Hacking with Hidden Hardware: What’s the real story on SuperMicro?
On October 4th, Bloomberg released a stunning report called The Big Hack. Authors Jordan Robertson and Michael Riley claimed that Super Micro Computer Inc., whose products were used by Amazon, Apple, and major financial institutions, had installed secret chips “not much bigger than a grain of rice.” What is more, the authors alleged, China was behind it all. The impressively lengthy exposé, filled with eye-catching graphics, quickly made waves in the industry.
But is it true?
Apple quickly issued a denial in the strongest terms through their newsroom: “Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident.” Careful readers will note that Bloomberg did not claim that Apple found malicious chips, but that a “third-party security company” in Ontario did on their behalf. Ben Lovejoy of the blog 9To5Mac notes that an expert consulted by Robertson and Riley felt misrepresented by Bloomberg, and that the doubts he expressed were systematically downplayed. “Are you sure there is actually an additional hardware component? The attack you describe could easily be implemented in BMC firmware [which would] be just as stealthy and far less costly to design and implement. If they were really implants, are you sure they were malicious?” he told Robertson.
Amazon’s denials were no less vociferous: “there are so many inaccuracies in this article as it relates to Amazon that they’re hard to count… we never found modified hardware or malicious chips in servers in any of our data centers,” said CISO Steve Schmidt.
Robertson and Riley nevertheless doubled down on their allegations in an article dated October 9th, claiming “new evidence” supported their claims. Specifically, they cited former Israeli Army Intelligence Corps analyst Yossi Appelbaum as stating that “a major U.S. telecommunications company” likewise found manipulated hardware from SuperMicro, albeit of a slightly different form. Which major company? Appelbaum’s non-disclosure agreement prohibits him from saying.
If you’re feeling confused and unsure who to trust — American reporters and military officials with an interest in sensational stories about China, or less-than-transparent companies like Amazon and Apple with an equal interest in deflecting negative press — you’re not alone. The information being disseminated is far from impartial, and often second-hand at best.
That doesn’t mean we shouldn’t take this opportunity to think carefully about the often neglected area of hardware security.
While massive companies like Apple and Amazon possess the capacity to have their acquisitions reviewed by a team of electrical engineers, most businesses would never know if a malicious component had been surreptitiously added to their motherboards. Even if you could spot one, how confident are you that the firmware on all of your components — say, your Network Interface Cards — has not been compromised to include an SSH rootkit?
As hardware components grow smaller and more devices are added to our networks, constant monitoring of network devices and traffic patterns, along with strong enforcement of privileged account management (PAM), becomes that much more important. You may never be able to trust all of your hardware — or even the reporters and companies talking about it. But with the greater infrastructure visibility CyberSana provides, you’ve got a fighting chance.
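The monitoring the post recommends can be made concrete. An implant in a BMC or NIC, whether a chip or modified firmware, still has to talk to someone, and management interfaces normally have a very short list of legitimate destinations (NTP, syslog, the management console). The script below, an added example that is not part of the original post and not CyberSana code, takes that idea and runs it over constructed flow records: it flags any flow from the management network to a destination not on the expected list, then looks for flagged flows that repeat at a regular interval, the steady cadence a beaconing implant tends to show. The network ranges, addresses, ports and flow records are all constructed; the expected-destination list is an assumption you would replace with your own inventory.

```python
"""Flag unexpected and beacon-like outbound traffic from management (BMC) interfaces.

Added example for illustration; not from the original post or from CyberSana.
Every address, port and flow record below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Constructed: the out-of-band management network and the only destinations
# its BMCs are expected to contact (assumption; replace with your own inventory).
MGMT_NET = ipaddress.ip_network("10.50.0.0/24")
EXPECTED_DESTINATIONS = {
    ("10.50.0.250", 123),   # NTP
    ("10.50.0.251", 514),   # syslog
    ("10.50.0.10", 443),    # management console / jump host
}

# Constructed flow records: (epoch seconds, src_ip, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    (1000, "10.50.0.21", "10.50.0.250", 123, 76),
    (1000, "10.50.0.21", "10.50.0.251", 514, 300),
    (1060, "10.50.0.22", "10.50.0.250", 123, 76),
    (1000, "10.50.0.23", "203.0.113.17", 443, 512),   # not on the expected list...
    (1300, "10.50.0.23", "203.0.113.17", 443, 508),   # ...and repeating every 300 s
    (1600, "10.50.0.23", "203.0.113.17", 443, 515),
    (1900, "10.50.0.23", "203.0.113.17", 443, 510),
    (1200, "10.50.0.24", "10.50.0.10", 443, 4096),    # admin session, expected
    (1250, "10.50.0.24", "10.50.0.250", 123, 76),
    (1400, "10.50.0.25", "198.51.100.9", 53, 80),     # one-off, unexpected
]


def unexpected_flows(flows, mgmt_net=MGMT_NET, expected=EXPECTED_DESTINATIONS):
    """Return flows whose source is inside the management network but whose
    (dst_ip, dst_port) pair is not on the expected-destination list."""
    out = []
    for ts, src, dst, port, nbytes in flows:
        if ipaddress.ip_address(src) in mgmt_net and (dst, port) not in expected:
            out.append((ts, src, dst, port, nbytes))
    return out


def beacon_candidates(flows, min_flows=3, max_jitter_ratio=0.1):
    """Group flows by (src, dst, port) and flag groups whose inter-arrival
    times are regular: at least min_flows records, and the standard deviation
    of the gaps no more than max_jitter_ratio times the mean gap."""
    by_key = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_key[(src, dst, port)].append(ts)
    result = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter_ratio * avg:
            result[key] = {"count": len(stamps), "interval_s": avg}
    return result


def analyze(flows=SAMPLE_FLOWS):
    """Run both checks; beacon detection only considers already-unexpected flows."""
    suspects = unexpected_flows(flows)
    return {"unexpected": suspects, "beacons": beacon_candidates(suspects)}


if __name__ == "__main__":
    report = analyze()
    for flow in report["unexpected"]:
        print("unexpected management traffic:", flow)
    for key, info in report["beacons"].items():
        print("beacon-like pattern:", key, info)
```

On the sample data the script reports five unexpected flows and one beacon-like pattern (10.50.0.23 contacting 203.0.113.17:443 every 300 seconds). Two caveats worth keeping in mind: an implant that reaches out through the host's in-band NIC rather than the BMC will not appear in management-network flows, so the same allow-list logic needs to be applied per server role on the production side; and a beacon that adds random delay will defeat the jitter threshold, so the allow-list check, not the timing check, is the one to rely on.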