bloomberg on supermicro: sky is falling

Naslund, Steve SNaslund at
Thu Oct 4 21:28:47 UTC 2018

Quite different really.  FIREWALK is really an intercept device to get data out of a firewalled or air gapped network.  The exploit Bloomberg describes would modify or alter data going across a server’s bus.  The big difference is the Bloomberg device needs command and control and a place to dump the tapped data to over the server’s network connection.  That device is not going to be able to do so out of any classified military network I have ever worked on.  Or anyone with a halfway decent firewall (which I would assume Apple and Amazon would have for the internal servers).  I think this article is unlikely to be true for the following reasons :

1.       Separate chip is much more detectable physically than an altered chipset that is already on the board.

2.       Requires motherboard redesign to get access to power and buses needed (again easily detectable during any design mods “hey does anyone know what these are for?”)

3.       Does not have onboard communications so it will be sending data traffic on the network interfaces (will definitely trigger even the most rudimentary IDP systems).    It relies on these backbone Internet companies and Intelligence agencies to have absolutely abysmal security on their networks to be at all useful.

4.       Parts would have to be brought into the plant, stored somewhere, and all the internal systems would need a trail of  where the part came from, how ordered it, where it is warehoused, loaded into pick/place, etc.  Much better to compromised an existing chips supply chain.

Does anyone think that someone somewhere is trying to kill Supermicro?  They sure have had a lots of bad news lately.

Steven Naslund
Chicago IL

>To me this looks like a Chinese version of the NSA FIREWALK product. Which is a network implant built into a RJ45 jack intended to be soldered onto a motherboard. The FIREWALK info came out with the Snowden leaks in 2013 and the tech was >years old at that time.
>I am not able to say a lot more, but when I worked for a major defence contractor in 2006-2007 in Afghanistan, building WAN links in and out of the country by satellite, hardware implants were found in equipment. Not our equipment, but it was close >enough to our operations that we were briefed on it and made aware.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list