Announcing The Supermicro Spy Chip Sequel


Bloomberg Doubles Down On Their Story From 2018

If you thought the story about the mysterious and possibly invisible spy chip Bloomberg reported on a couple of years back would peter out after they failed to present much in the way of evidence, then you are going to be disappointed by their recent follow-up article. It continues to allege the existence of secretly added malicious chips and adds a new facet, accusing the Chinese government of hiding code in the spare memory of BIOS chips on the motherboards. This additional code is reported to “load into the machine’s main memory” and run a service which would then phone home to somewhere.

As evidence that this could happen they cite three previously discovered attacks: the 2010 discovery that thousands of DoD computers were sending military network data to China; the 2014 attack against Intel, in which a Chinese-based hacking group compromised one of their supplier’s update sites to gain access to their network; and a 2015 FBI warning to a large number of corporations that an extra chip with back-doored code had been installed on certain server motherboards.

Those three cited incidents did indeed happen, and Bloomberg also missed dozens of other examples over the years, but there is a difference between those examples and the story which Bloomberg published. In each of those three cases the code, or hardware, was discovered and evidence was published. The exact details were not fully revealed to protect certain architectural details or proprietary code, but enough was published for security researchers to confirm the code existed and could do what was claimed.

In Bloomberg’s article we have none of these details, nor have they offered evidence of the existence of the extra chip added to Supermicro boards, which is why Supermicro’s response to their follow-up story is rather dismissive. This kind of attack has occurred in the past and carries on today; however, offering accusations without any proof not only makes the jobs of security professionals more difficult but also obfuscates the very real vulnerabilities currently being leveraged.

The Register has details here if you don’t want to deal with Bloomberg’s paywall.