Chinese military spy chips reportedly found in server motherboards used by Apple, Amazon, etc

GasBandit

Staff member
Reactions
3,273 769 14
#1
Reactions
1,337 348 14
#2
It's not impossible, but of course without actual evidence it's harder to make the assertion.
There are some who are wondering if this hasn't been conflated with cases of Supermicro boards coming with malware-infested firmware installed, rather than actual embedded spy hardware.
I've been waiting for someone to start the "How can we trust boards manufactured by our enemies?" train rolling, maybe this will be it.
...assuming this isn't just propaganda to get everyone all riled up over Chinese manufacturing, that is.

You know who's really going to suffer for this? Supermicro.

--Patrick
 
Reactions
416 219 1
#3
This isn't another smokescreen to cover up the announcement that there's yet another un-announced capability in Intel's Management Engine Enabled chips which can allow outside access to your CPU, is it? Because I haven't seen anything in mainstream media yet about "manufacturing mode," but it's starting to leak out that Apple shipped at least some of their laptops with MM enabled, and concerns that there's no way to disable it once the device makes it to the end-user.
 
Reactions
1,337 348 14
#5
This isn't another smokescreen to cover up the announcement that there's yet another un-announced capability in Intel's Management Engine Enabled chips which can allow outside access to your CPU, is it?
No, the assertion is that actual spy ICs were substituted/added/embedded on boards during the actual manufacturing process, not after they left the factory (which suggests state-level involvement).
it's starting to leak out that Apple shipped at least some of their laptops with MM enabled, and concerns that there's no way to disable it once the device makes it to the end-user.
Huh, didn't even know about this. Looks like it was one of the things patched in 10.13.5, though (released June 2018).

--Patrick
 
Reactions
416 219 1
#6
No, the assertion is that actual spy ICs were substituted/added/embedded on boards during the actual manufacturing process, not after they left the factory (which suggests state-level involvement).

--Patrick
I know, I read Bloomberg fear piece - I was more talking about how whenever either Meltdown or Spectre was announced, immediately someone else struck back with "but what about these 6 vulnerabilities in AMD chips?"
 
Reactions
1,337 348 14
#7
...five of which require admin access to implement. Yeah, I remember.

--Patrick
 
Reactions
1,337 348 14
#8
Bloomberg: Unnamed US Telecom company also victim of hacked Supermicro motherboards
Bloomberg didn't name the company, citing a non-disclosure agreement between the unnamed telecom and the security firm it hired to scan its data centers. AT&T, Sprint and T-Mobile all told Ars they weren't the telecom mentioned in the Bloomberg post. Verizon and CenturyLink also denied finding backdoored Supermicro hardware in their datacenter
(Quote source)

Bloomberg: “We can’t name which one it is and we’re the only ones talking about this but trust us, it’s real.”

...did someone at Bloomberg short Supermicro stock hard, or what?

—Patrick
 
Last edited:
Reactions
1,337 348 14
#10
Reactions
416 219 1
#11
Some of the Internet's heaviest hitters have gone on record:

Amazon, Apple call for retraction of Bloomberg motherboard hacking story
Patrick Kennedy (of ServeTheHome.com) EXHAUSTIVELY demonstrates how implausible their claims are
Mike Masnick (of TechDirt.com) adds his two cents to Patrick's "detailed and thorough debunking" of the story

At this point, it's more likely the headline should read "Servers at Bloomberg.com infiltrated, hackers planted several fake stories," sheesh.

--Patrick
And this is why I remain highly sceptical whenever claims like this come out. Every time it's debunked, and (almost) every time it (seems to?) come(s) down to someone wanting to manipulate someone else' stock price.
 
Reactions
1,337 348 14
#12
Supermicro’s CEO, CCO, and CPO release letter (and video!) detailing the results of their 2-month long, 3rd-party validated audit. Spoiler alert! They found no evidence of tampered product, no evidence that anyone had tried to tamper with the product, and no reports from any customers comfirming the existence of any tampered product installed in the wild. Their stock value is still down 23% from what it was the day before the story broke, but that’s still better than the 41% it lost the day the article was released.

Now I guess the question is whether the SEC goes after Bloomberg for manipulation, Supermicro sues Bloomberg for damages due to defamation/libel, or...both?

—Patrick
 
Top