bloomberg on supermicro: sky is falling

Denys Fedoryshchenko denys at
Thu Oct 4 20:46:00 UTC 2018

On 2018-10-04 23:37, Naslund, Steve wrote:
> I was wondering about where this chip tapped into all of the data and
> timing lines it would need to have access to.  It would seem that
> being really small creates even more problems making those
> connections.  I am a little doubtful about the article.  It would seem
> to me better to create a corrupted copy of something like a front side
> bus chipset, memory controller or some other component that handles
> data lines than to create a new component that would then require a
> motherboard redesign to integrate correctly.  It would seem that as
> soon as the motherboard design was changed someone would wonder "hey,
> where are all those data lines going?"  It would also require fewer
> people in on the plan to corrupt or replace a device already in the
> design.  All you need is a way to intercept the original chip supply
> and insert your rogue devices.
> On the opposite side of the argument, does anyone think it is strange
> that all of the companies mentioned in the article, along with the PRC,
> managed to get a simultaneous response back to Bloomberg?  Seems
> pretty pre-calculated to me.  Or did some agency somewhere tell
> everyone they had better shut up about the whole thing?
> Steven Naslund
> Chicago IL
Just a theory: tapping the same lines as the SPI flash (let's assume it is not
QSPI), so we are "in parallel", as a "snooper" chip.
First, it can easily snoop by listening to MISO/MOSI/CS/CLK.
When the required data pattern and block are detected during snooping, it can
remember the offset(s) of the required data.
When, later, the BMC sends a request for this "offset" over MOSI, we override the
BMC and force CS high (inactive), so the main flash chip will not answer,
and we answer instead of it with our own, different data from the "snooper".
Voila... instead of root:password we get root:nihao
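As an added illustration, not code from the thread or its author: a decoder for a constructed logic-analyzer capture taken at the flash chip's pins, which flags a READ that was answered while the flash's own CS pin was inactive, the tell-tale of the override described above. The capture format, the `decode_reads`/`find_spoofed_reads` helpers, the offset 0x010000 and the sample strings are all assumptions.

```python
# Added example, not from the thread: decode SPI NOR READ (0x03) transactions
# from a constructed logic-analyzer capture at the flash chip's pins and flag
# data that was clocked out while the flash's own CS pin was inactive. A genuine
# flash only drives MISO while its CS is low, so a read answered with CS high
# means something else on the bus supplied the bytes. Pin naming, the sample
# format and all values below are assumptions made for this illustration.

READ_OPCODE = 0x03  # standard SPI NOR "READ" command: opcode + 24-bit address

def decode_reads(samples):
    """samples: per clocked byte a tuple (cs_at_flash, mosi, miso), where
    cs_at_flash is the level on the flash's CS pin (1 = deselected); None marks
    the BMC deasserting its CS, i.e. the end of a transaction.
    Returns one dict per READ transaction."""
    reads, cur = [], []
    for s in samples + [None]:
        if s is not None:
            cur.append(s)
            continue
        if len(cur) >= 4 and cur[0][1] == READ_OPCODE:
            addr = (cur[1][1] << 16) | (cur[2][1] << 8) | cur[3][1]
            reads.append({
                "addr": addr,
                "data": bytes(b[2] for b in cur[4:]),
                # any byte clocked while the flash was deselected is anomalous
                "cs_violation": any(cs == 1 for cs, _, _ in cur),
            })
        cur = []
    return reads

def find_spoofed_reads(samples):
    """Return (addr, data) for reads whose data cannot have come from the flash."""
    return [(r["addr"], r["data"]) for r in decode_reads(samples) if r["cs_violation"]]

def make_read(addr, payload, flash_cs_during_data):
    """Constructed capture of one READ; MISO idles high (0xFF) during the command."""
    hdr = [(0, READ_OPCODE, 0xFF), (0, (addr >> 16) & 0xFF, 0xFF),
           (0, (addr >> 8) & 0xFF, 0xFF), (0, addr & 0xFF, 0xFF)]
    return hdr + [(flash_cs_during_data, 0x00, b) for b in payload] + [None]

# Constructed capture: a legitimate read of a credentials block, then the same
# offset read again with the flash deselected during the data phase and
# different bytes appearing on MISO.
CAPTURE = (make_read(0x010000, b"root:password", 0)
           + make_read(0x010000, b"root:nihao", 1))

if __name__ == "__main__":
    for addr, data in find_spoofed_reads(CAPTURE):
        print(f"read at 0x{addr:06X} answered while flash CS inactive: {data!r}")
```

A capture probed at the BMC side would not show the violation, since the BMC's own CS stays asserted; the probe has to sit on the flash package's CS pin.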
