Last Updated: 2018-10-04 20:52:17 UTC
by Johannes Ullrich (Version: 1)
[Update: Supermicro is denying this report and has issued a statement. Without any additional evidence, it is difficult to decide who is right. Information about a problem like this would likely be highly guarded at Supermicro and known only to a small group within the company. We will have to see what evidence emerges about this moving forward.]
Bloomberg today released an article with details regarding an operation by the Chinese military to insert hardware backdoors in motherboards. These backdoors were apparently discovered by Amazon, a large customer of Supermicro, the company implicated in providing the affected motherboards. While the report mostly refers to unnamed sources, it is plausible and in my opinion credible. It matches up with other reports and long-standing suspicions that operations like this are taking place. Edward Snowden famously leaked how US intelligence services intercept shipments to implant backdoors. However, those interceptions are more targeted, and according to the Snowden leaks the backdoors are usually installed in the form of altered firmware rather than added hardware.
The compromise of a motherboard manufacturing line could affect customers well beyond targeted communities like government or high tech companies.
The real question now is: Does it affect me, and what can I do about it?
First of all, you are unlikely to spot the additional component on your own. Amazon apparently was able to do so only after comparing the design drawings of a motherboard to what was actually built. The component is described as "grain of rice sized" and is easily mistaken for a signal conditioner, a part common on motherboards. Even experts often rely on the markings of components to identify them, and markings or physical appearance are easily changed.
Should you stop buying Supermicro motherboards? The real question is: what are the alternatives? If you find a motherboard from a different manufacturer, it will likely come from a manufacturing line in China down the road from Supermicro's, and it will be just as vulnerable to the same attack. In some ways, at least Supermicro has found the issue and may now be more aware and careful.
What could a component like this do? Likely, the component will just wait for an external signal to spring into action. It is most likely silent until then. The component could be connected to the PCI bus, or directly to a network card that is part of the motherboard, to wait and listen for a signal. Most likely, the component will not do "much", but act as a backdoor to initiate other malicious actions. For example:
- Denial of Service: Shut down the system, or even physically destroy it. Some of this could be more subtle, for example by introducing errors in signals that cause spurious failures.
- The component could be used to download and install malicious firmware.
- It could forward network traffic or "blind" the network card to specific traffic.
The options are endless; these are just some capabilities that come to mind. Given the size, it is unlikely that the component runs a complete "shadow system". It is more likely built to perform simple actions that can be leveraged to provide an attacker with additional access.
So what should you do?
Defense in depth is still a valid strategy. The component will likely have to communicate across the network at some point, so a network firewall and an Intrusion Detection System (IDS) are still valid layers. Let's just hope they don't include the same component.
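The network-layer check the paragraph above relies on, as an added example and not code from the original diary: a small baseline-based egress check over constructed connection-log lines that reports any server-segment host reaching a destination it has never been expected to reach, and any outbound flow at all from a management (BMC) interface. The log format, addresses and baseline are assumptions.

```python
# Added example: flag outbound flows from a server segment that leave the
# expected-destination baseline, the kind of check a firewall/IDS layer can
# run to notice an implant "phoning home". Log format and values are constructed.
import ipaddress

# Constructed baseline: per source host, the destinations it is expected to reach.
BASELINE = {
    "10.20.0.11": {"10.20.0.5", "10.20.0.6"},   # app server: DB + cache only
    "10.20.0.12": {"10.20.0.5"},
    "10.20.1.7":  set(),                         # BMC interface: never talks out
}
SERVER_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed connection-log lines: ts src dst dport proto bytes
SAMPLE_LOG = """\
2018-10-04T20:10:01Z 10.20.0.11 10.20.0.5 5432 tcp 8120
2018-10-04T20:10:04Z 10.20.0.12 10.20.0.5 5432 tcp 2210
2018-10-04T20:11:30Z 10.20.0.11 203.0.113.50 443 tcp 512
2018-10-04T20:12:02Z 10.20.1.7 198.51.100.9 53 udp 70
2018-10-04T20:12:05Z 10.20.0.11 10.20.0.6 6379 tcp 300
"""

def parse_flows(text):
    """Parse the constructed whitespace-separated flow log into dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows

def find_anomalies(flows, baseline=BASELINE, server_net=SERVER_NET):
    """Return (kind, flow) pairs for server-segment sources whose destination
    is not in that host's baseline. A host with an empty baseline (a BMC or
    other management port) should never initiate outbound traffic, so every
    flow from it is reported; a source with no baseline entry is reported too."""
    alerts = []
    for f in flows:
        if ipaddress.ip_address(f["src"]) not in server_net:
            continue
        allowed = baseline.get(f["src"])
        if allowed is None:
            alerts.append(("unknown-source", f))
        elif f["dst"] not in allowed:
            alerts.append(("mgmt-egress" if not allowed else "new-destination", f))
    return alerts

if __name__ == "__main__":
    for kind, f in find_anomalies(parse_flows(SAMPLE_LOG)):
        print(f"{kind}: {f['ts']} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
```

Because the implant may sit between the CPU and the on-board network card, feed this check with logs from a firewall or tap outside the suspect host rather than with the host's own connection logs.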
In the end, the only thing that will really protect you is information sharing. The Bloomberg article is an important piece of information that I am glad was released. I would have hoped the information would be released sooner by the entities who found the problem, and in coordination with manufacturers like Supermicro, to allow them to explain how they are preventing a recurrence of the issue. I do not "blame" Supermicro. These issues are bound to happen, but it is important to learn from them and share the lessons. I hope we will soon learn more technical details, to find out how to detect the malicious component and to learn more about its function.
While government agencies are certainly worried and are conducting audits of hardware they use, their mission is usually not to protect consumers from such implants. There is no government agency that would proactively screen hardware entering the country to look for backdoors. Instead, supply chain security is the responsibility of the end user. Relationships with trusted suppliers, who themselves use due diligence / best practices in manufacturing are key. As a consumer / small company, there is little you can do to achieve this and it is mostly up to large companies like Apple, Dell, Amazon and such to ensure they are selling safe products to the public. But considering how difficult it appears for Amazon to even police simple stuff like fake Apple lightning port cables, the security of its cloud systems and other infrastructure may suffer as well.