Last week, Bloomberg published an explosive article alleging that SuperMicro servers had been found with critical hardware-level compromises that could only have been inserted at the factory. The allegations sent shockwaves through the international tech community. Such attacks have been theoretically possible for years, but none are known to have actually occurred. But in the aftermath of the story, companies like Apple and Amazon, both implicated in the events in question, strenuously denied them. Those denials were backed by the Department of Homeland Security, while Bloomberg has defended its reporting, claiming to have spoken to 17 different sources both inside the companies in question and within the federal government. Neither side has blinked.
But Bloomberg isn’t just standing by its previous reporting. It’s pushing ahead. The organization notes that a US telecom discovered and removed manipulated SuperMicro servers from its network in August. Bloomberg spoke to security expert Yossi Appleboum, who worked for the telecom in question and reportedly provided documents, analysis, and additional evidence for his claims.
Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a SuperMicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.
The fight over whether these claims are true continues. SuperMicro, reached by Bloomberg for comment, stated:
The security of our customers and the integrity of our products are core to our business and our company values. We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry. We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found. We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations.
According to Bloomberg, the attacks detailed today aren’t identical to the earlier variants that were discussed but share certain key characteristics, namely: “They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a SuperMicro subcontractor in China.”
Appleboum was able to determine that the device was tampered with at the factory where it was manufactured, and that the hardware was built by a SuperMicro subcontractor in Guangzhou. The poisoned hardware was found in a facility with a number of SuperMicro servers deployed inside it, but it is not clear specifically what that server was being used for or what data it handled. Bloomberg notes that the analysis of the hardware it has found was handled by the FBI’s cyber and counterintelligence teams rather than Homeland Security, which may explain why DHS had no knowledge of the allegations. Appleboum claims to have consulted with firms outside the US, and they have confirmed to him that they’ve been tracking the manipulation of SuperMicro hardware for quite some time.
Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio’s software detected the implant is sound. One of the few ways to identify suspicious hardware is to look at the lowest levels of the network stack. That means not only the normal network transmissions, but also physical-layer and analog signals, such as power consumption, that can betray the presence of a covert piece of hardware.
In the case of the telecommunications company, Sepio’s technology detected that the tampered SuperMicro server actually appeared on the network as two devices in one. The legitimate server was communicating one way and the implant another, but because the implant’s traffic shared the legitimate server’s network identity, everything appeared to come from the same trusted server, and filters that trusted that identity let it through.
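The "two devices in one" symptom described above can be made concrete with passive TCP/IP stack fingerprinting: every operating system stack has habits (initial TTL, default window size, DF bit, TCP option layout), so a second stack speaking from the same MAC and IP address shows up as a second signature behind one address. The following is an added illustration written for this page; it is not Sepio's product or method, and the record format, field names and sample packets are constructed. Tools such as p0f do this kind of passive fingerprinting on live traffic.

```python
"""
Passive TCP/IP stack fingerprinting: flag a single source address that
presents more than one distinct stack signature.

Added illustration only. It is not Sepio's product or method; it shows
one generic way a "two devices behind one address" symptom could surface
in captured traffic. Field names and sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SynRecord:
    """Metadata from one TCP SYN as a passive sensor might record it (constructed format)."""
    src_mac: str
    src_ip: str
    ttl: int
    window: int
    df: bool
    tcp_options: str  # option layout in order, e.g. "MSS,SACK,TS,NOP,WS"


def initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value (64/128/255).

    A few hops of decrement must not change the signature; a different
    initial TTL usually means a different stack.
    """
    for base in (64, 128, 255):
        if ttl <= base:
            return base
    return 255


def fingerprint(rec: SynRecord) -> tuple:
    """Stack signature: initial TTL, window size, DF bit, TCP option layout."""
    return (initial_ttl(rec.ttl), rec.window, rec.df, rec.tcp_options)


def find_split_personalities(records):
    """
    Group SYNs by (MAC, IP). Return {(mac, ip): set_of_fingerprints} for
    every address that presented more than one distinct signature.
    """
    seen = defaultdict(set)
    for rec in records:
        seen[(rec.src_mac, rec.src_ip)].add(fingerprint(rec))
    return {addr: fps for addr, fps in seen.items() if len(fps) > 1}


# Constructed sample: a Linux-looking host (initial TTL 64, window 29200,
# DF set, full option set) plus a second stack with a different initial
# TTL, window and option layout speaking from the same MAC and IP.
SAMPLE = [
    SynRecord("00:11:22:33:44:55", "10.0.0.7", 63, 29200, True, "MSS,SACK,TS,NOP,WS"),
    SynRecord("00:11:22:33:44:55", "10.0.0.7", 62, 29200, True, "MSS,SACK,TS,NOP,WS"),
    SynRecord("00:11:22:33:44:55", "10.0.0.7", 127, 8192, False, "MSS,NOP,WS"),
    SynRecord("00:11:22:33:44:66", "10.0.0.8", 63, 29200, True, "MSS,SACK,TS,NOP,WS"),
]

if __name__ == "__main__":
    for addr, fps in find_split_personalities(SAMPLE).items():
        print(addr, "presents", len(fps), "distinct stacks:")
        for fp in sorted(fps):
            print("   ", fp)
```

Treat a hit as a lead, not proof: NAT, load balancers, virtual machines sharing a host NIC, and tunnels all legitimately put more than one stack behind one address, which is why a network-level anomaly like this one still needed the physical inspection of the connector that the article describes.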
Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. “The module looks really innocent, high quality and ‘original’ but it was added as part of a supply chain attack,” he said.
These details suggest an attack vector more plausible than a piece of equipment soldered to the motherboard or hidden inside the PCB. A component hidden inside an Ethernet jack would be far harder to spot in a visual inspection, and, as the telecom case shows, it took anomalous network behavior followed by a physical examination of the connector to find it. The new details should shed light on how the attack was supposedly carried out, helping to answer the questions of what took place and what needs to be done about it.