Chinese Supply-Chain Attack on Computer Systems

Started by al_infierno, February 22, 2021, 04:37:22 PM


al_infierno

https://www.schneier.com/blog/archives/2021/02/chinese-supply-chain-attack-on-computer-systems.html

I used to work at Supermicro (worst work experience of my life) so I have to admit this news is rather amusing to me.  Loads of links in the article with further details for anyone interested.

Quote: Bloomberg News has a major story about the Chinese hacking computer motherboards made by Supermicro, Levono, and others. It's been going on since at least 2008. The US government has known about it for almost as long, and has tried to keep the attack secret:

Quote: China's exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter. That included an FBI counterintelligence investigation that began around 2012, when agents started monitoring the communications of a small group of Supermicro workers, using warrants obtained under the Foreign Intelligence Surveillance Act, or FISA, according to five of the officials.

There's lots of detail in the article, and I recommend that you read it through.

This is a follow on, with a lot more detail, to a story Bloomberg reported on in fall 2018. I didn't believe the story back then, writing:

Quote: I don't think it's real. Yes, it's plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.

I seem to have been wrong. From the current Bloomberg story:

Quote: Mike Quinn, a cybersecurity executive who served in senior roles at Cisco Systems Inc. and Microsoft Corp., said he was briefed about added chips on Supermicro motherboards by officials from the U.S. Air Force. Quinn was working for a company that was a potential bidder for Air Force contracts, and the officials wanted to ensure that any work would not include Supermicro equipment, he said. Bloomberg agreed not to specify when Quinn received the briefing or identify the company he was working for at the time.

    "This wasn't a case of a guy stealing a board and soldering a chip on in his hotel room; it was architected onto the final device," Quinn said, recalling details provided by Air Force officials. The chip "was blended into the trace on a multilayered board," he said.

    "The attackers knew how that board was designed so it would pass" quality assurance tests, Quinn said.

Supply-chain attacks are the flavor of the moment, it seems. But they're serious, and very hard to defend against in our deeply international IT industry. (I have repeatedly called this an "insurmountable problem.") Here's me in 2018:

Quote: Supply-chain security is an incredibly complex problem. US-only design and manufacturing isn't an option; the tech world is far too internationally interdependent for that. We can't trust anyone, yet we have no choice but to trust everyone. Our phones, computers, software and cloud systems are touched by citizens of dozens of different countries, any one of whom could subvert them at the demand of their government.

We need some fundamental security research here. I wrote this in 2019:

Quote: The other solution is to build a secure system, even though any of its parts can be subverted. This is what the former Deputy Director of National Intelligence Sue Gordon meant in April when she said about 5G, "You have to presume a dirty network." Or more precisely, can we solve this by building trustworthy systems out of untrustworthy parts?

    It sounds ridiculous on its face, but the Internet itself was a solution to a similar problem: a reliable network built out of unreliable parts. This was the result of decades of research. That research continues today, and it's how we can have highly resilient distributed systems like Google's network even though none of the individual components are particularly good. It's also the philosophy behind much of the cybersecurity industry today: systems watching one another, looking for vulnerabilities and signs of attack.

It seems that supply-chain attacks are constantly in the news right now. That's good. They've been a serious problem for a long time, and we need to take the threat seriously. For further reading, I strongly recommend this Atlantic Council report from last summer: "Breaking trust: Shades of crisis across an insecure software supply chain."
A War of a Madman's Making - a text-based war planning and political survival RPG

It makes no difference what men think of war, said the judge.  War endures.  As well ask men what they think of stone.  War was always here.  Before man was, war waited for him.  The ultimate trade awaiting its ultimate practitioner.  That is the way it was and will be.  That way and not some other way.
- Cormac McCarthy, Blood Meridian


If they made nothing but WWII games, I'd be perfectly content.  Hypothetical matchups from alternate history 1980s, asymmetrical US-bashes-some-3rd world guerillas, or minor wars between Upper Bumblescum and outer Kaboomistan hold no appeal for me.
- Silent Disapproval Robot


I guess it's sort of nice that the word "tactical" seems to refer to some kind of seriousness during your moments of mental clarity.
- MengJiao

Gusington



Glory to Ukraine!

We can't live under the threat of a c*nt because he's threatening nuclear Armageddon.

-JudgeDredd

al_infierno

Lol. I guess Mr. Schneier did not pass his copyediting classes.

Gusington

For all I know there could be a 'Levono' computer company out there. But if he meant 'Lenovo' who knows what else is wrong. Not that the Chinese are not uber cyber warlords. But you know what I'm saying.



Staggerwing

Wasn't there a similar incident with (IIRC) Linksys routers a decade or so ago?
Do you know yet, or what? -Voluspa

Nothing really rocks and nothing really rolls and nothing's ever worth the cost...

"Don't you look at me that way..." -the Abyss
 
'When searching for a meaningful embrace, sometimes my self respect took second place' -Iggy Pop, Cry for Love

... this will go down on your permanent record... -the Violent Femmes, 'Kiss Off'-

"I'm not just anyone, I'm not just anyone-
I got my time machine, got my 'electronic dream!"
-Sonic Reducer, -Dead Boys

demjansk1942


Sir Slash

And no threat at all that they'll 'Eat our Lunch'.
"Take a look at that". Sgt. Wilkerson-- CMBN. His last words after spotting a German tank on the other side of a hedgerow.