One Article Review
| Source |  Errata Security |
|---|---|
| Identifiant | 830749 |
| Date de publication | 2018-10-04 16:36:51 (vue: 2018-10-04 23:02:24) |
| Titre | Notes on the Bloomberg Supermicro supply chain hack story |
| Texte | Bloomberg has a story how Chinese intelligence inserted secret chips into servers bound for America. There are a couple issues with the story I wanted to address.The story is based on anonymous sources, and not even good anonymous sources. An example is this attribution:a person briefed on evidence gathered during the probe saysThat means somebody not even involved, but somebody who heard a rumor. It also doesn't the person even had sufficient expertise to understand what they were being briefed about.The technical detail that's missing from the story is that the supply chain is already messed up with fake chips rather than malicious chips. Reputable vendors spend a lot of time ensuring quality, reliability, tolerances, ability to withstand harsh environments, and so on. Even the simplest of chips can command a price premium when they are well made.What happens is that other companies make clones that are cheaper and lower quality. They are just good enough to pass testing, but fail in the real world. They may not even be completely fake chips. They may be bad chips the original manufacturer discarded, or chips the night shift at the factory secretly ran through on the equipment -- but with less quality control.The supply chain description in the Bloomberg story is accurate, except that in fails to discuss how these cheap, bad chips frequently replace the more expensive chips, with contract manufacturers or managers skimming off the profits. Replacement chips are real, but whether they are for malicious hacking or just theft is the sticking point.For example, consider this listing for a USB-to-serial converter using the well-known FTDI chip. The word "genuine" is in the title, because fake FTDI chips are common within the supply chain. As you can see form the $11 price, the amount of money you can make with fake chips is low -- these contract manufacturers hope to make it up in volume. The story implies that Apple is lying in its denials of malicious hacking, and deliberately avoids this other supply chain issue. It's perfectly reasonable for Apple to have rejected Supermicro servers because of bad chips that have nothing to do with hacking.If there's hacking going on, it may not even be Chinese intelligence -- the manufacturing process is so lax that any intelligence agency could be responsible. Just because most manufacturing of server motherboards happen in China doesn't point the finger to Chinese intelligence as being the ones responsible.Finally, I want to point out the sensationalism of the story. It spends much effort focusing on the invisible nature of small chips, as evidence that somebody is trying to hide something. That the chips are so small means nothing: except for the major chips, all the chips on a motherboard are small. It's hard to have large chips, except for the big things like the CPU and DRAM. Serial ROMs containing firmware are never going to be big, because they just don't hold that much information.A fake serial ROM is the focus here not so much because that's the chip they found by accident, but that's the chip they'd look for. The chips contain the firmware for other hardware devices on the motherboard. Thus, instead of designing complex hardware to do malicious things, a hacker simply has to make simple changes t |
| Envoyé | Oui |
| Condensat | $11 ability about accident accurate address agency all allegations already also amazon america amount anonymous any appear apple apple/amazon are article/ aspects attribution:a avoids background bad based because being big bloomberg bound briefed businessweek businessweeks but can case cases chain changes cheap cheaper china chinese chip chips citing clones com/blogs/security/setting com/newsroom/2018/10/what command common companies completely complex confirm confirmed confirming consider contain containing contract control converter could couple course cpu deliberately denials description designing detail devices direct directly discarded discuss doesn don done dram during effort engineer enough ensuring environments equipment erroneous even evidence example except expensive expertise factory fail fails fake fake chips finally find finger firmware first focus focusing following form found frequently from ftdi gathered genuine going good got hack hacker hacking had happen happened happens hard hardware harsh has have heard here hide hold hope how however https://www implies information inserted instead intelligence investigators invisible involved issue issues its just known large lax less like likewise listing look lot low lower lying made major make malicious malicious chips maliciousness manager managers manufactured manufacturer manufacturers manufacturing many may means messed missing money more most motherboard motherboards much nature never night not notes nothing nothing: off one ones organization original other out pass per perfectly person point premium price probable probably probe process profits pull quality question quoting ran rather real reasonable record refutation refutes rejected reliability rely replace replacement reporting reports reputable responsible reverse rom roms rumor saysthat secret secretly see sensationalism sensationalistic serial server servers shift simple simplest simply single skim skimming small software some somebody something somewhere sources spend spends sticking story story:https://aws straight sufficient supermicro supply technical testing than that theft then theory there these they things those through thus time title tolerances tried true trying ufos unconfirmed understand update: apple upon usb using vendors verify very volume want wanted weight well what when whether who within withstand word world worried wrong |
| Tags | Hack |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.