Security researcher source in Supermicro chip hack report casts doubt on story

A security researcher cited in a recent Bloomberg report on the alleged compromise of Supermicro hardware for the purposes of cyberespionage has cast doubt on the validity of the story.

Last Thursday, Bloomberg reported that Supermicro server hardware, used in supply chains worldwide, had been compromised through hardware implants designed to create backdoors into enterprise systems.

The publication said that 30 companies in total may have been affected, including Amazon, Apple, and a major bank.

The news sent Supermicro shares plummeting and was quickly followed by denials from the named companies.

AWS completely refuted the report and Steve Schmidt, Chief Information Security Officer, added that “there are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.”

Apple said the company has “never found malicious chips, hardware manipulations or vulnerabilities purposely planted in any server.”

Supermicro also denied the claims of the investigation, saying, “we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard.”

The enterprise players were then followed by the US Department of Homeland Security (DHS) and the UK National Cyber Security Centre (NCSC) from the Government Communications Headquarters (GCHQ) in denying the results of the investigation.

Now, a named source has also cast doubt on the validity of the report, which also contains 17 anonymous sources.

Joe FitzPatrick, the founder of Hardware Security Resources LLC, is one of the few named sources in the story and was asked to contribute due to his expertise in hardware.

However, in a podcast with Risky Business, the hardware security expert said the hardware backdoor described in the article “didn’t make sense.”

When asked about how such hardware implants work, FitzPatrick is quoted as saying, “the hardware opens whatever door it wants.”

In terms of his own attributed quote, the researcher said it was “factually accurate in some contexts,” adding:

“Hardware is a stepping stone. You put hardware in a device to help you persist the software, the malware.

You don’t put hardware in a device to do the whole attack, you put hardware in the device to unlock the keys, to elevate the privileges on the shell, to open the network port and then you take a software or network/remote approach to do the rest of the work.”

Speaking to the publication, FitzPatrick said he has been in contact with Bloomberg since last year but he was not given any concrete details on the story until last month.

“What really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked,” the researcher said.

FitzPatrick said he felt “uneasy” reading the report, commenting:

“I am just Joe. I do this stuff solo, I am building hardware implants for fun to show off at conferences, I’m not a professional at building hardware implants. […]

I feel like I have a good grasp of what is possible, what’s available, and how to do it, just from my practice — but it was surprising to me that in a scenario in which I would describe these things, and then he [Bloomberg] would go and confirm these things, 100 percent of what I described was confirmed by his sources.

Either I have excellent foresight or something else is going on.”

There are easier ways to conduct such attacks on a supply chain, including various hardware, software, and firmware approaches.

As an example, as described by FitzPatrick in an email exchange with a Bloomberg journalist, targeting baseboard management controllers (BMCs) with outdated firmware could be “just as stealthy and could be far less costly to design and implement.”

The theoretical approach discussed with Bloomberg is not “scalable or logical,” according to the hardware expert. When FitzPatrick queried the possibility and accuracy of an attack of such scale, in an emailed response, the journalist confirmed that it sounded “crazy,” but pointed out that “lots of sources” had corroborated the findings.

“I couldn’t rationalize in my head that this is the approach that anyone could take,” the researcher added.

FitzPatrick remains skeptical. Overall, FitzPatrick says that the publication’s technical details are “jumbled” — “not outright wrong, but they are theoretical.”

“I have my doubts on this one,” the researcher added.

At the time of writing, the Supermicro share price appears to be stabilizing and has climbed 19 percent to $14.75 since yesterday’s market close.
