The Enemy Camped in Your Server
Last week got off to a sensational start with reports of custom chips discovered on Supermicro server boards, allegedly designed to smuggle malware into companies. Apple, Amazon and dozens of other top companies are claimed to be affected. What exactly happened? Reporters from Bloomberg published a story claiming that the Chinese military had persuaded a Chinese contractor to install tiny additional chips on Supermicro server boards, capable of injecting malicious code into the communication between the bus interface and the processor. These compromised boards are said to have been used by Apple, Amazon and a number of other well-known companies in their servers until Amazon discovered the chips during an external audit.
It almost sounds too shocking to be true, and the categorical denials from the companies named leave little room for speculation. Still, the story is detailed and internally consistent, and it comes from Bloomberg, which has an excellent reputation for well-researched and knowledgeable reporting. Nor would the Chinese be the first to manipulate new hardware before it reaches the customer: as the world knows thanks to Edward Snowden, the NSA was also happy to intercept and manipulate routers before delivery.
Reactions to the alleged Supermicro hack are still cautious; too many details of the story cannot yet be verified externally. But whether the Chinese really have abused their position as the world's manufacturing hub to further national interests matters less than the fact that the Americans demonstrably did the same thing for years. Unfortunately, all that can safely be said is that care needs to be taken wherever an IT manufacturer's products may have been manipulated in the supply chain. Especially with infrastructure components, the prospect of gaining access to valuable information through a few changes that sidestep every security measure is simply too tempting.
Before we start seeing spooks everywhere, let's bear in mind that the hack did not get past every security check, otherwise it would not have been discovered. Many perimeter measures would have failed to detect the implant itself, but any intercepted data still has to leave the data center to reach the attacker. And this is exactly where the external auditors found what they were looking for: unexplained network activity and problems with firmware updates led to the discovery of the hack. This shows once again that information security hinges on how IT is operated rather than on the products themselves. Once the suspicious network activity was detected, IT security specialists were able to stop even a sophisticated and well-planned attack. Any company that does not take a closer look at its outgoing traffic after the Bloomberg report has learned nothing. We might also learn from this incident by taking more interest in the IT supply chain and relying on trusted partners from countries with a leading reputation for strong IT security, such as Germany.
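The egress check the last paragraph calls for, as an added example that is not part of the original article: a small Python script that compares the current window of outbound connection records against a known-good baseline window and flags any server-management (BMC/IPMI) address that contacts an external destination other than an assumed vendor update mirror, as well as any host reaching a destination that never appeared in its baseline. The management subnet (10.10.0.0/24), the mirror address (203.0.113.10), the record format and every log line below are constructed assumptions for illustration, not data from the Bloomberg report.

```python
"""Egress-anomaly check over outbound connection records.

Added example, not from the original article. Records are assumed to be
whitespace-separated: timestamp src dst dport bytes_out. All addresses and
log lines are constructed; 198.51.100.0/24 and 203.0.113.0/24 are
documentation ranges standing in for the public internet.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set

# Assumption: BMC/IPMI interfaces live on this subnet and may only talk to
# the vendor firmware mirror on the public internet, nothing else.
MGMT_NET = ip_network("10.10.0.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_EXTERNAL_FOR_MGMT = {"203.0.113.10"}   # assumed update mirror


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one record: ts src dst dport bytes_out."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), int(nbytes))


def is_internal(ip: str) -> bool:
    """True if the address belongs to one of our own ranges (east-west traffic)."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each source host to the destinations it reached in a known-good window."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        baseline[f.src].add(f.dst)
    return baseline


def find_suspicious_egress(baseline: Dict[str, Set[str]], lines: List[str]) -> List[dict]:
    """Return one finding per (src, dst, reason) for outbound flows the baseline
    does not explain. Management hosts are held to the allow list regardless of
    baseline, because a BMC talking to an unknown host is never normal."""
    findings: List[dict] = []
    seen = set()
    for line in lines:
        f = parse_flow(line)
        if is_internal(f.dst):
            continue  # only traffic leaving the site matters here
        src_is_mgmt = ip_address(f.src) in MGMT_NET
        new_dst = f.dst not in baseline.get(f.src, set())
        if src_is_mgmt and f.dst not in ALLOWED_EXTERNAL_FOR_MGMT:
            reason = "management host contacting unsanctioned external destination"
        elif new_dst:
            reason = "destination not in baseline"
        else:
            continue
        key = (f.src, f.dst, reason)
        if key in seen:
            continue
        seen.add(key)
        findings.append({"src": f.src, "dst": f.dst, "dport": f.dport, "reason": reason})
    return findings


# Constructed sample data: a quiet week used as baseline, then a later window.
BASELINE_LOG = [
    "2018-10-01T00:00:01 10.0.1.5 198.51.100.20 443 5120",   # app server to CDN
    "2018-10-01T00:00:02 10.10.0.7 203.0.113.10 443 2048",   # BMC to update mirror
    "2018-10-01T00:00:03 10.0.1.5 10.0.2.9 5432 900",        # app server to internal DB
]
CURRENT_LOG = [
    "2018-10-08T03:12:01 10.0.1.5 198.51.100.20 443 6000",   # known destination
    "2018-10-08T03:12:02 10.10.0.7 203.0.113.10 443 1500",   # BMC to mirror, sanctioned
    "2018-10-08T03:12:05 10.10.0.7 198.51.100.77 443 3900",  # BMC to unknown host
    "2018-10-08T03:12:09 10.0.1.5 198.51.100.99 53 120",     # app server to new host
    "2018-10-08T03:12:11 10.0.1.5 10.0.2.9 5432 800",        # internal, ignored
]


def run_example() -> List[dict]:
    """Apply the check to the constructed logs; expect two findings."""
    return find_suspicious_egress(build_baseline(BASELINE_LOG), CURRENT_LOG)


if __name__ == "__main__":
    for finding in run_example():
        print(f"{finding['src']} -> {finding['dst']}:{finding['dport']}  {finding['reason']}")
```

The point of the two-tier rule is the one the paragraph makes: a management controller has no business reaching anything but its update source, so it is judged against a fixed allow list, while ordinary servers are judged against what they did last week. In practice the baseline would come from flow exports or firewall logs over a longer window, and the findings would be fed to a ticketing system rather than printed.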