Someone once made up a story about a man that can walk on water. 2000 years later, in this day and age people still believe he was the Son of God.

Some people will still believe what they want to believe even if all the evidence and logic are contrary to that belief.
 
Or 1 person with 17 email addresses.

I encourage everyone who thinks this happened to PLEASE read the full article that Bloomberg wrote. First of all they say that Apple found the problem and discovered the chips. So all you posting about Apple not looking hard enough, them not knowing about it, etc, are arguing that Bloomberg's story is wrong in huge critical areas. Bloomberg says in the story that Apple replaced all 7000 Supermicro servers with this issue, so all of the theories that the government is using them to trap the hackers are wrong according to Bloomberg. The story says that Apple contacted the FBI about the problem. So everyone arguing that the FBI is running this thing is arguing that Bloomberg is wrong (which is true, but for whole other reasons, i.e. the story is made up). Also anyone with any serious knowledge of hardware knows that a 6 pin chip plugged "secretly" into the board and, at a best guess, attached to the RMC isn't going to be able to do most/any of the things Bloomberg says it is doing. On the software side, Apple and Amazon (and the other 28 companies) all run hugely different packages from each other, how does one chip get the data from all the different OS/App combinations?

Right now Apple and Amazon have said categorically that it didn't happen, they say they have had huge meetings about it trying to discover how the theory even got started. They are in violation of so many SEC laws if it really did happen that the officers and members of the Board of directors would be removed. 50 million Facebook accounts got hacked the other day, and everyone has gone on by today. Bad motherboards from Supermicro in servers at Apple that have already been replaced wouldn't make it above the fold. If you look at what has been affected, it really looks like someone was shorting Supermicro, as they closed Wednesday night at 21.40 a share and hit a 52 week low of 8.50 a share shortly after the story came out. That is over a 60% drop, on a story that isn't accurate on so many points technically that I and any other engineer who read it would have drawn all over it with red pen before it was published.
-Tig
I believe this.
 
Santa Claus is a fairytale we tell our children. Why would 17 people say something so specific about an operating system?

They didn't say anything about an operating system that is actually part of the problem. The Bloomberg story in short is that a part was added to a Supermicro motherboard by one of their alternate contract manufacturers in China, and eventually they ended up at Amazon, Apple and 20+ other companies. The chip in question hijacks reads from the memory system going to the processor and gathers data and then phones home, and sends data it acquired, all this without having any idea what OS or apps are going to be running on the motherboard. Does that sound like something you think can actually happen with the 6 pin part they are implying does the job? Both Apple and Amazon completely load everything on a server themselves, yet somehow this Magic Chip (TM) works identically on both, does the same thing on both systems, oh and somehow though they were only made at this one alternate overflow manufacturer who is no longer in business (because if they suggested it was Foxconn or one of the other big boys, those gentlemen would sue Bloomberg out of existence), 7000 servers from that alternate were sent to Apple. Apple discovers the problem because they are phoning home, finds the chip, calls the FBI, replaces 7000 servers all at no cost and with no one at any of the datacenters ever telling a funny story about replacing that many computers over 3 weeks to anyone. Still think it happened like Bloomberg said?
-Tig
 
Someone is making a lot shorting Supermicro now that they drove it down so low, and it may get bought out

As stated in the Bloomberg article (which I suggest people actually READ!), Supermicro was already delisted from NASDAQ (as of August 23) prior to the publication of the article, due to their missing several report filing deadlines.

https://www.marketscreener.com/SUPE...tisfy-a-Continued-Listing-Rule-or-S-27145410/

https://www.marketwatch.com/story/s...ted-as-filing-deadline-wont-be-met-2018-08-22

https://www.theregister.co.uk/2018/08/22/supermicro_facing_nasdaq_delisting/

Supermicro had ALREADY missed previous deadlines, and had agreed with NASDAQ to become current with their reports by August 24. On August 21, the company informed NASDAQ that they would not be able to meet the extended agreed-upon deadline.

"As previously disclosed, by decision dated May 9, 2018, the Panel granted the Company's request to continue its listing on Nasdaq's Global Select Market through August 24, 2018, subject to the condition that the Company become current with its SEC filings by that date and informs the Panel the Company is current with such filings. While the Company has made significant progress toward completing the necessary accounting review processes, it has determined that the Delinquent Reports will not be filed with the SEC by August 24, 2018. As a result of the updated timing, the Company expects that its common stock will soon be suspended from trading on Nasdaq's Global Select Market and the Panel will begin delisting proceedings."

Anyone still defending this fine company, which would never lie, because of the threat of the SEC bringing the hammer down?
 
Under the GDPR, Apple would face a fine of $4.5 billion for failing to disclose this issue to customers. Do you really think they'd risk keeping it secret? That would wipe out nearly half their annual profit. Also it'd be a major PR disaster to face the largest fine in the history of the world — far better to admit you were compromised and discovered the issue (they've happily made such admissions in the past).

And they say it was detected - Bloomberg cited "someone" in Apple claiming the company discovered the issue in 2015 and reported it to the FBI. Nobody is claiming this attack was impossible to detect.

Clearly somebody is lying here. It could be Bloomberg (unlikely), it could be all 13 of their sources (even more unlikely given there are so many of them), or it could be every major tech company in the U.S. (almost impossible). It's sad, because Bloomberg has published some good articles over the years, but I'm afraid I don't trust them after this.

They only have to report an actual security problem. According to the news story, this was discovered before the servers went into actual use. It would not be reportable.

My guess is that it was reported and some counterintelligence people took the servers. And told Apple "if anyone asks, this never happened."

What do you do when you find your phone is bugged? The best thing is to pretend you don't know it's bugged and give the person who bugged it some bogus information.

Counterintelligence people were happy to have these bugged servers and were using them to understand the Chinese up until this story broke.

So the news story was correct and there were bugged servers, and Apple is correct that no bugged servers were put to use. Apple also said they never dealt with the FBI; they are correct too because they have a contact in the NSA for this kind of work.

Everyone is actually telling the truth in the narrow sense.
 
Apple discovers the problem because they are phoning home, finds the chip, calls the FBI, replaces 7000 servers all at no cost and with no one at any of the datacenters ever telling a funny story about replacing that many computers over 3 weeks to anyone. Still think it happened like Bloomberg said?

Yes.

Perhaps Apple got their money back, and that's one of the reasons SuperMicro is having such difficulty filing its way overdue reports - coming up with some plausible explanations for the sudden downturn of their business as several large (undisclosed) customers switched suppliers. (They have admitted to that without naming names.)

It's notable that InQTel - investment arm of the CIA - had invested in Elemental Systems, the company that bought SuperMicro boards to make servers that Amazon was buying. Amazon subsequently bought Elemental (apparently, they were interested in some video distribution software) and then spun-off the server arm to a Chinese company.

Unrelated, I love this understated quote from the Bloomberg article. Somebody has a dry wit:

"Elemental servers sold for as much as $100,000 each, at profit margins of as high as 70 percent, according to a former adviser to the company. Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not."
 
They didn't say anything about an operating system that is actually part of the problem. The Bloomberg story in short is that a part was added to a Supermicro motherboard by one of their alternate contract manufacturers in China, and eventually they ended up at Amazon, Apple and 20+ other companies. The chip in question hijacks reads from the memory system going to the processor and gathers data and then phones home, and sends data it acquired, all this without having any idea what OS or apps are going to be running on the motherboard. Does that sound like something you think can actually happen with the 6 pin part they are implying does the job? Both Apple and Amazon completely load everything on a server themselves, yet somehow this Magic Chip (TM) works identically on both, does the same thing on both systems, oh and somehow though they were only made at this one alternate overflow manufacturer who is no longer in business (because if they suggested it was Foxconn or one of the other big boys, those gentlemen would sue Bloomberg out of existence), 7000 servers from that alternate were sent to Apple. Apple discovers the problem because they are phoning home, finds the chip, calls the FBI, replaces 7000 servers all at no cost and with no one at any of the datacenters ever telling a funny story about replacing that many computers over 3 weeks to anyone. Still think it happened like Bloomberg said?
-Tig

Never say it can't be done because YOU can't figure out how to do it. "That's impossible because I could not make such a chip". But you know what? I could. The small chip has few pins because the data going from memory, in this case, uses a serial interface called I2C. All they need to do is cut one trace and make four connections.

When they say "memory" it is not the kind of RAM end users can buy as sticks. This is serial EEPROM. The chip was likely not custom made. More than likely a custom programmed 8-bit microcontroller like the AVR ATiny-4 or the 8 or the 11. All these cost under a buck and are truly tiny if you buy the "CS" (chip scale) package. Technically this is not rocket science, some work, yes, but they did not need to advance the state of the art. It's not that hard to figure out how this could have been done. The little chip does NOT send data. It injects code that uses the normal server hardware to send data.
 
And from a quick glance, it looks like the illustrations depict china hacking our pencils!

For anybody who might think otherwise, that animation showing a server blade emerging from the center of a pencil is a fake - I'd guess a meme making the rounds - (OP is welcome to take credit if they created it...) and not from Bloomberg.

Reported to MacRumors - which chose not to take action - and to Bloomberg.

I point this out because it DID fool me briefly, having me thinking "what was the illustrator thinking"?

Cute, funny, haha, but incorrectly and unfairly portrays Bloomberg as incompetent.

And EXACTLY the real definition of "fake news".
 
This is one reason I use a different cloud provider, even though my use case is not particularly sensitive. I do not want to be using what "everybody" is using.
The thing is, even if Bloomberg is true, Apple and Amazon will deny this allegation in public, their whole business is at stake. In a closed door meeting with government they might agree that this is true and that they have fixed the issue, but what is the confidence that other cloud providers don't have the same issue?
 
For anybody who might think otherwise, that animation showing a server blade emerging from the center of a pencil is a fake - I'd guess a meme making the rounds - (OP is welcome to take credit if they created it...) and not from Bloomberg.

Reported to MacRumors - which chose not to take action - and to Bloomberg.

I point this out because it DID fool me briefly, having me thinking "what was the illustrator thinking"?

Cute, funny, haha, but incorrectly and unfairly portrays Bloomberg as incompetent.

And EXACTLY the real definition of "fake news".
I'm honestly amazed you think anybody would take such an obvious joke seriously, but I suppose you yourself have managed to.

The first five words of my OP are "From a quick glance," so I don't know why you expected what followed to be my lasting impression of the illustration. The whole illustration's text gets radially wiped away, the animation plays, and then the text CHINA HACKED PENCILS is wiped back in place of the original text. How would that illustration/text make any sense in the context of a legitimate article? Why would the article explicitly detail a hack, only to remove half of their explanation and say something contradictory?

I feel like I've made a knock-knock joke, and you've replied by explaining that many people actually have doorbells and that the name "Orange" is fairly uncommon. Feel free to keep this chain of missing-the-point going, but I'm opting out. Have a wonderful day.
 
As stated in the Bloomberg article (which I suggest people actually READ!), Supermicro was already delisted from NASDAQ (as of August 23) prior to the publication of the article, due to their missing several report filing deadlines.

Anyone still defending this fine company, which would never lie, because of the threat of the SEC bringing the hammer down?

If you actually read the article then you must realize it's not possible to do what they are claiming, so why care about whether Supermicro is being delisted or not. No one is defending Supermicro, the story CLAIMS that Apple and Amazon discovered the issue and both companies then contacted the FBI who has been investigating it. Both Apple and Amazon say that's not true, as several including me have pointed out, their language if it were true would leave Apple and Amazon exposed to 100s of millions in SEC fines. Why do you think Amazon and Apple are willing to rack up a billion in fines and Jeff Bezos and Tim Cook lose their jobs over some company that may soon be delisted from Nasdaq?
-Tig
 
If you actually read the article then you must realize it's not possible to do what they are claiming,

On what basis? Because you say so? You've not addressed any specific claims that you feel are not achievable nor the reasons.

You've also consistently misquoted the article. For example stating that it involved only one contract manufacturer, when the article clearly states it was several, and even went into the methods that were used to coerce management at multiple companies.

Based on my 45+ years of experience as a software engineer, including some hardware design including some circuit design and board layout, and considerable firmware work, working with digital and analog hardware engineers to debug new designs (e.g. wrote the test routines to enable hardware test, etc.), working with the I2C protocol, what they are claiming seems easily achievable. Not just achievable with some exotic technology, but easily achievable.

These boards were NOT designed by Apple or Amazon, they chose from available features. They had no reason to finely inspect boards at the physical level to ensure that they corresponded to designs that they themselves did not create. The article makes it clear that this is a general unexpected weakness in our supply chain that has now been exposed.

This is not going to rack up a billion in fines, if they were ordered to shush. The appropriate agencies would get the word to the SEC if it ever came up. And anyway, there is likely nothing here that would require disclosure by Apple or Amazon. It's quite possible no actual damage ever occurred. It's also possible/likely there was little or no financial damage to either company, as it's likely payment was either never made or refunded, or made up by - ahem - some third party.

The fact that SuperMicro is bleeding and unable to offer an explanation to the point where they would let their NASDAQ listing lapse corroborates that they likely were never paid for these servers or had to return payments. They could well be between a rock and a hard place, having to choose between breaking securities laws and breaking national security laws. For now, their NASDAQ listing has lapsed. If they continue to not produce the required filings, they will likely face federal prosecution. (But, given the special circumstances, I'll bet it will just be somehow "forgotten about").

Whether or not the position they've been put in is extralegal is not my call. IMO it happens.

If you were the security agencies, who would you throw under the bus? Apple and Amazon, or SuperMicro?

Apple and Amazon are "too big to fail" and "too important to fail". It is IMO a matter of national security that they not be damaged to the point of failure. (Not that this would be likely to do that.)

I'll leave you with another juicy quote from the article:

"Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China.

The company’s pitch to customers hinges on unmatched customization, made possible by hundreds of full-time engineers and a catalog encompassing more than 600 designs. The majority of its workforce in San Jose is Taiwanese or Chinese, and Mandarin is the preferred language, with hanzi filling the whiteboards, according to six former employees. Chinese pastries are delivered every week, and many routine calls are done twice, once for English-only workers and again in Mandarin. The latter are more productive, according to people who’ve been on both. These overseas ties, especially the widespread use of Mandarin, would have made it easier for China to gain an understanding of Supermicro’s operations and potentially to infiltrate the company. (A U.S. official says the government’s probe is still examining whether spies were planted inside Supermicro or other American companies to aid the attack.)"

BTW, it would not be easy to short a delisted company. Those with shorts in place prior to the delisting, though, are probably in the cat-bird's seat. They can likely ride it to zero.
 
Never say it can't be done because YOU can't figure out how to do it. "That's impossible because I could not make such a chip". But you know what? I could. The small chip has few pins because the data going from memory, in this case, uses a serial interface called I2C. All they need to do is cut one trace and make four connections.

When they say "memory" it is not the kind of RAM end users can buy as sticks. This is serial EEPROM. The chip was likely not custom made. More than likely a custom programmed 8-bit microcontroller like the AVR ATiny-4 or the 8 or the 11. All these cost under a buck and are truly tiny if you buy the "CS" (chip scale) package. Technically this is not rocket science, some work, yes, but they did not need to advance the state of the art. It's not that hard to figure out how this could have been done. The little chip does NOT send data. It injects code that uses the normal server hardware to send data.

I am willing to wager 10K you can't do it. Last fool that bet me like this bought my pool for me, not sure what I am going to do with your money, but it will be fun. Before taking the bet, you need to read the entire article on Bloomberg and understand all the "magic" the chip "did". I have yet to have anyone read the whole article, understand it and then think it was possible. I have myself and 49 other very good engineers here with a combined history of over 1000 years of experience, and not one of us thinks that this is even close to a doable thing, and we have done lots of crazy things over the years.

Here is part of the problem, from the article

"This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects."

You aren't doing that over an I2C bus on a server running a random OS/Application/Client mix you have no idea about when the server is shipped.

And also this:

"Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off."

You can't do that all from the BMC, it literally says the chip is connected to the BMC, so anything it says the chip is doing which you can't do talking through the BMC, can't happen. That is hardware 101.
-Tig
On what basis? Because you say so? You've not addressed any specific claims that you feel are not achievable nor the reasons.

You've also consistently misquoted the article. For example stating that it involved only one contract manufacturer, when the article clearly states it was several, and even went into the methods that were used to coerce management at multiple companies.

Based on my 45+ years of experience as a software engineer, including some hardware design including some circuit design and board layout, and considerable firmware work, working with digital and analog hardware engineers to debug new designs (e.g. wrote the test routines to enable hardware test, etc.), working with the I2C protocol, what they are claiming seems easily achievable. Not just achievable with some exotic technology, but easily achievable.

These boards were NOT designed by Apple or Amazon, they chose from available features. They had no reason to finely inspect boards at the physical level to ensure that they corresponded to designs that they themselves did not create. The article makes it clear that this is a general unexpected weakness in our supply chain that has now been exposed.

This is not going to rack up a billion in fines, if they were ordered to shush. The appropriate agencies would get the word to the SEC if it ever came up. And anyway, there is likely nothing here that would require disclosure by Apple or Amazon. It's quite possible no actual damage ever occurred. It's also possible/likely there was little or no financial damage to either company, as it's likely payment was either never made or refunded, or made up by - ahem - some third party.

The fact that SuperMicro is bleeding and unable to offer an explanation to the point where they would let their NASDAQ listing lapse corroborates that they likely were never paid for these servers or had to return payments. They could well be between a rock and a hard place, having to choose between breaking securities laws and breaking national security laws. For now, their NASDAQ listing has lapsed. If they continue to not produce the required filings, they will likely face federal prosecution. (But, given the special circumstances, I'll bet it will just be somehow "forgotten about").

Whether or not the position they've been put in is extralegal is not my call. IMO it happens.

If you were the security agencies, who would you throw under the bus? Apple and Amazon, or SuperMicro?

Apple and Amazon are "too big to fail" and "too important to fail". It is IMO a matter of national security that they not be damaged to the point of failure. (Not that this would be likely to do that.)

I'll leave you with another juicy quote from the article:

"Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China.

The company’s pitch to customers hinges on unmatched customization, made possible by hundreds of full-time engineers and a catalog encompassing more than 600 designs. The majority of its workforce in San Jose is Taiwanese or Chinese, and Mandarin is the preferred language, with hanzi filling the whiteboards, according to six former employees. Chinese pastries are delivered every week, and many routine calls are done twice, once for English-only workers and again in Mandarin. The latter are more productive, according to people who’ve been on both. These overseas ties, especially the widespread use of Mandarin, would have made it easier for China to gain an understanding of Supermicro’s operations and potentially to infiltrate the company. (A U.S. official says the government’s probe is still examining whether spies were planted inside Supermicro or other American companies to aid the attack.)"

BTW, it would not be easy to short a delisted company. Those with shorts in place prior to the delisting, though, are probably in the cat-bird's seat. They can likely ride it to zero.
You've also consistently misquoted the article. For example stating that it involved only one contract manufacturer, when the article clearly states it was several, and even went into the methods that were used to coerce management at multiple companies.
You are correct that it says there were 4 sources for the boards, but it also quite clearly points out that it is not the 3 main manufacturers of Supermicro (Foxconn and Friends).

Based on my 45+ years of experience as a software engineer, including some hardware design including some circuit design and board layout, and considerable firmware work, working with digital and analog hardware engineers to debug new designs (e.g. wrote the test routines to enable hardware test, etc.), working with the I2C protocol, what they are claiming seems easily achievable. Not just achievable with some exotic technology, but easily achievable.
No, it's not. Something hooked by I2C to the BMC cannot do what they are saying. If you disagree tell me how. I got me 49 others here that strongly disagree with you.

These boards were NOT designed by Apple or Amazon, they chose from available features. They had no reason to finely inspect boards at the physical level to ensure that they corresponded to designs that they themselves did not create. The article makes it clear that this is a general unexpected weakness in our supply chain that has now been exposed.

I know all about that they were not designed by Apple and Amazon, not the point. The issue is you can't use the BMC to do what Bloomberg is claiming, thus their claim that you can is incorrect. I'll officially say it's not an unexpected weakness, it's something that is checked for all the time, but not for Magic chips, but for board quality, solder quality, part quality (which is probably what started this entire mess), Bloomberg is just too stupid to know what a counterfeit part is.

This is not going to rack up a billion in fines, if they were ordered to shush. The appropriate agencies would get the word to the SEC if it ever came up. And anyway, there is likely nothing here that would require disclosure by Apple or Amazon. It's quite possible no actual damage ever occurred. It's also possible/likely there was little or no financial damage to either company, as it's likely payment was either never made or refunded, or made up by - ahem - some third party.
Sorry, they can't be ordered to lie by Congress or anyone. "No comment" and "we are investigating the situation" are the press comments if they are asked to be quiet about it. If saying IT DID NOT HAPPEN is a direct lie, that is a huge SEC fine; that is the easiest reason to understand that this did not happen.

BTW, it would not be easy to short a delisted company. Those with shorts in place prior to the delisting, though, are probably in the cat-bird's seat. They can likely ride it to zero.

Supermicro in trading today closed up 19.75% at 14.75. It's off Nasdaq; that doesn't mean you can't buy it or it's not trading.
-Tig
 
The whole thing seems improbable to me.

1. A chip the size of a sharpened pencil tip.
Where is a sample?
Intel's 10nm process is 100 million transistors per mm^2.
I doubt they are using 10nm but for arguments sake we'll say they are.
100 million/6 transistors per gate means 16 million gates.
But 1mm square is bigger than the tip of a pencil and that's the whole package and not just the die.
So the chip must be much smaller.
So they can have maybe 1/10 of that, but 1.6 million gates is pretty good and can do a lot of things, oh but they also said memory. So let's say they have a simple micro and compiled ROM and some RAM.
What about the connections? A chip that small will have a limited number of pins.

Let's assume for a minute they use a ring oscillator because you will need a clock.
You also need at least two pins for the power supply.
You are going to need to sniff data and be able to insert data and communicate with the outside world; so where do you put this chip?

2. Inserted at the factory.
So they modified the schematics and the fabrication for the motherboards?
They would have had to, otherwise, how do you connect this chip?
If they didn't modify the actual schematic and the automated pick and place used in manufacturing, then it wouldn't be feasible. If they did this, a lot of logistics need to change just to get the part on the board.

You still need connections to subsystems on the computer and also a way to interface through the outside world. If it's as small as they say, how did it communicate? If it's to inject code into the OS, you need to have an understanding of which kernel is running so you can inject the code into memory space. You can't just patch the kernel without knowing what kernel is running and where to inject the code. You are more likely to crash the machine than to snoop.

If you do that, why not bury code in the BIOS? That would be a lot easier than this method and cost a lot less.

3. Modified MB goes into server. Okay, let's assume they modified the MB.

4. Sold to multiple companies. Normally you install the OS before it gets to the data center so you can do burn in testing.
Nobody detects the traffic that is being generated to an IP address over an interface that should not be active during burn in?

5. When turned on, the OS was modified? How?
The bootstrap is in the BIOS.
I just don't see the plausibility of a separate chip inserted on the motherboard unless you bury underneath or next to the flash chip for the BIOS. Too many connections necessary for it to work and you also need to know not only what OS, but what version of the OS.

If you say the BIOS is patched when loaded into memory, then how do you guarantee the patched code stays resident?
Once again, it would be easier just to hack the BIOS.

If you say it's on the service processor and it's dialing home, you would be able to see the network traffic and be able to sniff packets.

This sounds like a bunch of non-technical people speculating who don't fully understand the complexity involved in what they speculate.

So to summarize:
A chip that cannot be detected was inserted on the motherboard of a computer where the schematics were modified along with the automated pick and pull to manufacture the MB. The chip had enough smarts programmed to modify *ANY* OS or BIOS and insert spy code that also would not be detected; that would also phone home so that nefarious individuals could further compromise the systems.

Okay.
But if you just told me the BIOS was compromised it would be easier to do and a lot more believable.
 
You aren't doing that over an I2C bus on a server running a random OS/Application/Client mix you have no idea about when the server is shipped.

The article doesn't state that.

Injection would be at boot time, no OS at that time. And anyway, the OS would almost certainly be some flavor of Linux, as if that mattered.
Supermicro in trading today: it closed up 19.75% at 14.75. It's off Nasdaq; that doesn't mean you can't buy it or it's not trading.

Shorting isn't buying. It's selling what you don't have. But you have to borrow what you don't have. When it's unlisted, it's difficult. Most brokers won't do it.

And anyway, the short interest is small. You can look it up.

http://shortsqueeze.com/?symbol=smci&submit=Short+Quote
What about the connections? A chip that small will have a limited number of pins.

I maintain you need ZERO pins. Two makes it easier. Three makes it easier. Four makes it really easy. Both power and signal can be done inductively. If zero pins, power would have to be "stolen" from signal transitions and stored somehow - capacitor or battery. But from the description, not that exotic.

One version, according to the article, was embedded between the layers of the circuit board.
If it's to inject code into the OS, you need to have an understanding of which kernel is running

Not rocket science. It will be a version of Linux or BSD. But probably Linux.
I just don't see the plausibility of a separate chip inserted on the motherboard unless you bury underneath or next to the flash chip for the BIOS. Too many connections necessary for it to work

Flogging the horse.

Everything programmable is programmable over the I2C serial bus. TWO lines. (Sorry, yes, I said one...) You just need to get at the I2C bus. Which runs all over the place.

http://www.ti.com/lit/an/slva704/slva704.pdf
Normally you install the OS before it gets to the data center so you can do burn in testing.

It would be rather foolish for it to reveal itself during burn-in. Do you think they are that stupid?
A chip that cannot be detected

It's a chip that WAS detected. That's a major premise of the article.
The chip had enough smarts programmed to modify *ANY* OS or BIOS and insert spy code that also would not be detected;

Who said that? Not I. Nor the article.

BTW, I doubt these boards have a BIOS. That's a blast from the past. But I will grant that by BIOS you probably mean EFI, right?
----
I'll grant one bit of skepticism. If it was able to communicate with external systems over a separate management port, then Apple/Amazon/whoever was REALLY sloppy. It was mentioned, though, that the discovery occurred in a development environment, and some sloppiness is to be expected there, because "it's not production".

We don't know if they went to the trouble of putting management ports on a separate switch, or even on a separate VLAN. And we don't know if they also had Chinese switches. ;)

There were simplifications made for the article, and the writer admits such. I think any exfiltration or command (and I'm not convinced that was necessarily the goal) would more likely have been done by the infected firmware, whether that might be BIOS/EFI, processor, or other. (Could even be a hard drive controller that would store or deliver modified data.)
 
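The point argued in the posts above, that a service processor dialing home would show up as network traffic and that management ports belong on their own switch or VLAN, can be turned into a check over flow records. This is an added example, not any poster's code; the management subnet 10.20.0.0/24, the allow-list and the flow lines are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow export (time,src,dst,dport,bytes); not data from the thread.
SAMPLE_FLOWS = """\
2018-10-08T09:00:01,10.20.0.11,10.20.0.5,514,420
2018-10-08T09:00:03,10.20.0.12,10.20.0.6,123,90
2018-10-08T09:02:10,10.20.0.13,203.0.113.77,443,1830
2018-10-08T09:02:40,10.30.4.8,198.51.100.9,443,52000
2018-10-08T09:07:10,10.20.0.13,203.0.113.77,443,1795
2018-10-08T09:09:55,10.20.0.11,10.30.4.8,22,300
"""

# Assumptions: BMC/management ports live in this VLAN and should only talk inside it.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DSTS = [MGMT_NET]


def parse_flows(text):
    """Parse CSV flow lines into dicts with typed address and counter fields."""
    flows = []
    for ts, src, dst, dport, nbytes in csv.reader(io.StringIO(text)):
        flows.append({
            "time": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def bmc_egress(flows, mgmt_net=MGMT_NET, allowed=ALLOWED_DSTS):
    """Summarise flows that start on the management network and leave it."""
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "first_seen": None})
    for f in flows:
        if f["src"] not in mgmt_net:
            continue  # not a management-port source
        if any(f["dst"] in net for net in allowed):
            continue  # expected management traffic (syslog, NTP, jump host)
        h = hits[(str(f["src"]), str(f["dst"]), f["dport"])]
        h["flows"] += 1
        h["bytes"] += f["bytes"]
        # ISO 8601 timestamps sort correctly as strings
        if h["first_seen"] is None or f["time"] < h["first_seen"]:
            h["first_seen"] = f["time"]
    return dict(hits)


if __name__ == "__main__":
    for (src, dst, dport), h in sorted(bmc_egress(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{src} -> {dst}:{dport} flows={h['flows']} "
              f"bytes={h['bytes']} first={h['first_seen']}")
```

The same rule catches both cases raised in the thread: a management port reaching an outside address, and one reaching into the production network because the two were never separated.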
You aren't lying if you were never informed. That's part of the point of the "need to know" here.

I'll start holding more credence to the denials if Katherine Adams makes a statement.

If there is / was a national security interest, the feds have zero ****s to give if Apple accidentally lies by denying. As long as they don't confirm, they're good.

It's as if people have forgotten about the Patriot Act, and how its entire basis for circumventing the Constitution is "national security."

You do realize that if Apple doesn’t know about this, then Bloomberg’s claim that several Apple people knew about this is instantly debunked, right?

But sure... maybe there’s some massive yet to be undiscovered conspiracy...

But I’m wondering why you keep trying to steer people away from the real obvious smoking gun here? What’s your real agenda? Likely the coverup after Roswell and the captured extraterrestrial tech being deployed by shadowy government agencies and led by Bigfoot. But we’re going to keep looking until we find him, because we’ve all seen the mold made of a partial footprint. Excelsior! :rolleyes:
The problem is a technical English issue "Nothing was ever found" well it might be there but perhaps you didn't look hard enough?

Yep, that’s exactly how big government coverups and black ops programs work, hidden right between word definitions and nuances in corporate press releases. :rolleyes:

I guess it’s kool aid time, but nobody gave me a cup.
 
No, that's not the way an EEPROM is programmed today. Good lord, we did that in the 80s!

Look up I2C. It's been around since 1982. It's a serial bus. It's how you "program" just about anything on a chip today. It has a lot of other uses, BTW. For example, used during manufacturing test.


No. There's no need for 18~34 lines. One. Line. It's a serial bus.

It's never been stated that the chip has access to the processor bus, which would require more pins than 18-34 anyway.

Not in these servers! You’re thinking PC, not Xeon-based systems based on tech 5 years ago. Remember when this was to have happened.

Today’s serial I/O is two or four lines
The whole thing seems improbable to me.

1. A chip the size of a sharpened pencil tip.
Where is a sample?
Intel's 10nm process is 100 million transistors per mm^2.
I doubt they are using 10nm but for argument's sake we'll say they are.
100 million/6 transistors per gate means 16 million gates.
But 1mm square is bigger than the tip of a pencil and that's the whole package and not just the die.
So the chip must be much smaller.
So they can have maybe 1/10 of that, but 1.6 million gates is pretty good and can do a lot of things, oh but they also said memory. So let's say they have a simple micro and compiled ROM and some RAM.
What about the connections? A chip that small will have a limited number of pins.

Let's assume for a minute they use a ring oscillator because you will need a clock.
You also need at least two pins for the power supply.
You are going to need to sniff data and be able to insert data and communicate with the outside world; so where do you put this chip?

2. Inserted at the factory.
So they modified the schematics and the fabrication for the motherboards?
They would have had to, otherwise, how do you connect this chip?
If they didn't modify the actual schematic and the automated pick and place used in manufacturing, then it wouldn't be feasible. If they did this, a lot of logistics need to change just to get the part on the board.

You still need connections to subsystems on the computer and also a way to interface through the outside world. If it's as small as they say, how did it communicate? If it's to inject code into the OS, you need to have an understanding of which kernel is running so you can inject the code into memory space. You can't just patch the kernel without knowing what kernel is running and where to inject the code. You are more likely to crash the machine than to snoop.

If you do that, why not bury code in the BIOS? That would be a lot easier than this method and cost a lot less.

3. Modified MB goes into server. Okay, let's assume they modified the MB.

4. Sold to multiple companies. Normally you install the OS before it gets to the data center so you can do burn in testing.
Nobody detects the traffic that is being generated to an IP address over an interface that should not be active during burn in?

5. When turned on, the OS was modified? How?
The bootstrap is in the BIOS.
I just don't see the plausibility of a separate chip inserted on the motherboard unless you bury underneath or next to the flash chip for the BIOS. Too many connections necessary for it to work and you also need to know not only what OS, but what version of the OS.

If you say the BIOS is patched when loaded into memory, then how do you guarantee the patched code stays resident?
Once again, it would be easier just to hack the BIOS.

If you say it's on the service processor and it's dialing home, you would be able to see the network traffic and be able to sniff packets.

This sounds like a bunch of non-technical people speculating who don't fully understand the complexity involved in what they speculate.

So to summarize:
A chip that cannot be detected was inserted on the motherboard of a computer where the schematics were modified along with the automated pick and pull to manufacture the MB. The chip had enough smarts programmed to modify *ANY* OS or BIOS and insert spy code that also would not be detected; that would also phone home so that nefarious individuals could further compromise the systems.

Okay.
But if you just told me the BIOS was compromised it would be easier to do and a lot more believable.

Bottom Line - It’s Pure Fiction!!

If I was Apple I would send Bloomberg a ton of invites to the next product announcement and escort them to a separate room and embarrass the hell out of them by walking them on the stage to chastise them!
 
This would be easy to check. I highly doubt that Apple gave a Chinese company a schematic instead of a PCB layout. Just do a component count to start then inspect the board. Unless, of course, multi-layer boards can have components embedded in the layers. Even then, you reflow the board to remove all the surface components and x-ray the thing.
 
Bloomberg just wanna pull a CNN / Washington Post
Bloomberg is fake news; I'm telling you all. You need to pay attention to them.

And WHATEVER you do, always double-check what they're telling you before you take any investment advice from them! Please, oh please, do your homework, or you'll be singing a tale of woe.
Bloomberg, fire your liar and the world will be quiet again!
Shame Bloomberg. Investigative journalism is not your strength.
Neither "investigative" nor "journalism" correctly describe Bloomberg.

Just saying.... SuperMicro sells how many motherboards? And there's not even some back office blurry cell phone photo of a "compromised motherboard" with top secret Chinese "microchip" (if that's even its real name) that changes how the host operating system works.

C'mon Bloomer.
Well put.

Ahhh... let's continue to categorize everything that we don't fully understand or opposes our views as "Fake News" after all everyone's doing it!!
You don't understand what we mean by "fake news".

When a reporter or news organization takes one major thing out of context so as to completely paint a different picture in the whole article, that is Fake News.

When a news organization does what CNN did after the Parkland, Florida shooting, how they let the sheriff lie on live TV and how they let the sheriff and the audience treat Dana Loesch...THAT is an example of Fake News. They KNEW the truth. They KNEW that the sheriff knew the truth. Yet they let misrepresentation rule the day in that town hall.

I'm sorry folks, but that is Fake News. It has nothing to do with "don't understand it". No, any time a news organization tries to obfuscate, misrepresent, or outright LIE about the facts in order to push their agenda or their "template", that's what Fake News is.

Learn this. Times have changed, and more and more of us won't put up with it anymore. We're leaving television and radio in DROVES. We're not going to movies. Some of us are even avoiding concerts. Artists, keep your urge to diss America under control, or risk losing more and more paying customers.

So it’s Bloomberg against multiple companies and government agencies (from different countries to boot). Bloomberg is probably just going to ride this until people forget about it. I mean they have succeeded in inserting the narrative. Now people will have that chip in their mind, no matter what. That’s the point. Just like many other “news”. The point is to get in first with a bang and put certain imagery into people’s minds. It works well with the “wars” etc.
You have a point. They have succeeded in inserting the narrative. But people like me will constantly remind others that Bloomberg is beholden to an ideology so far, that they can't help but put out Fake News. It will happen more and more now from Bloomberg, especially if they start thinking that they're going to get away with it.

So pay attention, and play the home game with me. You'll see!

Holy crap! Everything being hand scribed in the offices of Apple and Amazon is being relayed back to the motherland!
LOL, that's hilarious!

There is a big flaw in Bloomberg’s report...

So calm down and put away your certificates.
Hehe, you almost made me spit my Diet Mountain Dew all over my screen. :eek::D

CNN and Washington Post are reputable news sources that statistically get it right a lot more often than Fox News does, which frequently outright lies and significantly distorts things.
I'm sorry, but CNN and WaPo have liberal agendas. You can see CNN's bias on plain display at White House press conferences, and at the Parkland town hall I mentioned above. I hope you'll start reading more critically.

If I was Apple I would send Bloomberg a ton of invites to the next product announcement and escort them to a separate room and embarrass the hell out of them by walking them on the stage chastise them!
No, just don't invite them. Like with trolls, embarrassing them would just feed them. Instead, I'd put them on the "excrement list", which means they wouldn't be allowed to attend events. They could attend press conferences, but would be disallowed from asking questions at press conferences. Then tell them how long they'll be in the penalty box. I suggest 6 months for first offense, 2 years for second offense or for blatant "Fake News" violations.
 
Bloomberg is fake news; I'm telling you all.

Ad hoc, ergo proptor hoc.
I highly doubt that Apple gave a Chinese company a schematic instead of a PCB layout.

Apple did neither. They selected from a catalog of product features.

SUBSEQUENTLY, Apple - like Google - has embarked on a mission to better control their supply chain by starting to design their own servers. This incident predates that initiative.

These, from 2016.

https://www.zdnet.com/article/apple-designing-its-own-icloud-servers-to-avoid-surveillance/

"A report by The Information (paywalled) said that the iPhone and iPad maker has "long suspected" that servers it orders from the traditional supply chain were intercepted while they were in the mail. That's where "unknown third parties" would add chips and modify firmware to "make them vulnerable to interception."

It became so much of a concern that the company would assign people to "take photographs of motherboards and annotate the function of each chip, explaining why it was supposed to be there," the report said.

Building its own servers in-house on motherboards it designed and manufactured would be a "surefire way" to prevent such interception."

----
This is PROBABLY referring to interdiction by US intelligence agencies, however.

In any case, the SuperMicro servers were not designed by Apple. No schematic. No PCB layout. Catalog shopping. From a sophisticated catalog. "Custom built" to be sure, but at the Chinese Menu (haha) level. I'll have one from column A and 2 from column B. Because SuperMicro would be foolish to actually stock all of the variations they offer on their products. In fact, there are probably enough combinations to make that impossible.
 
There is no doubt that the Chinese government could put some chips into some server hardware. There is _huge_ doubt that this could happen without companies like Apple or Amazon detecting it very quickly. And by now, it is 100% safe to say that Apple and Amazon would have found these chips. There is also huge doubt that Apple and Amazon would be lying about it.

Two sides to every coin. Unfortunately, one may also cheat.
 
You do realize that if Apple doesn’t know about this, then Bloomberg’s claim that several Apple people knew about this is instantly debunked, right?
I don't know if it's true. I'm just providing some background for the "it's possible" argument.

Apple is a ginormous company. You can't make a statement like "Apple doesn't know" in a scenario like this.

Apple has historically been a super secretive company, project teams are not supposed to talk to other project teams unless specifically authorized, etc etc.

So assuming someone did discover something funky with a server mobo, that information wouldn't have gotten far.

So we're talking theoretically about the few or so people that would have been involved with the discovery + lead counsel that would know / be gagged by a national security letter.

Everyone else could deny deny deny because they were never informed.
 
Well, the conspiracy theorist in me screams this was a republican hoax to try and destabilize the tech industry Trump is jealous of and try and prove that you can't source parts from China and justify Trump's tariffs as a homeland security issue.

But then the other conspiracy theorist in me feels that Apple is hiding the truth and their servers were hacked and don't want their stock prices to fall in the same quarter they just released an iPhone update.

All I know is that the truth is no longer out there...
 
Another shoe (not "the other shoe" as I suspect we will shortly have a whole shoe store...) just dropped this morning:

https://www.bloomberg.com/news/arti...ro-hardware-found-in-u-s-telecom?srnd=premium

MO is a bit different, this one was a modified network interface with a processor chip added. One visible difference is that metal was added to the sides of the Ethernet port to act as a heatsink. (And would plausibly be ignored on the assumption it was acting as RF shielding).

This one was found in a telecom company which was not named. However, the security researcher and security company that found it were. They came forward after the initial Bloomberg BusinessWeek report.

"AT&T Inc. spokesman Fletcher Cook said, “These devices are not part of our network, and we are not affected.” A Verizon Communications Inc. spokesman said “we’re not affected.” T-Mobile U.S. Inc. and Sprint Corp. didn’t respond to requests for comment. "

Also, the article above notes the first governmental security agency to come forward:

"In response to the Bloomberg Businessweek story, the Norwegian National Security Authority said last week that it had been "aware of an issue" connected to Supermicro products since June. It couldn’t confirm the details of Bloomberg's reporting, a statement from the authority said, but it has recently been in dialogue with partners over the issue."

The article reinforces what I had suspected, which is that there has been little scrutiny of hardware modifications by companies - it's just not something they routinely look for. They will be now, and I suspect a LOT of these hacks will now come out of the woodwork. And many more that will be successfully suppressed by the embarrassed victims.
 