Wednesday, October 4th 2017

Chinese Government Allegedly Used Supermicro Motherboards to Spy on US Enterprises

In a development that underlines the national security necessity of moving electronics manufacturing out of China, server motherboards made by Supermicro in China have been found to carry a "spy chip." This startling development is the result of a secret 2015 US Government investigation unearthed by Bloomberg. The Chinese government has allegedly been using hardware-based spyware in Supermicro motherboards manufactured in China to spy on major American enterprises, including (but not limited to) Amazon Web Services and Apple, which use Supermicro motherboards in their data centers. The level of surveillance includes attempts to steal trade secrets and intellectual property.

Fearing loss in business, affected cloud-computing providers, including AWS and Apple, have each posted strong denials that their hardware infrastructure is vulnerable to foreign government surveillance. Apple stated: "We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."
Amazon Web Services (AWS) stated: "As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems." The entity in the middle of the storm, the Chinese Government, posted a more restrained and cryptic denial. "China is a resolute defender of cybersecurity," said a Chinese Foreign Ministry spokesperson.

Sources: CNBC, Bloomberg

73 Comments on Chinese Government Allegedly Used Supermicro Motherboards to Spy on US Enterprises

#1
eidairaman1
The Exiled Airman
Well Supermicro will now be banned from the U.S.

What about Tyan?
#2
R-T-B
Damn, I was starting to like Supermicro. I am curious what the actual chip is. If this is true, that should be easy to admit, and silence critics.
#3
btarunr
Editor & Senior Moderator
R-T-B said:
Damn, I was starting to like Supermicro. I am curious what the actual chip is. If this is true, that should be easy to admit, and silence critics.
I'd point my finger at the IPMI chip.

Imagine the fountain of possibilities spouted by a compromised IPMI + iKVM + VGA chip with its own network interface.
#4
R-T-B
btarunr said:
I'd point my finger at the IPMI chip.
I'd bet on that too but would prefer an official statement.
#5
PerfectWave
Wasn't China scared to be spied on by the US when importing servers from the USA?
#6
xkm1948
Meanwhile I am pretty sure NSA has been spying on everyone using the now known CPU exploits. Pot calling kettle black.
#7
Divide Overflow
My company won't touch networking, computer or telecommunications equipment manufactured in China.
While savings matter, your security is on the line.
#8
R-T-B
xkm1948 said:
Meanwhile I am pretty sure NSA has been spying on everyone using the now known CPU exploits. Pot calling kettle black.
No, that's a tinfoil hat theory if you really understand the exploits. Spectre really isn't suitable for that unless you have about 10 years to acquire 10MBs.
#9
theoneandonlymrk
R-T-B said:
No, that's a tinfoil hat theory if you really understand the exploits. Spectre really isn't suitable for that unless you have about 10 years to acquire 10MBs.
That's a bit misguided in a way, they don't need 10MB, just a few K's worth of key data and they're on legit, but I get and agree it's not a very workable initial intrusion.
#10
R-T-B
theoneandonlymrk said:
That's a bit misguided in a way, they don't need 10MB, just a few K's worth of key data and they're on legit, but I get and agree it's not a very workable initial intrusion.
I mean that was just an example. Getting ANY data from a chosen point is fiendishly difficult.
#11
BumbleBee
Chinese make really good food.... I'm just sayin'
#12
the54thvoid
xkm1948 said:
Meanwhile I am pretty sure NSA has been spying on everyone using the now known CPU exploits. Pot calling kettle black.
Yup.

Every major power spies on every other one. The US was caught at it with its Western allies a few years ago (WikiLeaks?). Our own GCHQ is no saint either.
Also, the companies concerned have stated it's not quite like Bloomberg says.
#13
hat
Enthusiast
the54thvoid said:

Also, the companies concerned have stated it's not quite like Bloomberg says.
A likely response, don't you think?
#14
R0H1T
PerfectWave said:
Wasn't China scared to be spied on by the US when importing servers from the USA?
The Chinese, mainly CCP, are lying hypocrites ~ news @11 :laugh:
R-T-B said:
No, that's a tinfoil hat theory if you really understand the exploits. Spectre really isn't suitable for that unless you have about 10 years to acquire 10MBs.
Depends on the exploit, there's also Meltdown & a few others like SGX & possibly another huge one that'll be revealed later this year :confused:
#15
TheLostSwede
BumbleBee said:
Chinese make really good food.... I'm just sayin'
You mean this stuff?
https://www.youtube.com/watch?v=GIwNhSISjj0

On topic, I'd suggest reading the source article - https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
They have some interesting graphics showing where on the boards the chip was found and some additional details about it.
It just doesn't sound that plausible, there must be more to it, as the size of the chip suggests it can't do much, but maybe it doesn't need to?
#17
R0H1T
The Terrible Puddle said:
So Amazon and Apple are quick to come out and defend China
No they're defending themselves because if god forbid they knew about this, then they could be sued into oblivion & not just in the US, not to mention their brands would forever be tarnished.
#18
R-T-B
the54thvoid said:
Yup.

Every major power spies on every other one. The US was caught at it with its Western allies a few years ago (WikiLeaks?). Our own GCHQ is no saint either.
Also, the companies concerned have stated it's not quite like Bloomberg says.
I agree, just not with the idea that Spectre was being used. I am certain something was though.
#19
Frick
Fishfaced Nincompoop
btarunr said:
I'd point my finger at the IPMI chip.

Imagine the fountain of possibilities spouted by a compromised IPMI + iKVM + VGA chip with its own network interface.
That's the consensus.

TheLostSwede said:

It just doesn't sound that plausible, there must be more to it, as the size of the chip suggests it can't do much, but maybe it doesn't need to?
If all it does is give them control over the BMC ... that is quite enough for many things to be done.
#20
theoneandonlymrk
Frick said:
That's the consensus.



If all it does is give them control over the BMC ... that is quite enough for many things to be done.
Kind of like Dell's server issues atm.
#21
Frick
Fishfaced Nincompoop
theoneandonlymrk said:
Kind of like Dell's server issues atm.
What issues are those?
#22
theoneandonlymrk
Frick said:
What issues are those?
Said that they have older generation dmc (? I think that's what they're called, but network admin PC in the backend) hacked firmware issues
#23
StrayKAT
lol.. damn. X299 Supermicro owner here. Hopefully it isn't affected. It may be Taiwan made.

edit: Reading more about it just pisses me off. Even as a customer, I hope they get crushed and China isolated even more as well.

Apple also deserves a beating.

"Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons."

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies


edit: Maybe this is a wakeup call to manufacture more in US..... or at least with its ALLIES. Ugh. If SM decides to do that, I may not remain pissed.
#24
R-T-B
I'm calling BS somewhere in that Bloomberg article... big time. Some of the things they are claiming just aren't feasible (unless China has a secret 2nm node or something)...

Probable that some of it is true, but the part of it claiming that a chip the size of an SMD has a full CPU and network stack, capable of modifying modern 32-bit OS cores? Lol, no. It's piggybacking off something else, probably the IPMI. It makes me wonder how much else is lost in translation..
#25
Xzibit
Ouch..

I can only imagine how innovative they got if this was just 1st and 2nd gen stuff.
"the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached"