What did the Chinese military bring to the Supermicro motherboard the spy chip at the manufacturing stage brought by the astronomical report?

When Bloomberg reports the shocking information that "Supermicro motherboard used by Apple and Amazon was sticking out spy hardware that steals data during the manufacturing process", the parties of Apple, Amazon, Supermicro Issued a statement of complete denial that "it is not a fact" all at once. Dr. Theodore Maquetos of the Department of Computer Science, Cambridge University studies whether cyber attacks of spying out spy hardware on the motherboard for servers are possible.

Making sense of the Supermicro motherboard attack | Light Blue Touchpaper
https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/

According to Dr. Marketos, concerning the allegation that the " Trojan horse " -like hardware surrounding the Supermicro motherboard this time was charged, technical details on Bloomberg article are scarce and it is technically possible in the first place It is not clear from the point of whether it is. However, Dr. Marketus believes that "baseboard management controller (BMC)" is a problem from photographs of animated GIF published by Bloomberg, as well as many other experts' ideas is.

The problematic chip is 1 mm × 2 mm and contains a 6-pin type silicon chip in the ceramic case, it is said to be a type used in common capacitors and passive components.

Analyzing from the image, the place where the spy chip is embedded in Supermicro's " B1DRi (MBI - 6128R - T2) " is the area between the BMC chip and the SPI flash chip storing the BMC firmware. According to Dr. Marketos, SPI is a flash memory using a general format, it is a relatively simple and slow interface that uses only four signal lines. Quad SPI (QSPI) which can operate at higher speed and uses six signal lines is also installed in B1DRi, but it is just a space of SPI chip thought that spy chip was installed.

According to the manual of the MBI - 6128R - T2 server, you can see that "AST 2400" was adopted for the BMC of the motherboard in question. The SPI flash chip stores the OS of this BMC. AST 2400 was an ARM chip widely adopted in mobile phones from the mid 2000's, its firmware will be introduced via SPI.

Dr. Marketus downloaded and analyzed BMC firmware for B1DRi from the Supermicro website and found that it is running on Linux and supports PCI-Express, USB, etc. In addition, I also found that the AST 2400 uses the U - Boot boot loader to start its own Linux and also has an option to boot via TFTP or NFS - based network.

It is possible to alter the OS of the main system by using BMC OS, and it is known how to insert malicious code via PCI option ROM at startup. However, it is said that such a vulnerability has already been addressed. On the other hand, in another BMC hacking, there is a simple way to read and write main memory when the machine starts up. Since the BMC has a PCI - Express interconnect for attaching a basic graphics card, it can potentially access the majority of the system memory and the BMC can also access the network, so theoretically Dr. Marketus says that it is possible to steal data stored on the server.

Therefore, "How well the BMC firmware is protected" is a decisive problem. The BMC firmware in question contains raw ARM code and is 32 MiB in size. Although 32 MiB is a common size for SBI flash chip, it suggests that the firmware image is written directly to SBI flash without adding another process. In addition, Dr. Marketus is also confirming that code signing and verification work is not required to install OpenBMC on the AST 2400 using the open source project "OpenBMC" supporting AST 2400.

After all, in this case of "spy chip injection on Supermicro motherboard" incident, there are few "facts" that can be confirmed, and there are many "assumptions" only. However, "If a spy chip was inserted at motherboard manufacture and succeeded in changing the board design and component installation process, it would be possible to intercept the SPI line between the flash memory and the BMC controller, and the spy chip Dr. Marketus believes that assuming that the firmware will be brought in through the network, even if it is not highly refined is not impossible.

In any case, it is unclear as to whether "Cyber ​​attacks aimed at shedding spy chips and targeting data leakage were done?" Is not clear, but at least the spy chip injection incident reported by Bloomberg attracts people's attention It is certain that he passed "sniff test", "The system they are using is more complicated than I imagined, and there is a possibility that surprising vulnerability may be hidden in its complexity" Dr. Marketus thinks that it was no doubt that we made the facts publicly known.