Hardware Supplier Exploit

So I was reading some interesting articles recently that I believe others might find insightful... One of my entities intends to be one of the few companies assembling HPCs (High-Performance Computers) in the USA, and this is giving me vertical integration vibes for board manufacturing and assembly plants here in the USA.

SuperMicro Exploits by China

The above Bloomberg article gives details on how China uses in-country suppliers / OEM contractors to gain an advantage/exploits through obfuscated chips inserted by Chinese manufacturers, against companies and countries alike. It wouldn't surprise me in the future to find similar issues with other OEMs like HP, Lenovo, or Dell that manufacture computers in China. I think it would be too risky to do it in consumer electronics like Apple (I could be wrong); that's why I think the focus might be enterprise equipment users, aka big companies and countries alike.

After reading the article, for sure it proves (at least to me) that Huawei cannot be trusted. Question to all: which other OEMs do you guys speculate could be facing the same country-level exploits?

Any articles you find on the subject, please share them on this thread; I would like to read as much as possible on the subject of supplier exploits by countries.
 
I never got a clear answer as to whether the Supermicro incident was additional chips or modified firmware (assuming it is true in the first place).

What I read lacks technical specifics.
 
What I read lacks technical specifics.
Agree: The news that is circulated in written form does not include technical detail of what happens at Supermicro. The Bloomberg report quoted above gets reasonably close to summarizing things.

Obviously, here in Silicon Valley, the problems with SuperMicro hardware were discussed intensively, but always in a hushed way, and without much paperwork. Here's how I would summarize my impression: Since about 2006 or 2007, it has been clear that Supermicro is not serious about creating trusted hardware, and that the firm's connections to mainland China are quite tight (the company itself is dominated by Taiwanese, many located here in Silicon Valley). Since about 2010 or 2012, we have known that Supermicro hardware intentionally leaks information to mainland China. Yes, you can see that in packet tracing. Whether the company Supermicro itself is complicit in this (actively working with China) or whether it is the innocent (or negligent?) victim of Chinese espionage is not clear. Nor does it matter much: it doesn't change the obvious conclusion that Supermicro gear should not be used for any purposes that involve the national security of western countries.

Now, getting to the OP: Huawei is even less trustworthy than Supermicro. The same is true for Baidu, and its subsidiaries (for example Apollo). You can safely assume that they work closely with Chinese government agencies.

But that leaves a giant open question: How about gear that is assembled in China (or using Chinese-made components) by western companies? The OP mentions HP, Dell, Lenovo and Apple, and one should add Supermicro to that category. I think here the answer has to be differentiated. Apple, for example, demonstrates that one can build systems (cell phones, laptops) that are very high quality and tightly controlled in assembly plants located in China (much of Apple's gear is assembled by Foxconn). The way Apple does that is with a culture of deep checks on the manufacturing and engineering process, and paranoid audits and controls on everything. Supermicro is an example at the other extreme, showing that even a nominally western company (they are technically headquartered in a building that's right along highway 880 on the eastern edge of Silicon Valley) can have a laissez-faire culture towards trust and regulation, leading to being subverted by the Chinese security apparatus. In the middle between these extremes, other OEMs have different cultures.

If the OP really wants to build HPC hardware (which is mostly consumed by government entities), they will need deep integration, and they'll have to learn to work closely with western governments. That's something typically outside the scope of smaller companies; established players (like Cray and IBM) are good at this.
 
Since about 2010 or 2012, we have known that Supermicro hardware intentionally leaks information to mainland China. Yes, you can see that in packet tracing.
Do you have some examples of this that you can share - especially more recent examples?

My impression of the Bloomberg article was that it was never proven (but not entirely discredited either) so I’m curious if there’s any recent evidence of the supply chain issues.
 
a former Navy SEAL who co-founded
I would never trust a word an ex-SEAL says. You think politicians lie then this is a whole different spectrum.

I have one question. If the article is true, then how many implants have been discovered?

This article has crossed HackerNews several times in the past.
While not technically impossible, this is probably not ordinary manufacturing but a special-clients office.
Just like our TAO. I would be willing to bet Cisco has special devices shipping.
Is the manufacturer cooperating? What choice do they have? National security law dictates it.

Look at those counterfeit products on eBay. Some are not counterfeit, because they come off the same line.
A "third shift" run, it is often called. No warranty applies.

All a user can do is run the Intel microcode updater and hope for the best.
 
Do you have some examples of this that you can share
You have to look at press articles for things that can be shared. But the fact that around that time frame, US government agencies were ordered to stop buying any Supermicro hardware (in spite of the fact that it is good quality, performs well, and is priced right) tells you a lot already.

Also look for reports about Seagate disk firmware. And Huawei cell phone routers being used in Europe.
 
Just like our TAO. I would be willing to bet Cisco has special devices shipping.
Is the manufacturer cooperating? What choice do they have? National security law dictates.
Some more reads for those interested in hardware exploits.

Huawei Trade Secret Theft source code Cisco

Cisco rejects Falun Gong 'China online spying' lawsuit

China Russian Backdoor Juniper Kit


Here are some of the implants from the NSA on hardware.

Juniper Backdoor

Congress ask NSA of Juniper Backdoor

Equation: The Death Star of Malware <= hard-drive exploits including Seagate, Western Digital, Toshiba, Maxtor and IBM; most of these brands manufacture in China

NSA Hard Drive Hack first demonstrated

Again, to assume that China (which manufactures all of this equipment) does not do such things (backdoors) is naive, to say the least... I would say that the NSA is required to counter China (finding, creating and using some of the backdoors), as the CCP could implant from the source more easily than the NSA could create and/or find the exploits.

National security law could be used by both countries as a lever for compliance from manufacturers, with manufacturers in China having the worst of the options. The USA/EU is the big market, but China is where the manufacturing takes place...
One is greed (USA/EU: want to sell in our market or get this fat $$ contract? I need X), and the other option (coming from Communist China) is existential for these OEMs.

(Morpheus: Blue or Red Pill Neo).:-/
 
Still nothing remotely technical on the supposed Supermicro hack.
Supermicro bloomberg Spying v2

and here is some nice information on counterfeit Cisco equipment discussed by the FBI, with some technical pictures

FBI Fears Chinese Hackers Have Back Door Into US Government

I doubt you will find technical information on the Supermicro gear calling China; having said that, Supermicro moved operations to Taiwan as a result, just to remedy the bad publicity.


Stay curious.... ;)
 
The Bloomberg article is trash. The physical evidence should exist, but it doesn't, and it would be huge news if anybody had it, but it doesn't exist.
 
The fact that Bloomberg (or you) don't have access to the physical evidence does not mean that it does not exist, nor does it mean that SuperMicro gear is guaranteed free from Chinese spyware. For an amateur who does not have access to insider information, all one can do is be careful and guard your network connections.
 
What if they're transmitting the data on a radio frequency! Oh man, don't forget to do a spectrum analysis!

There's no proof. It's just made up. There's no reason for anybody outside China to hide the proof, unless you're a spook or something, and if you were, you'd want to gather up all the evidence, which means if they succeeded there would be no evidence, so it wouldn't be an issue for anyone.

But yeah, sure, do egress checks. You would do that ANYWAY if you're being careful.
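The "egress checks" this reply mentions (and the earlier advice to "guard your network connections") are the one control an outsider actually can run, so here is a worked example of what such a check looks like. This is an added illustration, not code from the thread or from any vendor: it reads firewall/NetFlow-style records, keeps only flows whose source is on the out-of-band management (BMC/IPMI) subnet, and reports every destination that is neither on that subnet nor on an explicit allowlist of the services a BMC legitimately needs (NTP, syslog, monitoring). The subnet, the allowlist, the record format and the sample flows are all constructed for the example.

```python
#!/usr/bin/env python3
"""Egress baseline check for BMC/IPMI management interfaces (added example).

Reads space-separated flow records of the form
    <timestamp> <src> <dst> <proto> <dport> <bytes>
and flags management hosts talking to destinations that are not expected.
All addresses and records below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed: the subnet that carries BMC/IPMI/management traffic.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed: the only off-subnet services a BMC should ever contact.
# Note that "internal" is deliberately NOT the same as "allowed": a BMC
# reaching an arbitrary internal host is just as interesting as one
# reaching the Internet.
ALLOWED_EGRESS = frozenset({
    ipaddress.ip_address("10.0.1.1"),   # NTP
    ipaddress.ip_address("10.0.1.5"),   # syslog collector
    ipaddress.ip_address("10.0.1.10"),  # monitoring / IPMI poller
})

# Constructed sample flow records (TEST-NET addresses for the outside world).
SAMPLE_FLOWS = """\
# ts src dst proto dport bytes
2024-03-01T02:00:01Z 10.20.0.42 10.0.1.1 udp 123 96
2024-03-01T02:00:05Z 10.20.0.42 10.0.1.5 udp 514 412
2024-03-01T02:03:17Z 10.20.0.42 203.0.113.77 tcp 443 18244
2024-03-01T02:03:19Z 10.20.0.42 203.0.113.77 tcp 443 2048
2024-03-01T02:10:00Z 10.20.0.43 10.20.0.10 tcp 623 300
2024-03-01T02:11:00Z 10.30.1.9 198.51.100.20 tcp 443 5000
2024-03-01T02:12:30Z 10.20.0.43 10.0.7.7 tcp 445 900
2024-03-01T03:15:44Z 10.20.0.44 198.51.100.9 udp 53 120
"""


def parse_flow(line):
    """Parse one flow record into a dict; return None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, src, dst, proto, dport, nbytes = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dport": int(dport),
        "bytes": int(nbytes),
    }


def is_allowed_destination(dst):
    """A destination is fine if it is on the management subnet itself
    (peer BMCs, gateway) or is one of the explicitly allow-listed services."""
    return dst in MGMT_NET or dst in ALLOWED_EGRESS


def find_suspicious_egress(flow_text):
    """Aggregate unexpected management-subnet egress per (src, dst).

    Returns a list of (src, dst, flow_count, total_bytes, sorted_ports),
    largest byte count first, so exfil-sized conversations surface on top.
    """
    agg = defaultdict(lambda: {"flows": 0, "bytes": 0, "ports": set()})
    for line in flow_text.splitlines():
        f = parse_flow(line)
        if f is None or f["src"] not in MGMT_NET:
            continue  # only the management side is in scope here
        if is_allowed_destination(f["dst"]):
            continue
        key = (str(f["src"]), str(f["dst"]))
        agg[key]["flows"] += 1
        agg[key]["bytes"] += f["bytes"]
        agg[key]["ports"].add(f"{f['proto']}/{f['dport']}")
    findings = [
        (src, dst, v["flows"], v["bytes"], sorted(v["ports"]))
        for (src, dst), v in agg.items()
    ]
    findings.sort(key=lambda r: r[3], reverse=True)
    return findings


if __name__ == "__main__":
    for src, dst, n, b, ports in find_suspicious_egress(SAMPLE_FLOWS):
        print(f"UNEXPECTED EGRESS {src} -> {dst}: {n} flows, {b} bytes, {','.join(ports)}")
```

Two caveats a practitioner would add. First, the records have to come from a point that actually sees the management NIC's traffic (the upstream switch, a span port, or the firewall the management VLAN exits through): a BMC with its own dedicated or shared-LOM port talks past the host operating system, so a capture or netstat on the host itself proves nothing. Second, the allowlist is what makes this work; "it's an internal address" is not a reason to skip a destination, which is why the sample deliberately flags the SMB connection to an internal host alongside the TLS and DNS traffic to outside addresses.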
 
It would be interesting to see who had large shorts on the stock around the time the article was published.
It does make for a tantalizing read though.
 
I don't own any SuperMicro (so I am biased/agnostic to their hardware)....

To add more nuance and conspiracy tangents, Michael Bloomberg does appear to have a high-level security clearance... Maybe one of his buddies in the DOD gave him a tip ;). Anyway, this is the type of story where you don't provide information, as any evidence could open up a can of worms, and at the end of the day Supermicro, last time I checked, is indeed a USA tech darling down in the Valley (I see the story as a warning shot to the execs)...
 
My guess is SuperMicro pissed off the intelligence community, probably by not helping, and they got payback.
Counter-puff piece courtesy of Bloomy.
Like I said, everything is feasible. But notice: 30 possible boards infected. BIOS engineering team owned.
That was Tailored Access Operations. It's what they do. Snowden told us 11 years ago. Surely other countries do it too.
 
There is a simple solution to the problem. We could start manufacturing in the United States again.
Make tariffs hurt. I shouldn't compete for wages with a 13-year-old kid in Vietnam.
The US shouldn't have to bribe TSMC to build in Arizona. It should be an economic decision.
 
When Asus copies Supermicro boards, do they also copy the Chinese spyware? Asus is Taiwanese afaik.

(I'm happily running Asus and use only the documentation from Supermicro, as Asus has none.)
 
When Asus copies Supermicro boards, do they also copy the Chinese spyware? Asus is Taiwanese afaik.
Indeed, Asus is a Taiwanese company, with relatively few operations in the US. Supermicro is nominally a US company (headquartered in Silicon Valley), but with a lot of operations in Taiwan.

To your question whether Asus "copies Chinese spyware", the answer has to be multi-faceted. To begin with, the big publicly known Supermicro exploit was about Supermicro motherboards and servers that had been physically modified during manufacturing, to contain extra silicon that was carefully hidden. This is not something that would be easily "copied", unless Asus had access to sources of similar clandestine chips, had contact with the same Chinese spy agencies, and knew how to implement (or deliberately ignore) those modifications. It is certainly possible that Chinese agencies were targeting many, most or all Taiwanese motherboard/systems builders.

But then look at it from an RoI perspective. Supermicro builds mostly motherboards and systems, and they are a very big supplier to intermediate data-center scale customers (not to the hyperscalers like the FAANG, who build all their own hardware, nor to the big computer companies like IBM/Oracle/HP/..., who also do). On the other hand, ASUS is mostly a vendor of handhelds, laptops and desktops; their motherboard and rackmount systems business is comparatively small. Tyan is even smaller. For a spy agency, it is definitely worthwhile to penetrate Supermicro products, as they will be regularly used in critical business and government functions. With Asus and Tyan, that's much less true, and many of their component products (motherboards and rackmounts) end up with amateurs and small companies, which are just not very interesting to espionage. That makes it somewhat less likely that they were direct targets of high-value / high-investment cracks, such as the one done with Supermicro.
 
On the other hand, ASUS is mostly a vendor of handhelds, laptops and desktops; their motherboard and rackmount systems business is comparatively small. Tyan is even smaller. For a spy agency, it is definitely worthwhile to penetrate Supermicro products, as they will be regularly used in critical business and government functions. With Asus and Tyan, that's much less true, and much of their component products (motherboards and rackmounts) end up with amateurs and small companies, which are just not very interesting to espionage. That makes it somewhat less likely that they were direct targets of high-value / high-investment cracks, such as the one done with Supermicro.

So then that's the way to deal with the issue: just stay out of the fireline. ;)
 
Trying this with Asus is not something they'd likely do. For every item shipped there is a risk of discovery. Asus boards are just not ending up in important enough places to warrant that kind of exposure. For all you know, a curious overclocker finds your little chip. Supermicro boards are usually used for important things.

All joking aside, this is why the big companies make their own mainboards. Which is bad for us, because if Google spent resources on investigating Supermicro products, we would be much safer with the boards we could actually buy.

I don't want to end up in a situation where all the hardware I can buy to run myself is potentially infected either in firmware or with additional chips and to be more secure I *have* to be in the cloud.
 
All joking aside, this is why the big companies make their own mainboards. Which is bad for us, because if Google spent resources on investigating Supermicro products, we would be much safer with the boards we could actually buy.
It depends on who "us" is. I'm not bothered. I'm not buying in to the respective hate weeks ordered by one government or the other, anyway, and I just let these guys have fun doing whatever they consider fun:

And, btw, don't tell me there is "danger to society" because "the enemy" might subvert vital functions of the network. I occasionally have a look into the sources, and I find so much lousy code piled upon other lousy code that I would not be surprised if things fail on occasion without the need for any agency to subvert them.
 