Author Topic: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.  (Read 78133 times)


Offline Benta

  • Super Contributor
  • ***
  • Posts: 6261
  • Country: de
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #125 on: October 06, 2018, 12:40:25 pm »
Wow, so many conspiracy hypotheses here. The one thing that surprises me is, that from all the knowledgeable people here, not one has stumbled on the most plausible explanation.

It has been mentioned a couple of times that it is a very small, low pin count device.

That screams to me: PCB-RFID tag.

This is nothing unusual, a lot of companies place RFID tags on their PCBs and have done so for years as a replacement for bar codes.

It's for production tracking, inventory control, warranty tracking, product authenticity etc. Upside compared to bar codes is, you can read the tag without opening the box.

Here's an example: https://www.mouser.com/pdfdocs/magicstrap_application_guide.PDF

It's got nothing to do with backdoors or spying.

 
The following users thanked this post: tooki

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23096
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #126 on: October 06, 2018, 12:50:48 pm »
RFID tag needs an antenna and those aren’t particularly small or easy to hide in a multi layer board. Go have a look at some examples of PCB RFID tag antennas.
 

Offline Benta

  • Super Contributor
  • ***
  • Posts: 6261
  • Country: de
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #127 on: October 06, 2018, 12:54:13 pm »
I know exactly what an RFID antenna looks like, and it's nothing more than a slot in a ground plane. You go look.

Edit: See here: https://www.nxp.com/docs/en/application-note/AN171530.pdf
Go to chapter 5 (page 28).

« Last Edit: October 06, 2018, 01:00:27 pm by Benta »
 

Online chris_leyson

  • Super Contributor
  • ***
  • Posts: 1549
  • Country: wales
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #128 on: October 06, 2018, 03:31:27 pm »
Murata "Magicstrap" is one example and they do tags with an integrated antenna 1.25 x 1.25 x 0.55mm package 10mm range. https://www.murata.com/en-eu/products/rfid/rfid/uhf. Nothing new here.
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #129 on: October 06, 2018, 03:40:50 pm »
Quote
Wow, so many conspiracy hypotheses here. The one thing that surprises me is, that from all the knowledgeable people here, not one has stumbled on the most plausible explanation.

It has been mentioned a couple of times that it is a very small, low pin count device.

That screams to me: PCB-RFID tag.

This is nothing unusual, a lot of companies place RFID tags on their PCBs and have done so for years as a replacement for bar codes.

It's for production tracking, inventory control, warranty tracking, product authenticity etc. Upside compared to bar codes is, you can read the tag without opening the box.

Here's an example: https://www.mouser.com/pdfdocs/magicstrap_application_guide.PDF

It's got nothing to do with backdoors or spying.

Bit of a red herring frankly. The context is not one where someone has pointed at a component on a board that they, but not an expert, are incapable of identifying. The allegation claims a years-long investigation by, among others, the FBI, who are quite capable of popping into MIT or Stanford or Intel or On Semi and saying "tell us what this component is and what it does". I don't think Bloomberg are going to turn around and go "Aw shucks! Is that what it was? If only we'd asked some random bloke on the eevblog forum what it was instead of going off half cocked".
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline Benta

  • Super Contributor
  • ***
  • Posts: 6261
  • Country: de
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #130 on: October 06, 2018, 03:49:05 pm »
Sorry, but "half cocked" is what the Bloomberg article is. Allegations, allegations and not one hard fact. The article shows pictures of a minuscule 6-pin device, which is completely in line with an RFID chip and a ground plane slot antenna. It could even have been embedded during PCB manufacturing before assembly. This is in line with manufacturing tracking.
A 6-pin device as "back door"? No way, José.




« Last Edit: October 06, 2018, 03:55:42 pm by Benta »
 
The following users thanked this post: tooki

Offline MT

  • Super Contributor
  • ***
  • Posts: 1675
  • Country: aq
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #131 on: October 06, 2018, 04:15:14 pm »
China go full fascistic according to ABC Australia
 

Online wraper

  • Supporter
  • ****
  • Posts: 17654
  • Country: lv
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #132 on: October 06, 2018, 04:16:59 pm »
Quote
A 6-pin device as "back door"? No way, José.

2 power pins and 2-3 data pins are more than enough to compromise the system.
 

Offline JimRemington

  • Regular Contributor
  • *
  • Posts: 210
  • Country: us
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #133 on: October 06, 2018, 04:20:37 pm »
https://arstechnica.com/tech-policy/2018/10/bloomberg-stands-by-chinese-chip-story-as-apple-amazon-ratchet-up-denials/

Quote
Luckily, we're likely to know the answer one way or the other in the coming days. If the Bloomberg story is true, there are thousands of compromised motherboards out there, and companies will be scouring their data centers for them. People have already identified the specific circuit board featured in the graphic at the top of the Bloomberg article, though it's not clear if this is a real photograph or a Bloomberg-made mockup. If the story is accurate, sooner or later someone will produce a compromised board and do a public teardown.

Sounds like a great job for Dave!
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #134 on: October 06, 2018, 04:22:44 pm »
Quote
Sorry, but "half cocked" is what the Bloomberg article is. Allegations, allegations and not one hard fact. The article shows pictures of a minuscule 6-pin device, which is completely in line with an RFID chip and a ground plane slot antenna. It could even have been embedded during PCB manufacturing before assembly. This is in line with manufacturing tracking.
A 6-pin device as "back door"? No way, José.

No dispute that it's half-cocked, I'm just disputing that you've found the magic that everybody else missed.

This is not about the ability to recognise a component from first instance, this is about politics, propaganda, misinformation tactics and possibly share price manipulation. The very length and depth of the Bloomberg article's claims make it clear that this is more than mere "tech ignorant journo makes a cock up". That scale suggests deliberation, a very real conspiracy to mislead (even if that misleading is only about the various sources' ability and accuracy), or (improbably) the most perfect synchronicity of journalistic and official incompetence that has ever been produced by happenstance.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline radioactive

  • Regular Contributor
  • *
  • Posts: 173
  • Country: us
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #135 on: October 06, 2018, 04:23:41 pm »
I think the image of the part in that article looks like a common RF balun.  Would have to see proof otherwise to believe anything else.
 
The following users thanked this post: tooki

Online chris_leyson

  • Super Contributor
  • ***
  • Posts: 1549
  • Country: wales
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #136 on: October 06, 2018, 04:26:22 pm »
@Benta. Sorry, should have read your post, the Magicstrap RFID chips are pretty cool but nothing to do with the Bloomberg article. Smallest microprocessor I can buy is ATtiny in 2x2x0.6mm package and there is no reason why you can't embed that either. The die size probably limits the packaging but you've got a fair amount of metal to plate onto so an ATtiny would be one example of something relatively easy to embed into a PCB.
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23096
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #137 on: October 06, 2018, 04:33:19 pm »
Has anyone read the eSPI manual from Intel?

https://www.intel.com/content/dam/support/us/en/documents/software/chipset-software/327432-004_espi_base_specification_rev1.0_cb.pdf

Each device is bussed with clock, io, independent chip select. Also it’s not multi master and is fanned out over the board so to modify the protocol you’d need to intercept rather than tap. That means twice as many pins as a tap. Also it’s a channeled protocol. On top of that the slaves can initiate transactions so you’d have to be aware of the state of the system to stop bus collisions.

This seems a whole load of faff when there’s a whole bunch of firmware floating around on the boards you can futz with.

And as I have said before the entire thing would leave tangible evidence on the board which is quite frankly fucking stupid as you can probably through comparison trace the encapsulation and/or the silicon back to the originating country.
 

Offline apis

  • Super Contributor
  • ***
  • Posts: 1667
  • Country: se
  • Hobbyist
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #138 on: October 06, 2018, 05:34:22 pm »
Would have thought it would be easy enough to re-encapsulate chips with added components or make custom versions of chips already on the board. You could then just replace the original parts with your modified parts, would be much harder to discover. But hey, whatever works works.
 

Offline IanMacdonald

  • Frequent Contributor
  • **
  • Posts: 943
  • Country: gb
    • IWR Consultancy
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #139 on: October 06, 2018, 05:39:29 pm »
There is a product called Computrace LoJack which is in the BIOS, but injects DLLs into the system32 folder of any installed copy of Windows when run. Ostensibly this is so a stolen computer can be traced. It's done like this because the DLLs can do a lot more things than the limited BIOS code. Like, phone home. I wouldn't be surprised if the supermicro bug worked the same way. So yes, this is certainly feasible.

People have been hammered with propaganda to the effect that HTTPS protects them whilst on the Internet. In fact, the protection it provides is minimal. The problem is that this kind of hard-sell of one rather limited security product creates a false sense of security, which leads to other more prevalent threats being overlooked.

https://iwrconsultancy.co.uk/blog/https
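
A defender-side check related to the firmware-to-Windows hand-off described in the post above, as an added example that is not part of the thread and makes no claim about how Computrace itself is implemented. It parses the ACPI WPBT (Windows Platform Binary Table), a mechanism the post does not name, through which firmware can publish a binary for Windows to run at boot; the sample table and the `build_sample_wpbt` and `audit_host` helpers are constructed for illustration.

```python
import struct
from pathlib import Path

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # 36-byte common ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, args length
SYSFS_WPBT = Path("/sys/firmware/acpi/tables/WPBT")  # Linux exposes ACPI tables here (root only)


def parse_wpbt(table: bytes) -> dict:
    """Parse a raw WPBT dump and return the fields worth reviewing."""
    fixed = ACPI_HEADER.size + WPBT_BODY.size
    if len(table) < fixed:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError("header length does not match dump size")
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if fixed + args_len > length:
        raise ValueError("argument string runs past end of table")
    args = table[fixed:fixed + args_len].decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "checksum_ok": sum(table) % 256 == 0,  # ACPI rule: all bytes sum to 0 mod 256
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table.decode("ascii", "replace").strip(),
        "handoff_size": size,        # size of the binary the firmware hands to the OS
        "handoff_address": addr,     # physical address where firmware placed it
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args,           # command line passed to the binary
    }


def build_sample_wpbt(args: str = "/demo") -> bytes:
    """Constructed sample table (not taken from any real machine)."""
    arg_bytes = (args + "\x00").encode("utf-16-le")
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(arg_bytes)) + arg_bytes
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    raw = bytearray(header + body)
    raw[9] = (-sum(raw)) % 256  # checksum byte lives at offset 9 of the header
    return bytes(raw)


def audit_host(path: Path = SYSFS_WPBT):
    """Return parsed WPBT fields, or None when the firmware publishes no such table."""
    if not path.exists():
        return None
    return parse_wpbt(path.read_bytes())


if __name__ == "__main__":
    found = audit_host()
    if found is None:
        print("no WPBT table published by firmware")
    else:
        for key, value in found.items():
            print(f"{key}: {value}")
```

A table being present is not by itself malicious; the review question is whether the vendor documents it and whether the binary at the hand-off address matches a known-good one.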
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23096
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #140 on: October 06, 2018, 05:46:14 pm »
I disagree. HTTPS, more correctly HTTP over TLS, is just one part of the security model. At each end you have vendors providing software that have an interest in making sure they don’t look like shit. HTTPS protects you between those security boundaries.

That’s unrelated to this discussion entirely however.

The biggest threat is the competence of the programmers at each end and the user doing something stupid.
 

Offline floobydust

  • Super Contributor
  • ***
  • Posts: 7503
  • Country: ca
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #141 on: October 06, 2018, 06:42:11 pm »
We don't know the truth yet. It's kind of simmering, like when a big turd is going to hit the fan. Somebody is grossly wrong and the Internet is divided.

No comment from the FBI, CIA and NSA. Amazon and Apple deny it.

Bloomberg claims 17 people are confirming the H/W mods:
"The companies’ denials are countered by six current and former senior national security officials who... detailed the discovery of the chips... One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information."

I think the problem is these servers are heavily used, beyond the early clients Amazon and Apple.
So other big companies would be compromised, perhaps Facebook (again), Google, banks, DoD etc.

Second, why not add the back door to cellphones? I have to wonder if the iPhone didn't get "the treatment", hence Apple's denial.
 

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7549
  • Country: 00
  • +++ ATH1
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #142 on: October 06, 2018, 06:50:51 pm »


versus


 :-DD

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7549
  • Country: 00
  • +++ ATH1
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #143 on: October 06, 2018, 06:53:26 pm »
Quote
Bloomberg claims .....

What Bloomberg is trying to say is actually pretty simple..

 "Trust us on what we claimed, ask no more, just trust us ... "
 
The following users thanked this post: tooki

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #144 on: October 07, 2018, 12:07:04 am »
Quote
What Bloomberg is trying to say is actually pretty simple..

 "Trust us on what we claimed, ask no more, just trust us ... "
While true, it's historically been a rather reputable source. That's why many people take the stories quite seriously.
 

Offline T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 22436
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #145 on: October 07, 2018, 01:46:05 am »
The amount of denial in this thread is... concerning.

Why do so many people find this unbelievable?  Many have given reasons, but none of them hold water.

Just because you can't imagine it's possible, doesn't mean it's impossible.

Alternate motives?  Maybe.  Just because that is also possible, doesn't mean it's probable, let alone guaranteed.

The reluctance to confirm sources is also obvious.  It would perhaps be nice if they collaborated with a few other journalists to better check the sources against each other and confirm things.  But even between very well trusted papers, that's a very dangerous thing to do.  More likely, we will see independent confirmation, and yes, teardowns including analysis of the chip in question will be very interesting indeed to see.

So instead of jumping to conclusions, why don't you chill out, and think on it for a moment, and realize that multiple things are possible, not just knee-jerk reactions?...

Anyway, "our boys" have had these kinds of attacks for decades.  As have our allies and enemies, to varying degrees of capability, at various times.  It is completely normal and possible, even more so with modern technology (like the Management Engine attack vector).  The only thing distinctive about this is probably the scale at which it has been done (potentially millions of compromised units).

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 
The following users thanked this post: wraper, JoeO, apis

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2369
  • Country: de
    • Frank Buss
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #146 on: October 07, 2018, 01:57:37 am »
So, anyone want to buy a Supermicro server board and search for the chip? Looks like they are getting cheaper at the moment on eBay :-DD
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #147 on: October 07, 2018, 02:17:04 am »
Tim, I don't think anybody is disputing the technical possibility just the quality and/or accuracy of the reporting.

What is in question is the lousy reporting which contains nothing more than handwaving on the level of technical evidence - if we'd seen one decapsulated chip with some decent microphotographs and an analysis from someone technically competent we might be somewhere else. In fact the nearest we have to evidence is "our sources tell us" with no way to corroborate this and most of the places where those sources work denying the story in pretty unambiguous terms, terms devoid of the phrasing normally associated with lawyer drafted statements that are technically true while being in fact a pack of lies.

Never before have I seen as significant a news report as this one that is as thin on evidence where a significant part of the evidence is of the kind that could be easily documented. They appear to have boards and chips, at least they have reproduced photographs that purport to be the parts and they've been running the investigation for a long time - so why no proper analysis? Add the strange political climate at the moment and the realpolitik that might go with a planted anti-China story and it would be remiss to be anything but sceptical on all fronts.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 
The following users thanked this post: mtdoc, ajb, Kean, tooki

Offline T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 22436
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #148 on: October 07, 2018, 03:14:39 am »
Equally easily explained -- they are a business publication.  If they have the technical details, it wouldn't do most of their readers any good.  Just insult them and make them feel dumb for not understanding things.  (If, say, Ars were breaking this story, I would expect them to share some technical info, and be suspicious if they didn't.)

This is very normal for, say, academic journalism.  The technical aspects have to be simplified for a less technical reader.  They often get it wrong, of course...  So, that leaves it to us (as technical readers) to read between the lines and guess what they're actually talking about.  Which is just as unreliable.  It would be so much nicer to just have the info straight, but alas...

And yes, that includes the possibility that there's nothing at all about it.  It could be that their sources didn't provide such details -- whether for the same reason (the journalists probably wouldn't know what to do with it), or because they don't have any at all.

Oh, one thing by the way, if this were unsupported -- if there were no actual facts here -- this would be defamation, and they'd be sued pretty damn quick for all the millions of dollars this is worth.  Bloomberg knows this as well as Supermicro and everyone else.  You can bet your ass they're denying publicly, and investigating internally, until they figure out some possible strategy that doesn't leave them completely destitute!

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Chinese manufacturer puts hardware backdoor onto Supermicro server boards.
« Reply #149 on: October 07, 2018, 03:55:53 am »
Quote
Equally easily explained -- they are a business publication.  If they have the technical details, it wouldn't do most of their readers any good.  Just insult them and make them feel dumb for not understanding things.  (If, say, Ars were breaking this story, I would expect them to share some technical info, and be suspicious if they didn't.)

Back in the days of print journalism, this is exactly where the editor would have put:

    [sidebar from Dr. Expert goes here "What we found under the microscope"]

A sidebar lets you provide detail that the general reader will want to skip, but that allows you to "show your workings" so that people know you're not handwaving or hoodwinking them. This is especially necessary in this case given the gravity of the accusations. Moreover, business readers aren't insulted by being presented technical details in a sidebar - business people don't expect to understand all the technical details, they have people for that: "John, read this article and tell me if the technical side makes sense to you".

Here I'm speaking as an ex-section editor of a business computer magazine. I wouldn't have put a story one tenth as volatile as this on the page without putting enough in print to make my case lawyer proof. Providing all the facts, as far as you can, may make a difference between a case for slander of goods* and no case to answer. In fact in defamation cases sometimes the most damaging thing you can do is to make accusations without producing your proof at the same time. At the very least it leads to legal bills and court appearances where, if you'd made a good case in print already, the plaintiff's lawyers would have said "don't bother".

Quote
...
Oh, one thing by the way, if this were unsupported -- if there were no actual facts here -- this would be defamation, and they'd be sued pretty damn quick for all the millions of dollars this is worth. 

Yes, and on the case made publicly so far by Bloomberg I expect that some of the accused companies' shareholders' lawyers have been quite busy this weekend. Moreover, if this gets to court on any defamation actions Bloomberg can be ordered to reveal their sources if that is the nub of their claims. That will irreparably damage their trustworthiness to future possible sources and could have been avoided if they'd made out a better, more plausible case in print.

*Trust me, I've been threatened with this plenty of times. Never had to settle or go to court though.
« Last Edit: October 07, 2018, 03:57:25 am by Cerebus »
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 
The following users thanked this post: Kean, T3sl4co1l, tooki

