Interview: the Super Micro Computer Inc. chip

Tracy Reed

CTO @ Detexian. Ethical hacker. 20 years sysadmin & security engineering.
San Diego State University

After the controversial story from Bloomberg, Tracy Reed answers some questions regarding the hardware attack.

Detexian:
Bloomberg published an article at the beginning of this month regarding an attack by Chinese spies which reached roughly 30 companies in the US, apparently including Amazon and Apple. What exactly happened?

Tracy Reed:
The attack entailed compromising the supply chain, so they believe it was a unit of the Chinese military, working of course for the Chinese government, who bribed and coerced the appropriate people to get the design secretly changed to include that little chip. This chip can be communicated with and can communicate out to hosts on the internet and presumably allow control of the server or to copy data out to the attackers. It was placed on the motherboard, or according to the Bloomberg article, they discovered versions of it where it was actually embedded in the motherboard between the layers of fibreglass.

Detexian:
How did they discover the chips?

Tracy Reed:
There was an audit conducted of the motherboard and during these audits they look at every piece and make sure that it’s all there for a good reason, and that it does what it’s supposed to do and nothing more. They found this little chip which they could not account for, and they extracted it and looked at it and found that it was basically a back door, also known as a Trojan Horse, that could be communicated with from outside and allow control and exfiltration of information on that server.

Detexian:
Has this happened before?

Tracy Reed:
Similar things have happened before in terms of firmware embedded in the motherboard. I’m not sure, I don’t have any good examples right now.

Detexian:
Why are we only hearing about this now?

Tracy Reed:
We’re only hearing about this now because it’s been top secret for the last few years while they were investigating, and they wanted to find out who did it. If they released the fact that they had discovered it, the people who did it would immediately start covering tracks. According to the Bloomberg article, they were able to investigate the companies and employees and figure out who was responsible.

Detexian:
Why would someone carry out a hardware attack?

Tracy Reed:
A hardware attack is very difficult to trace, very difficult to detect, very expensive to detect if you’re going to put a machine to this kind of audit. Amazon really got lucky in this case in that they happened to choose to audit this hardware. I’m sure they invested a lot of money in it, and in this case, it paid off for them.

Detexian:
What was stolen?

Tracy Reed:
We don’t know what exactly was stolen. The problem is we can never prove that nothing was stolen. It seems unlikely that anything was stolen, but there’s no way to prove that these servers were not successfully communicating out on the internet and being commanded and sending data.

Detexian:
Are hardware attacks something that we will see a lot of in the future?

Tracy Reed:
I don’t know about ‘a lot of’, because they’re expensive and difficult to carry out, but they have always been a possibility. In fact it almost seems like there may have been hardware attacks in the past that went undetected, and there will certainly be more such hardware attacks in the future.

Detexian:
What are some potential solutions to detecting similar hardware attacks?

Tracy Reed:
Aside from actually physically auditing the motherboards, which is not guaranteed to turn up the problem, you need to monitor the network and servers. Something like Detexian can be used to do that, to see if they’re doing anything unusual. One of the examples in the Bloomberg article was to subvert the password verification routine, so if you’re coming from a particular IP address, maybe it would accept anything for a password, or maybe it would accept a particular password which the attackers know. If you detect a login from an unusual IP such as Detexian is capable of doing, you could raise a flag that something unusual is going on. You could also monitor the network, because supposedly these things were communicating out to command and control IPs on the internet. If you see anything outside of that norm or outside of that baseline, then you can raise an alert there also, so if you’re collecting something like NetFlow data or some other network monitoring data, you can detect the unusual activity that way, and the Detexian software can do that.
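As an added example (not from the interview and not Detexian's own code), the baseline-then-alert idea described in the last answer, run over a few constructed login and outbound-flow records: learn which source addresses each user logs in from and which destinations each host talks to, then flag anything outside that baseline. The record fields, host names and addresses are assumptions for illustration.

```python
# Added example: baseline-vs-anomaly check over constructed login and NetFlow-style records.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data (documentation-range addresses, not real indicators).
# Login records are (user, source_ip); flow records are (host, dest_ip, dest_port).
BASELINE_LOGINS = [("alice", "10.0.1.20"), ("alice", "10.0.1.21"), ("bob", "10.0.2.5")]
BASELINE_FLOWS = [("web01", "10.0.9.9", 53), ("web01", "10.0.9.10", 443), ("web01", "10.0.9.9", 53)]
NEW_LOGINS = [("alice", "10.0.1.20"), ("alice", "203.0.113.7")]
NEW_FLOWS = [("web01", "10.0.9.10", 443), ("web01", "198.51.100.23", 8443)]


def build_baseline(logins, flows):
    """Learn the normal source IPs per user and the normal (dest, port) pairs per host."""
    login_sources = defaultdict(set)
    for user, src in logins:
        login_sources[user].add(src)
    host_dests = defaultdict(set)
    for host, dst, port in flows:
        host_dests[host].add((dst, port))
    return login_sources, host_dests


def find_unusual_logins(baseline_sources, logins):
    """Return logins whose source IP was never seen for that user during the baseline."""
    return [(u, s) for u, s in logins if s not in baseline_sources.get(u, set())]


def find_unusual_flows(baseline_dests, flows, internal=ip_network("10.0.0.0/8")):
    """Return outbound flows to (dest, port) pairs the host never used during the baseline.

    Each alert is tagged 'external' when the destination lies outside the assumed
    internal range, which is the case most worth a second look for possible C2 traffic.
    """
    alerts = []
    for host, dst, port in flows:
        if (dst, port) in baseline_dests.get(host, set()):
            continue
        scope = "external" if ip_address(dst) not in internal else "internal"
        alerts.append((host, dst, port, scope))
    return alerts


if __name__ == "__main__":
    sources, dests = build_baseline(BASELINE_LOGINS, BASELINE_FLOWS)
    for alert in find_unusual_logins(sources, NEW_LOGINS):
        print("unusual login:", alert)
    for alert in find_unusual_flows(dests, NEW_FLOWS):
        print("unusual outbound flow:", alert)
```

A real deployment would build the baseline from weeks of data and add thresholds; the structure (learn normal, alert on departures) is what matters here.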