Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Hardware

Super Micro Says Review Found No Malicious Chips in Motherboards (reuters.com) 95

Computer hardware maker Super Micro Computer told customers on Tuesday that an outside investigations firm had found no evidence of any malicious hardware in its current or older-model motherboards. From a report: In a letter to customers, the San Jose, California, company said it was not surprised by the result of the review it commissioned in October after a Bloomberg article reported that spies for the Chinese government had tainted Super Micro equipment to eavesdrop on its clients.
This discussion has been archived. No new comments can be posted.

Super Micro Says Review Found No Malicious Chips in Motherboards

Comments Filter:
  • by lkcl ( 517947 ) <lkcl@lkcl.net> on Tuesday December 11, 2018 @09:28AM (#57785606) Homepage

    i fully expect the next news report to be, "Supermicro computers discovered in second audit to have been compromised by auditing company. The first audit company, itself secretly compromised by {insert government-of-paranoia-choice-here}, was found to have tampered with the master copies of the bootloader firmware, during its on-site privileged access to Supermicro's Headquarters".

    quis custodiet custodiens?

  • by david.emery ( 127135 ) on Tuesday December 11, 2018 @09:30AM (#57785620)

    On this story, and the previous stories on this topic, a lot of posters have doubted the denials from Super Micro, Apple, Facebook and the various government agencies. I suspect this independent audit won't convince them, either.

    So my question for the assembled multitude is this: What would be -sufficient proof- this didn't happen? Or is this one of those things where you won't accept any explanation from "the deep state"/"vested interests"/etc?

    This is a significant issue for tech in general, as we need some widely accepted way to show systems are free from hidden vulnerabilities.

    • by _bug_ ( 112702 ) on Tuesday December 11, 2018 @09:54AM (#57785756) Journal

      There's no proving a negative. Burden of proof is on Bloomberg and they don't have it. People who believe the Bloomberg story aren't going to be convinced of anything otherwise. It's like trying to argue a person's religious belief is 'not true'.

      • by timholman ( 71886 ) on Tuesday December 11, 2018 @10:04AM (#57785796)

        There's no proving a negative. Burden of proof is on Bloomberg and they don't have it.

        Exactly. Supposedly thousands of motherboards were compromised, and sold to multiple customers. The failure of Bloomberg (or anyone else) to produce a single compromised piece of hardware, or even a die photo of the supposed spy chip, says it all. There's no evidence to be found because it doesn't exist.

        Conspiracy believers aren't going to change their minds. But for everyone else in the industry, it has become blatantly clear that Bloomberg screwed up royally with this story.

        • by freeze128 ( 544774 ) on Tuesday December 11, 2018 @11:48AM (#57786488)
          I seem to remember a news story from almost a decade ago about a surreptitious monitoring chip installed in a laptop, connected to the laptop's keyboard. This may have been a targeted attack, and not an infiltration of the supply line. Personally, I believe the unknown keyboard chip wasn't any kind of listening device, but rather some compatibility device to make the keyboard work.

          I have some doubts about how a tiny "grain of rice sized chip" can both send and receive data on the wired ethernet port (differential signals) without actually BREAKING the lines and inserting itself into the path. Also, it wouldn't magically have FULL CONTROL of the PC, but would be able to only retransmit the data that was coming in/going out of the ethernet port to another ip address.
          • by lkcl ( 517947 )

            I have some doubts about how a tiny "grain of rice sized chip" can both send and receive data

            an RFID device uses the remote transmitter's power to charge up a capacitor sufficient to power the entire RFID processor, and the response transmitter (at very low power).

            an RFID transceiver plus its power circuit *and* the antenna would easily fit within a compromised ASIC, under the packaging case.

      • by sjames ( 1099 )

        Exactly this. Their only named source says he was speaking in the hypothetical and taken out of context, and multiple 3rd parties say they found nothing. Ni pictures, just artist's concepts obviously meant to be mistaken for pictures.

    • by tsqr ( 808554 )

      So my question for the assembled multitude is this: What would be -sufficient proof- this didn't happen? Or is this one of those things where you won't accept any explanation from "the deep state"/"vested interests"/etc?

      This is a significant issue for tech in general, as we need some widely accepted way to show systems are free from hidden vulnerabilities.

      “To one who has faith, no explanation is necessary. To one without faith, no explanation is possible.”

      St. Thomas Aquinas

    • It a shame that the burden of proof is on the injured party having the task of proving a negative.

      The SEC needs to investigate illegal Short and Distort stock scams. The FCC needs to enforce laws where media intentionally spread false reports.

      I dislike government oversight, but I dislike anarchy more.

      • I dislike government oversight, but I dislike anarchy more.

        What you're missing is that people only believe the Bloomberg reporter because they believe he fears retributive justice by the government (slander, libel, etc. laws) that could carry prison time.

        Absent that most people would assume everybody is full of bullshit without convincing evidence because private law solutions focus on restitutive mechanisms, not penal. If this turns out to be a short play then the profits would still be worth direct prova

        • You make excellent points.

