this exploit took a long time to enact across multiple administrations.

> keep republicans in power, create a common enemy, standard stuff.
> Truth and 'tronics has little to do with it.
>
> Any kid can make up this story.
>
> Maybe that 'chip dot' is just flea poop, like the rest of what the reality lost show manager does.
> And as significant as that.

So you are suggesting the entire story is fake?

> At the same time companies like Apple may hand all user data to China, they only have to ask for it..

Now that is fake news!

> Money, sales, profit is the law. Snake oil is the trade.
> :-)
> Oh well...
> remember in the last cold war how Russia was accused of spying on every one...
> Now US does it as one bigger number.
>
> And there is nothing to know really, of value, that China does not already have, or can do better.
> That includes running a country.

lol

Rick C.
On Sat, 6 Oct 2018 08:45:28 +0000 (UTC),
DecadentLinuxUserNumeroUno@decadence.org wrote:

>Jeff Liebermann <jeffl@cruzio.com> wrote in
>news:n07grdlc3jdr2ssnej54fakvilrdka07u1@4ax.com:
>
>> 1. Since Bloomberg apparently has possession of several of these
>> mystery chips, why hasn't anyone done an autopsy or xray analysis on
>> what's inside?

> Did you even read the article?

Yes.

>Did you not see the picture of what the
>chip contained?

Do you mean this rubbish?
<https://www.bloomberg.com/toaster/v2/charts/85c4e100b7ab4a8bbffe7ce2a3e137c1.html>
You have a good imagination. Perhaps you might know what a "signal conditioner coupler" mentioned in the first paragraph might be? While you're working on that, perhaps you can also explain what an operating system core might be as in "...the microchip altered the operating system's core so it could accept modifications". Duz Supermicro use core memory?

> And I am quite sure that the DoD's investigation into it was much more
>comprehensive than a news agency's most elite hardware nerd.

Certainly they'll investigate. So will every other government agency and publicity hungry entity will conduct their own independent investigation. This was discovered by Amazon's outside security contractor something like 2 years ago. One might suspect that there are now a fair number of these chips floating around and that they have been rather thoroughly analyzed over the last 2 years. Oddly, I don't see any reports, photos, or info leaks. However, I'm sure they'll take their time releasing any real results, when they discover it's an SMD resistor network.

On Sat, 6 Oct 2018 08:50:02 +0000 (UTC),
DecadentLinuxUserNumeroUno@decadence.org wrote:

>Jeff Liebermann <jeffl@cruzio.com> wrote in
>news:n07grdlc3jdr2ssnej54fakvilrdka07u1@4ax.com:
>
>> Microsoft's October 2018 Windoze 10 update destroying customer data.
>
>Bullshit. Operator error.

Is that like blame the victim? I would think that the average user might assume that an operating system update wouldn't erase all their data. Actually, that begs the question of what was Microsoft doing digging around in the users files anyway? Were they building a catalog of "interesting" files for the NSA? Why was this update so big when it only added a few new features:
<https://www.cnet.com/how-to/windows-10-october-2018-update-the-7-best-new-features/>
New spyware, err... telemetry perhaps?

Incidentally, MS has suspended the update and is investigating the problem.
<https://www.cnet.com/how-to/windows-10-october-2018-update-the-7-best-new-features/>
Pulling the plug 5 days after a huge number of rather serious complaints is what is now called "decisive action".

>Always backup first for one thing, and I still
>think you did something to cause the loss.

The first step to solving a problem really is to blame someone, but never blame the person in charge of fixing the problem. They might get angry and do nothing.

I have a simple method of dealing with such complainers. I construct a clone of their computer. I then push pins and needles into the motherboard until it exhibits erratic behavior. By sympathetic voodoo and quantum entanglement, your identical PC will exhibit identical problems.

>And you do not have an
>instantaneous mirror on another machine for their data?

For my former medical office customers, that was standard procedure. I also didn't install updates of any kind until after a suitable waiting period. However, for the typical small business and home user, I prefer image backups, which allows me to quickly restore literally everything. For backups between image backups, I just copy or rsync a few directories that I consider important to a local NAS (network attached storage) drive.

> Sounds like something Trump would say.

Trump doesn't say anything. He tweets.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Jeff Liebermann <jeffl@cruzio.com> wrote in 
news:gskhrdtud3u1jf0fi8un1si04cja0t9382@4ax.com:

>>Always backup first for one thing, and I still
>>think you did something to cause the loss.
>
> The first step to solving a problem really is to blame someone, but
> never blame the person in charge of fixing the problem. They might
> get angry and do nothing.
>

Especially when the FIRST thing they are ALWAYS supposed to do is perform a backup. Yeah... you might get angry and... start blaming Microsoft for your missteps.