'Malicious chips' turn spotlight on supply chain security

By Ry Crozier on Oct 5, 2018 11:27AM
Testing the technical feasibility.

The security spotlight has been firmly thrust on the potential for - and technical feasibility of - supply chain attacks after Bloomberg claimed tiny “malicious chips” were added to server motherboards during manufacturing to alter their normal operation.

Bloomberg’s Businessweek last night reported more than 30 US companies were targeted in the attack where “a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design” was inserted by contract manufacturers.

The boards were allegedly supplied to the US-based server motherboard company Supermicro, and ended up in enterprise customers’ servers, Bloomberg reported.

Supermicro - and a selection of current and former large customers - have all denied ever finding “malicious chips” that had been incorporated into the motherboard during manufacture.

“Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found,” the company said in a statement.

Apple similarly said that it “has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”

“As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections,” Apple said.

“We did not uncover any unusual vulnerabilities in the servers we purchased from Supermicro when we updated the firmware and software according to our standard procedures.”

Likewise, Amazon said it had “never found modified hardware or malicious chips in servers in any of our data centres.”

Even though the so-called “malicious chips” have not been identified or “found” to date, extensive efforts are likely to be made over the coming weeks to confirm that they don’t - or didn’t - exist.

But there is also a wider question now of whether they could exist, and if so, how they would technically function.

Hardware security pentester Joe Fitz is one of the first domain experts to attempt to unpack the feasibility of the reported Supermicro compromise.

Fitz applied “a technical and feasibility lens” to the claims and said he was “confident there’s some truth to the story.”

He said that while hardware implants could be introduced during manufacture, they were “rare”, in part because there are “plenty of software vectors” available that are less complex, can achieve a similar result, and do not leave behind a physical item that could be discovered.

It has since emerged that the same attackers behind the alleged hardware compromise may also have used software-based vectors.

Fitz was also unclear about how the malicious chip communicated back to the nation state that allegedly planted it - a topic other security researchers have also speculated on.

“Every board has it, but we probably only care about one targeted customer of the board. This is where it gets complicated. If 10 million backdoored motherboards all ping the same home server, everyone will notice. I don’t have a solution here,” he said.
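Fitz’s point is also the defender’s opportunity: an implant that phones home from every board it sits on produces regular outbound connections from many hosts to the same destination, and that pattern is visible in flow logs. The script below is an added example, not from the article or from any researcher quoted in it. It runs over a small set of constructed flow records, flags host-to-destination pairs whose connection intervals are unusually regular, and then ranks destinations by how many internal hosts beacon to them. The hosts, addresses, timings and thresholds are all assumptions.

```python
"""Beacon detection over constructed outbound flow records (added example).

A host->destination pair is flagged when it has enough connections and the
spread of the intervals between them (coefficient of variation) is small,
i.e. the timing looks machine-driven rather than human-driven.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed jitter, in seconds, applied to each hourly beacon.
JITTER = [0, 12, -8, 5, -3, 9]


def build_sample_flows():
    """Return constructed records of (timestamp_seconds, source_host, destination_ip)."""
    flows = []
    # Three hosts contact the same external address roughly once an hour.
    for host in ("srv-01", "srv-02", "srv-03"):
        for k, j in enumerate(JITTER):
            flows.append((1000 + k * 3600 + j, host, "198.51.100.7"))
    # Irregular, human-driven traffic from srv-01 to an update mirror.
    for t in (1500, 1900, 6000, 15000, 15100, 30000):
        flows.append((t, "srv-01", "203.0.113.10"))
    # A pair with too few events to judge either way.
    flows += [(2000, "srv-02", "203.0.113.44"), (9000, "srv-02", "203.0.113.44")]
    return sorted(flows)


def interval_regularity(timestamps):
    """Return (mean interval, coefficient of variation) for sorted timestamps."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg > 0 else float("inf"))


def find_beacons(flows, min_events=4, max_cv=0.1):
    """Return {(src, dst): period_seconds} for pairs with regular connection timing."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue  # not enough samples to call it periodic
        period, cv = interval_regularity(sorted(times))
        if cv <= max_cv:
            beacons[pair] = round(period)
    return beacons


def rank_destinations(beacons):
    """Count distinct internal hosts beaconing to each destination, most first."""
    hosts = defaultdict(set)
    for (src, dst) in beacons:
        hosts[dst].add(src)
    return sorted(((dst, len(s)) for dst, s in hosts.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = find_beacons(build_sample_flows())
    for (src, dst), period in sorted(found.items()):
        print(f"{src} -> {dst}: ~{period}s period")
    for dst, n in rank_destinations(found):
        print(f"{dst}: {n} beaconing host(s)")
```

In practice the records would come from NetFlow, proxy or firewall logs, and the destination ranking is what turns a single odd host into a fleet-wide signal: one host with an hourly connection is unremarkable, but the same rare destination contacted on the same cadence by many servers of one model is exactly the “everyone will notice” case.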

Nicholas Weaver, a senior staff researcher focusing on computer security at the International Computer Science Institute, published his own detailed take on the alleged attack.

“The attack described in the article is actually plausible,” Weaver said.

“I expect we will see independent confirmation of this attack within a few weeks.”

Weaver said that as “modern circuit boards are filled with small support chips ... the backdoor chip would appear to be just another faceless component to all but the most detailed examination.”

He theorised that the attack could be aided by the “serial EEPROM chip or a serial FLASH chip, which is used to store program and other instructions used during the startup process”.
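If the startup code held in that serial flash is what an implant would tamper with, the corresponding defensive check is to dump the flash (for example with flashrom) and compare it, region by region, against a known-good image or vendor-published hashes. The following is an added example, not code from the article or from any vendor: it uses a constructed, hypothetical region layout and constructed image contents, hashes each region with SHA-256, and reports which regions differ from a golden manifest. On a real platform the region layout comes from the platform’s flash descriptor and the golden hashes from the board vendor’s firmware release.

```python
"""Region-wise comparison of a flash dump against a golden manifest (added example)."""
import hashlib

# Constructed, hypothetical layout: (region name, byte offset, byte length).
LAYOUT = [
    ("descriptor", 0x0000, 0x1000),
    ("boot", 0x1000, 0x7000),
    ("payload", 0x8000, 0x8000),
]
IMAGE_SIZE = 0x10000


def build_golden_image():
    """Constructed stand-in for a vendor image: each region has its own byte pattern."""
    image = bytearray(IMAGE_SIZE)
    for idx, (_, off, length) in enumerate(LAYOUT):
        image[off:off + length] = bytes([0x10 * (idx + 1)]) * length
    return bytes(image)


def region_hashes(image, layout=LAYOUT):
    """Return {region: sha256 hex} and refuse images that do not cover the layout."""
    hashes = {}
    for name, off, length in layout:
        if off + length > len(image):
            raise ValueError(f"image too short for region {name}")
        hashes[name] = hashlib.sha256(image[off:off + length]).hexdigest()
    return hashes


def diff_against_golden(image, golden_manifest, layout=LAYOUT):
    """Return the names of regions whose contents differ from the golden manifest."""
    actual = region_hashes(image, layout)
    return [name for name, _, _ in layout if actual[name] != golden_manifest[name]]


def tampered_copy(image, offset=0x2000, patch=b"\xde\xad\xbe\xef"):
    """Constructed modification inside the boot region, for demonstration only."""
    modified = bytearray(image)
    modified[offset:offset + len(patch)] = patch
    return bytes(modified)


if __name__ == "__main__":
    golden = build_golden_image()
    manifest = region_hashes(golden)          # would be vendor-published in practice
    print("clean dump differs in:", diff_against_golden(golden, manifest))
    print("modified dump differs in:", diff_against_golden(tampered_copy(golden), manifest))
```

Comparing per region rather than hashing the whole image matters because some regions (configuration, NVRAM, logs) legitimately change across boots; a finding in the boot region is far more significant than one in a settings region, and the manifest can exclude regions that are expected to vary.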

White hat lcamtuf tweeted a note of caution about the Bloomberg report, though he noted that on a broader level, it is “still prudent to worry about hardware supply chains.”

Other infosec researchers reserved judgment pending the expected release of more data that would either confirm or deny the existence of the “malicious chips”.

Copyright © iTnews.com.au . All rights reserved.