          > At least the wise ones.
          On the surface, it seems wisdom is in short supply. Digging deeper it seems that people make logical choices based upon the information they are given. It is an unintended consequence of the Internet to see the decline in journalism. Media outlets are under intense pressure to survive and are making choices to run unsubstantiated stories that would never have been run more than 20 years ago, This is combined with more than half of people getting their
    • So my question for the assembled multitude is this: What would be -sufficient proof- this didn't happen?

      Proving or disproving a particular incident is irrelevant, what is relevant is proving that it's not possible for it to occur.

      This is a significant issue for tech in general, as we need some widely accepted way to show systems are free from hidden vulnerabilities.

      Absolutely. It can be done but it's very expensive because it requires making bug-free software and then releasing it for public review. Until then your best option is to use ultraparanoid computing which assumes the host system is compromised. The alternative is cross your fingers and wait for the CVE reports to roll in.

    • There isn't anything. Some people are just crazy.

      Obama shows his official birth certificate, and people (including the current us president) think it's fake

      • OK, here's a conspiracy theory. Why did Obama wait years to make the official birth certificate available for public inspection? He needed time to have a high quality forgery made.

    • by Anonymous Coward

      So...a tempest in a teapot, then.

      The original story mentioned an unnamed "security company" as the source. But no details. "Ongoing investigation" and "top secret" as reasons for this.
      There was a distinct fishy odor, but, hey, better safe than sorry, and they wouldn't have gone public if they hadn't found something, was my take. So yeah, I was suckered into the hysteria.

      What would have constituted proof? Well, for a start, good pictures of the offending chips and a marked up schematic of where they were

      • One suggestion for motivation is to drive prices of Super Micro, and tech in general, down. That certainly happened for Super Micro. Another is to cast doubt on tech, particularly Big Tech (and cloud vendors) in general. That could be for financial reasons, or it could be for propaganda/'engendering distrust" reasons.

        I'm not saying I necessarily believe either suggestion, but they're worth considering if one concludes the Bloomberg story was a deliberate plant, rather than just particularly shoddy journa

    • Generally bloomberg is pretty reliable so one wants to give them the benefit of the doubt. And they must think their sources reliable enough to make them worth protecting. But at this point is seems like they do need to defend their certainty more.

      Super micro presumably can only inspect the boards it has now not the boards it shipped. It could try recalling some of those but if the infiltration was selective and rare that might not be possible. For example if a few of the boards shipped to say, the NSA, whe

      • by EEmarty ( 795427 )
        That photo they showed was not the actual chip, just a mockup of what it might look like. They made that fact hard to find in the captions. For anything new to get uncovered with this story, one of the sources to the bloomberg story needs to come forward with more information. Or some other engineer from amazon/elemental/apple who was supposedly involved in the detection of the chip. The article was written like breaking news with the assumption that more information would imminently become public, but tha
      • by f00zbll ( 526151 )
        As others have pointed out, it was a photoshop and not a real photo. By law, they're supposed to turn that evidence over to the FBI. Since the FBI already said that it didn't happen and they have no evidence, I would say Bloomberg isn't reliable.

        This is the same Bloomberg that runs news story suggested by Wall Street elite to pump and dump stocks. This is the same Bloomberg that is the unofficial marketing arm of Wall Street. This is the same Bloomberg that has been saying regulations aren't needed anymor

    • They could start with a denial that is even a denial; when the headline says their review found no malicious chips "in" their motherboards, I assume they're telling me that the did find some on their motherboards.

    • What would be -sufficient proof- this didn't happen?

      Give it up man. The moon landing was filmed in a studio in LA, and the earth is flat.

  • It's pretty clear a big percent of the news papers based in NYC do shoddy reporting and in some cases, it's out right propaganda for Wall Street. If Bloomberg had proof, they should have produced it and given it to the FBI for verification.

    The biggest red flag on the Bloomberg report is it's a sorry hack attempt. To put an additional chip on a board that can easily be caught with automated visual scans (ie computer vision) is just sloppy and stupid. There are so many other ways to compromise a MB without l

  • ...the day that they broadcast a special command on the Internet. And blow up every Chinese capacitor on every motherboard.

  • Part of the propaganda war that is going on between US & China.
    Fake news (I do hate that cliche; smells bad).

    • by tlhIngan ( 30335 )

      Part of the propaganda war that is going on between US & China.
      Fake news (I do hate that cliche; smells bad).

      Except SuperMicro is a Taiwanese company. Sure Taiwan is in a weird place, claimed by China but considers itself independent, but most Taiwanese actually believe they are an independent country regardless of what the UN and other people say. (Plus, they have a real democracy and not a dictatorship).

      And the real articles are Apple and Amazon for those two were the ones first reported on by Bloombe

  • Why do you need chips when you can hide anything in firmware? Show me a single motherboard OEM which releases source code. Also, not only motherboards contain firmware, NICs and storage devices have them too. There are just too many places where you can hide something which makes your hardware easily exploitable.
    • Because the contents of the firmware are easy to audit. If you have customers that do factory inspections and pay for specific firmware to be installed, you can't hide anything there. You need something that isn't on the BOM to actually hide anything if you have big customers that send auditors.

  • Wait... so they couldn't detect them? This is getting scary!

The explanation requiring the fewest assumptions is the most likely to be correct. -- William of Occam

Working...