The lack of (publicly available) evidence is annoying, since there are a lot of people who'd love to check their own servers. As this is an attack directed at high profile targets it's unlikely the average size company will have ended up with one of those, but it's still a fun exercise IMO.
It would also be great to know what the attribution is based on. Just the fact that they're manufactured in China? Who else might get their hands on these devices in the shipping chain? What kind of traffic did they monitor? I guess just observing it's talking to a Chinese address doesn't tell much. I mean, just take an S3 bucket and dump your stuff in there. Setting up your own server in your home country pretty much screams "we're here!"
> I'm now wondering if someone found an NSA implant and misreported it as Chinese. We're going to end up in the stupid situation where people are afraid to report foreign intelligence attacks because it's illegal to report an attack by US intelligence agencies, aren't we?
That's pretty tinfoily, but it'd be a cool way to still report on it. "Whoopsie, I totally thought it wasn't you guys, sorry for disclosing"
"Who else might get their hands on these devices in the shipping chain?"
From the original Businessweek article:
"Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China."
"Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China."
That's interesting. As someone who has bought hundreds of thousands of dollars of gear from Supermicro (and has been a huge fan of their products and designs) I always thought their chassis were their core product.
Recently SM started to go down the "you can't buy our JBOD chassis without buying them full of our qualified drives" ... I knew that was the end of the golden age (of SM).
Luckily this coincided with the introduction of the 60bay HGST JBOD chassis. We haven't looked back.
> Luckily this coincided with the introduction of the 60bay HGST JBOD chassis. We haven't looked back.
Yes, these units are stellar and anyone buying Supermicro JBOD units should be looking into these as much better replacements. If you have volume they can be even more competitive than Supermicro if you push.
One very, very small gripe is that the HGST JBODs have no power switch. You power them on and off by inserting or yanking the power cables. Not my favorite SOP ...
Is that a real thing? Holy cow, I'm shocked (bad pun intended). What about adding an inline switch in the cord? Unless they expect everyone to be using a managed power system where each plug can be turned on/off, this just seems very odd decision to make.
As someone that flipped the power switch on a rack mounted machine by accident before, I could see how a power button or switch would be consitered a liability more than a benefit, especially when the solution (pull the power cable) is simple, foolproof, and doesn't happen that often to warrant optimizing!
I have to assume we'll start to see a rise in American high tech manufacturing for security purposes alone. Some of these companies may want to manufacturer these critical components themselves, maybe even hand deliver them from their US factory to their customers in the US too.
I know that some refineries do direct delivery for some of their large customers, especially industrial lubricants and other by-products. If the order is big enough, or someone wants to pay the premium, then direct delivery could be very feasible for tech too.
It's
odd to me to assume that people should trust US-based supply chains. We
know that the NSA has done supply chain attacks in the past[1], while in
this case we only have allegations of China doing the same (don't get
me wrong, I wouldn't be surprised if China did this, I'm just saying we
have more evidence for the NSA doing it).
Personally, as someone outside the US, I would gladly trust alleged
Chinese malware over known NSA malware. Or even better, literally any
other country outside the 5-eyes.
Is there any way to solve this problem without needing a "trusted manufacturer"?
I know it won't probably won't apply to general purpose motherboards or devices, but is there a way to design or build some components or devices in a way that you can verify that they can perform their purpose and nothing more?
If we start with that concept, and slowly build up "verifiably secure" components, they can be the islands of security that we can build off of without having to worry if the manufacturing plant left their door open one day and some random person was able to sneak in.
What happens when your attacker knows how your safeguards work and can route around your door though the windows?
For a motivated and well funded attacker who has an ability to manufacture a replacement chip with an additional coprocessor that can siphon or modify data from the main processors, network cards, and baseband modems, short of decapping every chip and component that comes through your assembly line your resources would be better spent on establishing trust mechanisms with your suppliers and the transportation couriers touching your devices before the end user acquires it.
My thought was it would be something that would get more secure the more knew about it, similar to math proofs or cryptography code.
A way to verify a chip is working as expected in a way that it can't be gamed without breaking multiple fundamental proofs, so that you won't need to worry as much about who makes it, just that it "passes the tests". (and you'd probably need a system to validate the validators, but splitting up the people involved means it is significantly harder to hack multiple products to all have them falsely verify each other)
Obviously I have no idea what I'm talking about and am just kind of musing at the idea, but trying to secure the whole supply chain from digging materials out of the ground all the way until it is in the hands of the consumer seems like an exercise in futility. You'll never be able to secure it in all cases, and like you said a truly motivated attacker is going to be able to break the chain (even if it means threatening a handful of people with death so you can get 5 minutes alone with a board).
It would also be great to know what the attribution is based on. Just the fact that they're manufactured in China? Who else might get their hands on these devices in the shipping chain? What kind of traffic did they monitor? I guess just observing it's talking to a Chinese address doesn't tell much. I mean, just take an S3 bucket and dump your stuff in there. Setting up your own server in your home country pretty much screams "we're here!"
> I'm now wondering if someone found an NSA implant and misreported it as Chinese. We're going to end up in the stupid situation where people are afraid to report foreign intelligence attacks because it's illegal to report an attack by US intelligence agencies, aren't we?
That's pretty tinfoily, but it'd be a cool way to still report on it. "Whoopsie, I totally thought it wasn't you guys, sorry for disclosing"