bloomberg on supermicro: sky is falling

Naslund, Steve SNaslund at
Thu Oct 4 21:00:57 UTC 2018

It is definitely more desirable to try and tap a serialized data line than the parallel lines.  The thing that made me most suspicious of the article is why anyone would add a chip.  It requires power and connections that are highly detectable.  Motherboard designs are very complex in the characteristics of their data buses, so it is not so easy to just extend or tap into them without having negative effects (which brings the board under scrutiny that we don't want).  Why not embed our rogue chip inside the package of a chip that is already controlling the bus or memory we want to play with?  It would be really hard to detect without x-raying all of the system chipsets.

The other thing I am highly skeptical of is the suggestion of attempting to tap sensitive intel agency systems this way.  Talking to a C&C server from within their network is suicide.  How long do you think it would take them to detect a reach out to the Internet from inside?  How are you going to get the data from the outside back into their network?  You still have to defeat their firewalls to do it.  If this was targeted at a specialized video processing server, then would it not be unusual for it to be talking to some random IP address on the Internet?

Steven Naslund
Chicago IL

>Just theory - tapping on the same lines as the SPI flash (let's assume it is not 
>QSPI), so we are "in parallel", as a "snooper" chip.
>First - it can easily snoop by listening to MISO/MOSI/CS/CLK.
>When the required data pattern and block are detected during snooping, it can 
>remember the offset(s) of the required data.
>When, later, the BMC sends over MOSI a request for this "offset", we override the 
>BMC and force CS high (inactive), so the main flash chip will not answer, 
>and we answer instead of it with our own, different data from the "snooper".
>Voila... instead of root:password we get root:nihao
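The post's main argument is that an implant's reach out to the Internet from a single-purpose server would stand out. As an added example (not from the NANOG thread or either poster), the following Python sketches the kind of role-based egress check a network team would run over flow records to catch exactly that: each monitored server has a role and a (possibly empty) list of external networks it is expected to contact, and any flow from it to an external destination outside that list is reported. The server addresses, roles, allowlist, flow-record format and sample flows are all constructed for illustration.

```python
"""Role-based egress anomaly check over constructed flow records.

Constructed example; the hosts, roles, allowed networks and log format
below are hypothetical and chosen only to illustrate the check.
"""
import ipaddress
from dataclasses import dataclass

# Address space considered "inside" for this example (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed egress policy keyed by server IP: (role, external networks the
# role may legitimately contact). An empty set means no Internet egress at all,
# which is the expectation for a dedicated processing box.
EGRESS_POLICY = {
    "10.20.0.15": ("video-proc", set()),
    "10.20.0.16": ("update-proxy", {ipaddress.ip_network("203.0.113.0/24")}),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse one constructed flow record: 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow, policy=EGRESS_POLICY):
    """Return None if the flow is expected for the source's role, else a
    human-readable reason describing the unexpected external contact."""
    if flow.src not in policy:          # host not under policy: not evaluated here
        return None
    dst = ipaddress.ip_address(flow.dst)
    if is_internal(dst):                # east-west traffic is out of scope
        return None
    role, allowed = policy[flow.src]
    if any(dst in net for net in allowed):
        return None
    return (f"{role} host {flow.src} contacted external "
            f"{flow.dst}:{flow.dport}/{flow.proto} outside its allowlist")


def find_unexpected_egress(lines, policy=EGRESS_POLICY):
    """Run the check over an iterable of flow records; return the reasons."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        reason = classify(parse_flow(line), policy)
        if reason:
            findings.append(reason)
    return findings


# Constructed sample flows: DNS to an internal resolver, an unexplained
# HTTPS connection from the video box, a legitimate proxy fetch, an
# off-allowlist HTTP fetch from the proxy, and a host with no policy.
SAMPLE_FLOWS = [
    "10.20.0.15 10.20.0.1 53 udp",
    "10.20.0.15 198.51.100.7 443 tcp",
    "10.20.0.16 203.0.113.9 443 tcp",
    "10.20.0.16 198.51.100.7 80 tcp",
    "10.20.0.99 198.51.100.7 443 tcp",
]

if __name__ == "__main__":
    for finding in find_unexpected_egress(SAMPLE_FLOWS):
        print("ALERT:", finding)
```

On the constructed sample the check reports two flows: the video-processing host reaching 198.51.100.7 and the update proxy reaching a network it has no business with. In a real deployment the policy would be generated from inventory rather than hand-written, and the first such alert on a box that should never talk outbound is worth a look regardless of how benign the destination appears.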

More information about the NANOG mailing list