bloomberg on supermicro: sky is falling
SNaslund at medline.com
Thu Oct 4 21:00:57 UTC 2018
It is definitely more desirable to try and tap a serialized data line than the parallel lines. The thing that made me most suspicious of the article is why would anyone add a chip. It requires power and connections that a highly detectable. Motherboard designs are very complex in the characteristics of data buses so it is not so easy to just extend or tap into them without having negative effects (which brings the board under scrutiny that we don't want). Why not embed our rogue chip inside the case of a chip that is already controlling the bus or memory we want to play with? It would be really hard to detect without x-ray of all of the system chipsets.
The other thing I am highly skeptical of is the suggestion of attempting to tap sensitive intel agency systems this way. Talking to a C&C server is suicide from within their network. How long do you think it would take them to detect a reach out to the Internet from inside? How are you going to get the data from the outside back into their network? You still have to defeat their firewalls to do it. If this was targeted to specialized video processing server then would it not be unusual for them to be talking to some random IP address on the Internet?
>Just theory - tapping on same lines as SPI flash (let's assume it is not
>QSPI), so we are "in parallel", as "snooper" chip.
>First - it can easily snoop by listening MISO/MOSI/CS/CLK.
>When required data pattern and block detected during snooping, it can
>remember offset(s) of required data.
>When, later, BMC send over MOSI request for this "offset", we override
>BMC and force CS high (inactive), so main flash chip will not answer,
>and answer instead of him our, different data from "snooper".
>Voila... instead of root:password we get root:nihao
More information about the NANOG