Evidence of spy chips in Supermicro servers.
Where does a clever man hide a leaf? In the forest. Where does he hide a spy chip? In a server.
Just yesterday, an article was published on Habr stating that there is no evidence of spy hardware in Supermicro's products. Well, today that evidence has appeared: network security expert Yossi Appleboum found spy modules in the equipment of one of the largest telecommunications companies in the US.
Appleboum is one of the executives of Sepio Systems, a company specializing in hardware security. Fairly recently the company carried out a job for one of its clients (which one, Appleboum refused to say, as he is bound by an NDA) that had decided to check its equipment for vulnerabilities or implanted bugs.
Sepio Systems specialists discovered the problem component fairly quickly thanks to unusual network traffic. The component turned out to be an "implant" built into the server's Ethernet connector. Interestingly, according to Appleboum, he is not the first to encounter spy modules embedded in the Ethernet port, and they have been found not only in Supermicro equipment but also in the products of other companies, Chinese hardware manufacturers.
Based on his study of the "implant", the expert concluded that it had been installed during manufacturing, most likely at the factory where the company's servers are assembled. Supermicro's production facilities are located in Guangzhou, a little over a hundred kilometers from Shenzhen, which is called the "Silicon Valley of hardware".
Unfortunately, the experts were unable to fully determine what data the compromised hardware was transmitting or processing. It is also unknown whether the telecommunications company that hired Appleboum contacted the FBI, and which company it was is hard to tell. At the request of Bloomberg journalists, AT&T and Verizon representatives provided comments; both were denials, with the companies stating that no such checks had been carried out. Sprint gave the same answer, saying it does not purchase Supermicro equipment.
Incidentally, the method of introducing the spy implant is similar to one used by the NSA; the agency's methods have been covered repeatedly on Habr and elsewhere. Appleboum even called the module "an old acquaintance", since this way of embedding a module is found quite often in equipment coming from China.
Appleboum said he asked colleagues whether they had encountered similar modules, and they confirmed the problem, saying it is quite common. It is worth noting that modifications to hardware are very hard to notice, which is exactly what the intelligence agencies of many countries exploit. Billions of dollars are invested in the hardware backdoor industry. The United States has a secret program for developing such systems, as Snowden has already revealed, so why wouldn't the intelligence agencies of other countries develop spy hardware of their own?
China is one of the countries actively building up its own cybersecurity forces and, so to speak, "cyber attack" capabilities.
Three information security specialists described how they reviewed Appleboum's work and established how Sepio's software was able to pinpoint the hardware backdoor. One method is to analyze low-level traffic, which means studying not only digital data transmissions but also analog signals, for example the power consumption of devices. If consumption is even fractionally higher than it should be, that is cause for concern.
The Sepio method made it possible to determine that what was connected to the network was not a single device: the server transmitted data in one way, and the chip did so slightly differently. Because the chip's traffic appeared to come from a trusted source, it passed through the security system's filters.
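The two detection ideas in the paragraphs above, a second network stack speaking from a trusted address and a small but sustained rise in power draw, can be checked from passive data alone. The following Python is an added example written for this article; it is not Sepio's code or the method it actually uses. The record layout, the constructed SYN samples and power readings, and the 3-sigma threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of passively observed TCP SYNs from a server's management
# port: (src_mac, src_ip, initial_ttl, tcp_window, dst_ip). A single host stack
# is consistent in TTL and window; a second stack hiding behind the same
# connector shows up as a second (ttl, window) tuple from the same address.
SAMPLE_SYNS = [
    ("aa:bb:cc:00:00:01", "10.0.0.5", 64, 29200, "10.0.0.100"),
    ("aa:bb:cc:00:00:01", "10.0.0.5", 64, 29200, "10.0.0.101"),
    ("aa:bb:cc:00:00:01", "10.0.0.5", 64, 29200, "10.0.0.100"),
    ("aa:bb:cc:00:00:01", "10.0.0.5", 128, 8192, "198.51.100.7"),  # assumed implant stack
    ("aa:bb:cc:00:00:02", "10.0.0.6", 64, 29200, "10.0.0.100"),
    ("aa:bb:cc:00:00:02", "10.0.0.6", 64, 29200, "10.0.0.101"),
]

# Constructed power readings in watts: a baseline taken from identical, known-good
# units and a window of readings from the unit under test.
BASELINE_WATTS = [210.0, 211.5, 209.8, 210.4, 210.9, 209.6]
SUSPECT_WATTS = [213.0, 213.4, 212.9, 213.2]
CLEAN_WATTS = [210.2, 210.6, 209.9, 210.5]


def stack_fingerprints(syns):
    """Collect the distinct (ttl, window) tuples seen from each (mac, ip)."""
    fps = defaultdict(set)
    for mac, ip, ttl, window, _dst in syns:
        fps[(mac, ip)].add((ttl, window))
    return fps


def hosts_with_multiple_stacks(syns):
    """Addresses that present more than one TCP/IP stack signature.

    A trusted address is allowed through the filters, so the filters never see
    the anomaly; only comparing the host against itself reveals it.
    """
    return sorted(addr for addr, fps in stack_fingerprints(syns).items() if len(fps) > 1)


def destinations_per_stack(syns):
    """Map each (mac, ip, ttl, window) signature to the destinations it talked to,
    so an analyst can see where the second stack is sending its traffic."""
    dests = defaultdict(set)
    for mac, ip, ttl, window, dst in syns:
        dests[(mac, ip, ttl, window)].add(dst)
    return {k: sorted(v) for k, v in dests.items()}


def power_anomaly(baseline_watts, observed_watts, threshold_sigma=3.0):
    """Flag a sustained draw above the baseline.

    Uses a z-score of the observed mean against the baseline distribution;
    averaging the observed window first suppresses single-sample noise so that
    a small but constant extra load (an always-on chip) still stands out.
    """
    mu = mean(baseline_watts)
    sigma = pstdev(baseline_watts) or 1e-9  # avoid division by zero on a flat baseline
    z = (mean(observed_watts) - mu) / sigma
    return z > threshold_sigma, round(z, 2)


def audit(syns, baseline_watts, observed_watts):
    """Combine both signals into one report for the unit under test."""
    flagged, z = power_anomaly(baseline_watts, observed_watts)
    return {
        "multi_stack_hosts": hosts_with_multiple_stacks(syns),
        "power_flagged": flagged,
        "power_z": z,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SYNS, BASELINE_WATTS, SUSPECT_WATTS))
    print(destinations_per_stack(SAMPLE_SYNS))
```

Neither signal is conclusive on its own: a host may legitimately change stacks after an OS upgrade, and power draw varies with load. The value of the approach is the combination, a second stack on a known-good address together with a draw that does not track the workload, which is the same pairing the article attributes to Sepio's analysis.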
Visually, the location of the chip was determined (later, once its existence was known) by examining the Ethernet ports. The spy connector had metal edges rather than plastic; the metal was needed to dissipate the heat generated by the chip inside, which acted as an independent computing unit. According to Appleboum, the module arouses no suspicion: unless you know exactly what it is, you will not suspect anything.
Many cybersecurity experts say hardware backdoors are "more than real". As technology has developed, spy modules have been miniaturized so far that a "spy" can now be added to practically any equipment, and it is simply impossible to detect with conventional methods; special software, knowledge and experience in this area are needed. Most often, the modules replace components that have their own power supply, which is enough for the "spy" to operate.
It should be noted that hardware backdoors are nothing new; many companies, large and small, are dealing with this problem, not always publicly. But most often systems of this type are used to obtain the state secrets of various countries; user data is a distant concern by comparison.
Incidentally, businesses worldwide spend around $100 billion a year fighting cyber threats, and only a small fraction of that is spent on the threat described above.