China Embedded Spy Chips On Supermicro Motherboards

Not sure I'm buying it. Phoning home would've been caught long ago. Or were only specific Supermicro boards targeted that went to a few chosen companies? Otherwise, I don't see how this could've been kept secret seeing how much market share Supermicro has.

Looks like primarily limited to Elemental server line. Makes sense. PRC probably doesn't care about the average American's Porn collection but does want to learn how to build their own iProducts and how Amazon's AWS works. If you have the real blueprints for the iPhone, sure makes it easier to add such a chip to the China made parts before they are shipped to the US and knowing the internals of AWS makes infiltration that much easier.
 
Do they have such detailed knowledge in the factory on which boards end up where? Or is there a custom SM design for Elemental specifically?
 
From the article, which is LONG.. it appears that the 3 main factories producing the boards were not making ones with the chips, it was 4 smaller subcontractors used to fulfill overflow needs that were infiltrated and had chips inserted onto those.
 
This isn't the first security issue from SuperMicro. They've been banned from datacenter deployment where I work for a while now. Pretty good chance this chip could basically replace the BIOS, BMC or other firmware stored on the MB with their own version, likely selectively to avoid detection.

"The issue's not whether you're paranoid, Lenny, I mean look at this shit, the issue is whether you're paranoid enough." --Max from Strange Days
 
Other countries love to spy on other countries and this was very much to be expected. One of the leading arguments in my opinion on why you don't have potential trade enemies manufacturing things like this for your home market.
 
Friendly countries will spy on each other as well. Some things are much better off being made at home.
 
I'm doubting the Bloomberg reporting. There is so much of this that doesn't pass the basic logic test. First off you have to assume that Supermicro (an American company) made a deal with the Chinese to install these chips on custom PCB boards, spec'd by the customer, so they knew they would eventually get detected. It would have to have been done at a high level, because anyone who has had anything to do with PCB fabrication, knows you have trace layouts, testing pads, xray and lithography sheets, pick and place setups, etcetera that would all have to be updated to accommodate for this chip... (not to mention these proprietary board layouts would have to be given to whomever developed this chip, so they could integrate it). All this work and you know it would be detected because Amazon, Apple, etcetera will be pulling a certain number of boards and comparing them against the specs they sent to Supermicro. The changes in the traces and introduction of one extra chip isn't going to go unnoticed. Sorry, it sounds plausible if you have no idea what goes into PCB manufacturing, but as someone who has seen all aspects of it, it's just not likely.
 
Sounds more like someone doesn't care to keep the Chinese Lobby groups happy and doesn't feel the need to downplay China's bullshit.

I worship my politicians, too. I'm so impressed with their very, very big brains.
 
Supermicro is going to be literally destroyed by this.

But the chain of events that they allege happened could really happen to any firm that is manufacturing in China. Agents were showing up, saying they were from Supermicro or they were using bribes/intimidation to get these chips into motherboards.

I would also allege that it was probably pretty easy to get spies into Supermicro so that they got access to their motherboard designs so that they would know where to inject these chips well ahead of the scheduled manufacturing.
 
I'd buy made-in-the-USA PC components like motherboards, even at 2x the cost of Chinese stuff. It's a shame nobody will do it.
 
There is literally no way Chinese agents show up at a fab plant and make that many changes to the manufacturing process of PCB boards and it wouldn't be reported by Supermicro's onsite management. This isn't some minor thing, it would involve multiple engineers changing settings on the assembly line and engineers updating custom PCB traces. Either Supermicro was entirely complicit or this story is BS... I'm inclined to believe it is BS as there hasn't been any corroborating evidence to back this up.
 
And people wonder why they want to ban Chinese companies from selling cellphones in the US.....This crap doesn't surprise me, and it wouldn't surprise me that the US probably does the same.


This is even scarier though. Supermicro doesn't design its products in China to my knowledge. These spy-chips were surreptitiously inserted during the manufacturing process.

This puts not just Chinese brands under suspicion, but every single electronic device manufactured in China, which is essentially all of them.
 
^^ Pretty much. If this story is true, this is the greatest supply chain attack in history.
 
No board model numbers?
No batch numbers?
No pics for proof?
No naming of the supposed 4 subcontractors?

Humm.. :shifty:

Yeah. Not to mention...What protocol was used to send data back? Was a protocol used to send the data back? Where did the data go? How was command and control facilitated? How did this pass perimeter monitoring for so many huge environments without flagging? There ARE ways to provide good answers to the above questions, which btw, are very valid questions that are asked in nearly any infosec related engagement. None of which are asked with answers provided in this report.
 
I'm doubting the Bloomberg reporting. There is so much of this that doesn't pass the basic logic test. First off you have to assume that Supermicro (an American company) made a deal with the Chinese to install these chips on custom PCB boards, spec'd by the customer, so they knew they would eventually get detected. It would have to have been done at a high level, because anyone who has had anything to do with PCB fabrication, knows you have trace layouts, testing pads, xray and lithography sheets, pick and place setups, etcetera that would all have to be updated to accommodate for this chip... (not to mention these proprietary board layouts would have to be given to whomever developed this chip, so they could integrate it). All this work and you know it would be detected because Amazon, Apple, etcetera will be pulling a certain number of boards and comparing them against the specs they sent to Supermicro. The changes in the traces and introduction of one extra chip isn't going to go unnoticed. Sorry, it sounds plausible if you have no idea what goes into PCB manufacturing, but as someone who has seen all aspects of it, it's just not likely.

As best I can tell from the long TFA, the chips were added at one or more subcontractors that provided subassemblies for the primary contractors. The chip in question is small enough to be missed in any inspection a Manager is likely to make. The changes were probably made not to the first batch but to batches made long after the design had been approved and installed in thousands of main boards. If Lot #12 worked just fine, who is going to really give Lot #13 a close look if it works fine as well? And from TFA, Amazon and Apple did notice something weird and reported to the Feds sometime in 2015. Also stated that the reason Amazon sold off the China operation was it was so infected by this and other things it was easier to cut and run than accuse China of spying. Everyone stayed quiet until recently.
 
Yeah. Not to mention...What protocol was used to send data back? Was a protocol used to send the data back? Where did the data go? How was command and control facilitated? How did this pass perimeter monitoring for so many huge environments without flagging? There ARE ways to provide good answers to the above questions, which btw, are very valid questions that are asked in nearly any infosec related engagement. None of which are asked with answers provided in this report.


Maybe part of the reason why this information hasn't been released is that it's still under investigation by the FBI/NSA/etc and is still classified not for public consumption?

As for the design aspects of it - don't ever discount insider threats either - could have been development work done by a few employees that were actually agents of PRC intelligence or were turned by them.
 
All these people talking about all that it takes to make this hack work, and expecting "Someone" to notice something wrong, and bring it up. I can't help but think did those somebodies get paid to care? When building this stuff, not designing, actual building you do your job, you get paid, you go home, and you get to do it all over again the next day. Then with all this military stuff it makes me think of Edward Snowden. He saw something wrong, and spoke up about it, look where it got him...

You do your job, you get paid, you go home, and you get to do it all over again the next day...
You're not paid to care.
 
So if we are replacing mobo's from 2015 and such. Aren't they 99.9% Intel? Will this help AMD speed up EPYC adoption, as datacenters decide to upgrade from this event?

Would be hard to replace old mobo's in a DDR4 world, might as well replace everything?

EPYC has less power usage, more cores, upgrade path, 7nm, more memory speed and support, 5x lower cost.
 
The timing of this story is interesting. I wonder if a certain competitor is not happy with this partnership anymore.

https://www.amd.com/en/campaigns/amd-and-supermicro

Nah that would delve into the territory of conspiracy theory.. Mulder and Scully and all that.

 
As best I can tell from the long TFA, the chips were added at one or more subcontractors that provided subassemblies for the primary contractors. The chip in question is small enough to be missed in any inspection a Manager is likely to make. The changes were probably made not to the first batch but to batches made long after the design had been approved and installed in thousands of main boards. If Lot #12 worked just fine, who is going to really give Lot #13 a close look if it works fine as well? And from TFA, Amazon and Apple did notice something weird and reported to the Feds sometime in 2015. Also stated that the reason Amazon sold off the China operation was it was so infected by this and other things it was easier to cut and run than accuse China of spying. Everyone stayed quiet until recently.

Yeah, I don't get the doubters here. The fact that a chip was disguised as a different type of component is sufficient to be alarming. All other details would be classified so it's no surprise the article's author is circumspect, especially if there are canaries in the reports.
 
Well, I can promise all of you that there is a lot more than just this going on. The United States has also been doing this type of business since the 40's. For many decades, the US supplied telecommunications equipment to the rest of the world. This included internet infrastructure and any related equipment since at least the 80's. And I am going to safely assume they have many top secret projects that fully cover all of their bases. I imagine China is heavily embedded one way or another.

Also, depending on the design of a motherboard, motherboard thickness, trace width, trace thickness along with those lengths, IC placement, etc ... you can blow these little IC chips right off the motherboard remotely?
 
So if we are replacing mobo's from 2015 and such. Aren't they 99.9% Intel? Will this help AMD speed up EPYC adoption, as datacenters decide to upgrade from this event?

Would be hard to replace old mobo's in a DDR4 world, might as well replace everything?

EPYC has less power usage, more cores, upgrade path, 7nm, more memory speed and support, 5x lower cost.

I doubt it will help that much because AMD is actively sharing their tech with China. It's probably a lot easier for the Chinese to reverse engineer and develop a custom board and solution.
 
Huawei checks for stuff like this by slowly peeling off a thin layer by layer of whatever sub component to make sure nothing sneaks by, I would assume other people in high risk scenarios would do the same.

Maybe that's why the Danish mobile infrastructure to a large degree has been put in the hands of Huawei so we don't have to check for things like this ourselves. :rolleyes::whistle:
 
Main article reads like a good spy story / movie plot with no real details or facts. Like when people say enhance in tv/movies.

Disclaimer: I bought some Supermicro stock half off this morning and am up 200 dollars since then so I might be biased hahahaha.
 
:( damn....... I saw it at just under 10 bucks and should have freaking bought some! Now it's back up around 13.20 a share. To have hit it right at 8.50 would have been amazing good timing!
 
Bad Supermicro....no biscuit. This is why we can't trust Chinese goods. Folks who live in the USA just don't understand that the freedoms we enjoy in this country are not found in others. Chinese companies are subject to the government under which they operate. The Chinese government is one of the worst, most oppressive and restrictive in the world. Americans really need to travel to see how the world really works. We stick our head in the sand and make bad decisions based on price/cost. Yes these countries (China, Cuba, Russia, Iran, etc) are REALLY out to get you, this is not a tin foil hat situation. By the time the USA wakes up and pays attention it will be too late.

What Freedoms, sorry to burst your bubble but a certain Apartheid Regime that owns and controls your government gets all your data.
 
It's a good thing that AMD licensed their EPYC processor design to a Chinese company. Nothing bad can come from that.

Anyway, anyone else see red flags in the article? No matter if it's IME style, how well hidden locally on the server, once it gets on the network it is monitored by a separate entity. The professionals should have detected anomalies very fast. Of course, you can never be surprised how bad things are in reality, like Equifax's security or OPM's security.
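
The network-side check this post describes, as an added example that is not part of any post in this thread: it flags flows leaving a server management (BMC) network for destinations outside an allowlist and marks evenly spaced repeats. The subnet, allowlist, record format and sample flows are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed layout: BMC / out-of-band management interfaces live in MGMT_NET and
# may only talk to the listed internal services. All values are constructed.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED = [
    (ipaddress.ip_network("10.20.0.0/24"), None),   # intra-management traffic
    (ipaddress.ip_network("10.1.0.10/32"), 123),    # internal NTP
    (ipaddress.ip_network("10.1.0.20/32"), 514),    # internal syslog
]

# Constructed flow records: epoch_seconds,src_ip,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
1000,10.20.0.5,10.1.0.10,123,76
1010,10.20.0.5,10.1.0.20,514,310
1020,10.20.0.7,203.0.113.44,443,152
1320,10.20.0.7,203.0.113.44,443,148
1620,10.20.0.7,203.0.113.44,443,150
1700,10.30.0.9,198.51.100.8,443,90211
1920,10.20.0.7,203.0.113.44,443,151
2000,10.20.0.8,10.1.0.10,53,64
""".splitlines()

def is_allowed(dst, port):
    """True if (dst, port) matches an allowlist entry; port None means any."""
    return any(dst in net and (p is None or p == port) for net, p in ALLOWED)

def find_unexpected_egress(lines, max_jitter=0.1):
    """Group management-network flows that break the allowlist by
    (src, dst, port) and mark groups whose timing looks like a beacon."""
    groups = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _bytes = line.split(",")
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in MGMT_NET and not is_allowed(dst_ip, int(port)):
            groups[(src, dst, int(port))].append(int(ts))
    findings = []
    for key, times in sorted(groups.items()):
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Regular spacing (low relative jitter over 3+ gaps) suggests automation.
        periodic = len(gaps) >= 3 and pstdev(gaps) <= max_jitter * mean(gaps)
        findings.append({"flow": key, "count": len(times), "periodic": periodic})
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_egress(SAMPLE_FLOWS):
        print(finding)
```
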
 
Whether this is true or not, this kind of thing has been hinted at before with Huawei phones. Maybe it is time to build the fabs in western countries to be sure that this kind of thing stops.
 
Hinted. What about proven?
 
And people wonder why they want to ban Chinese companies from selling cellphones in the US.....This crap doesn't surprise me, and it wouldn't surprise me that the US probably does the same.

I've been waiting for this shit for a decade, too.....weaponized wifi is next ...bluetooth headaches......
 
We'll just have to see if this is a Cheney style lie to justify a new major war.

Anything is possible, in either direction.

Why would they do something so brazen, that literally leaves physical evidence (IE it can't be destroyed with a reboot,...)? That's like 3 letter agency 101 level no-no. Of course you will get caught when it phones home. At some point.

On the other hand, they now have an emperor, they could have gotten too big or too arrogant. Many possibilities. Like even, it's so stupid that no one would believe it was done.


Of course, on our side. This is so much like the Cheney administration's Iraq War boondoggle. And with the president and the administration doing so much gaslighting.
 
We should ask the FBI to find out who had big short positions on SM, and see if they were involved in this "news."
I'm surprised the market hasn't suspended trading, you'd think the circuit breakers would have tripped.
I'd think it'd be the SEC, not the FBI that heads an investigation like that.
 
And here's me wondering why sensitive data is stored on devices that have a physical connection to the internet...
 
Doesn't the nsa also do this?


The NSA targets an individual collection target, intercepts a shipment, compromises the equipment en-route, in order to establish/insert a vulnerability.

It sounds like China was just seeding a factory in the hopes that their vulnerability would wind up in some choice servers. It's a little bit different.
 
The article mentions that NASDAQ delisted Supermicro back in August, due to some suspicious accounting and delayed reports. The stock prices we see are on exchanges outside the US, I believe.
AFAICT, it's still on the NASDAQ. But if it was dropped from there, it'd be on an OTC exchange. Given that their ticker symbol is still SMCI, I believe they're still on the Nasdaq.
 