What was Supermicro's spy-chip coverage?



In October 2018, 'Supermicro motherboards contain chips that steal data,' Bloomberg reported. In response to Bloomberg's report, there were protests from the named company saying that they were 'rootless' and many of the engineers questioned the content of the report, but the Bloomberg side And Supermicro's claim did not reveal which was correct.

Hackaday, which handles security-related information, looks back on Supermicro issues in May 2019, more than half a year after it was widely reported.

What Happened With Supermicro? | Hackaday
https://hackaday.com/2019/05/14/what-happened-with-supermicro/

The start of the matter is that Bloomberg reported on October 4th, 2018 that 'Apple and Amazon have been equipped with chips that steal data on their servers' motherboards.' Based on evidence obtained from credible sources, Bloomberg's Supermicro motherboard used by Amazon and Apple servers has a special chip embedded by Chinese People's Liberation Army operatives. It was used by the Chinese authorities to launch large-scale supply chain attacks against US companies. However, the parties Apple, Amazon and Supermicro have denied coverage of Bloomberg, and engineers have also questioned the coverage of Bloomberg.

Bloomberg reports that Apple & Amazon servers have been stealing data to the Chinese People's Liberation Army working force, Bloomberg reports, Apple · Amazon completely denies-GIGAZINE



However, Dr. Theodore Marketos, Department of Computer Science, University of Cambridge, said, 'If a spy chip was inserted during motherboard manufacture and you succeeded in changing the board design and component installation process, the SPI between flash memory and BMC It is possible to intercept the line, and even if the spy chip is not highly sophisticated, the firmware can be brought in through the network, 'said the fact that it is technically possible although the fact is not clear.

What did astounding news that the Chinese military put spy chips on Supermicro motherboards at the manufacturing stage? -GIGAZINE



However, another server expert described it as 'technically impossible, and credibility is highly questionable' from the description in the article and the technical aspect of BMC.

Server experts comment on why the 'Chinese spy chip suspected cyber attack' article is wrong-GIGAZINE



After being told that the Supermicro motherboard has spy chips, a lot of media and experts have conducted a survey to see its authenticity. But in the end no one could get any new information about Bloomberg's reported spy chips. Apple and Amazon named in the press deny the facts, and Supermicro, who is suspected of having spy chips, is wrong in the content of the report, and is asking Bloomberg to withdraw the article . Supermicro also audits third parties and has officially issued a statement that it could not find something like a spy chip on the motherboard.

The topic is included in the Chaos Communication Congress (CCC), where security-related workshops will be held, and in the talk the programmer Trammell Hudson talks about his own research. According to Hudson, although Supermicro's production process is probably strict, it is possible for Chinese officials to intercept the cargo, open the hardware, load the spy tip, reseal it and ship it And pointed out. However, it is unclear whether such acts are being carried out in China or in the United States. Others have stated that it is possible that the supply chain may be compromised before production and fake chips may be sent to the manufacturer, and it is 'possible' to modify the Supermicro motherboard in any way.

In addition, Hudson has succeeded in hacking BMC with a single component that can replace the resistance on the motherboard, for a proof of concept of a spy chip that can do what Bloomberg reports. Is also successful. In other words, the spy chip that Bloomberg reports is 'technically feasible.'



So how much was the economic damage? Supermicro, reportedly 'spy chipped,' dropped sharply after Bloomberg's coverage, but as of May 2019, the stock has recovered almost to its pre-report level. However, Supermicro reports sales of $ 915 million (about 100.3 billion yen) in the fourth quarter of 2018, which is about 40 more than $ 952 million (about 10.44 billion yen) in the previous quarter. Hackberg reported that Bloomberg's coverage caused major damage to Supermicro as it was less than 100 million yen, but 'it wasn't deadly.'

In fact, Supermicro is building a new 800,000 square foot factory in Taiwan, costing $ 65 million, and expanding the Silicon Valley headquarters. Furthermore, these reasons are reported to have been promoted by some clients from China due to security issues from Bloomberg reports. In addition, it is rumored that high tariffs are also related to the withdrawal from China.



There was no significant impact on Bloomberg, who reported on spytips, against Supermicro, which was critically influenced by performance and manufacturing processes. However, Hackaday said, 'I may not know at first glance, but Bloomberg may have lost a little bit of credibility.' The reason is, even though there was a voice that questioned the contents of the news series, In the end, we did not disclose information that provided the technical details of the spy chips or backed up their content.

Furthermore, Bloomberg's 'Spy chips are loaded on the Supermicro's motherboard' article and the

follow-up were written by journalists Jordan Robertson and Michael Riley. However, they say that they have not published an article in Bloomberg since October 2018.

It is not only Supermicro that has been pointed out security issues. Bloomberg reports that the back door is equipped with the Huawei equipment in May 2019. It is extremely difficult to actually do the hardware hacking that Bloomberg reports, but it is theoretically possible that many people agree. Because it is 'a nightmare' to manage complex supply chains and vendors that exist both at home and abroad well, and it is because it is not uncommon for vendors to get rid of suspicious components.

However, 'embedding components into vendors' is not an easy thing. That's because it's easy and so many organizations are testing and validating. Adding new components is very difficult, but replacing existing components with similar malicious ones is relatively easy and detecting them is very difficult.


by ColiN00B

After all, the details about Bloomberg's 'Spy chips loaded on the Supermicro motherboard' are not clear, and some experts have questioned them, but they say 'technically possible.' Certainly, Bloomberg is still posting articles, even though Apple and Supermicro have asked for article withdrawals.

Supermicro is building a plant in Taiwan to escape the 'security risk' of Chinese manufacturers, but Huawei, who is in the process of writing at the time of writing, is whether the company is a villain at the moment or a sacrifice It is very difficult to identify it. So, 'must pay attention to safe communication skills, firewall regulations, and supply chain monitoring if the story turns out to be right,' Hackaday concludes.

in Hardware,   Security, Posted by logu_ii