Bloomberg Businessweek’s Super Micro story: How leaders can secure the supply chain

Hi there, Tim Warner from Pluralsight here. I’d like to talk to you briefly about the Bloomberg Super Micro story and how it impacts supply chain security. Let’s imagine if I were a bad actor. What are some things that I would wanna do? Well, maybe I wanna snoop on my competition and my business enemies. How could I do that? What if I were a hardware manufacturer and I could compromise an original equipment manufacturer partner’s factory and slip in a tiny microchip that I designed, that phones home, that opens up administrative back doors, any kind of nefarious fill-in-the-blank? If I could integrate that tiny chip and hide it on an OEM partner’s system board or motherboard, then I could really profit, couldn’t I? Because those factories would then ship the motherboards back to the OEM. The OEM would sell these servers to various big, high-profile businesses around the world, and I would be able to take advantage of my chip, its back doors, its phoning home, and I’d profit. Sounds like a scary situation, doesn’t it?

Well, you might’ve read that on October 8, 2018, Bloomberg Businessweek put together a comprehensive article called “The Big Hack: How China Used a Tiny Chip to Infiltrate America’s Top Companies.” If you’d like to read the article, here’s a short URI: This article caused a huge stir because, as it happens, Super Micro, a California-based original equipment manufacturer, sells their servers to businesses all over the world, including, yes, high-profile clients.

Some key points from that story: Number one, the company in question, as I mentioned, is called Super Micro. They’re based in California in the United States, but they have a number of hardware partners around the world, particularly in China, where these factories develop system components like the main circuit board of a computer, the motherboard. And as it happens, according to Bloomberg, the Chinese military developed a rogue chip that they were able to stick in these motherboards at a particular factory in China that obviously had been compromised.

This diagram you see is one I found on Twitter. I don’t know if this is exactly accurate to what the actual hack was, but as you can see, when you’re looking at the circuitry of a motherboard, it’s all too easy to overlook a tiny little chip. In this case, the rogue chip was placed between a flash memory chip on the motherboard and what’s called the baseboard management controller, or BMC. Now that’s a big deal because a BMC is the Grand Central Station for a motherboard for remote management. So this little tiny rogue microchip was able to inject its instructions in-line with the BMC’s. That gave the microchip the ability to compromise the system and even use the internet to connect back to the command and control center where the hack originated in the world.

Now as I said, Bloomberg said that some high-profile businesses use Super Micro servers, including Amazon and Apple. Now I’m not going to get into the specifics beyond that. Both Amazon and Apple, as of this recording, strongly deny that they’ve been affected by this hack. Instead, I just want you to have a good executive overview of what’s happened, and I wanna complete this brief thought piece by giving you some practical suggestions on what you could do in case you’re worried you might be breached by this Super Micro hack.

The first thing you can do, and what I think is most important, is prioritize network traffic monitoring and alerting in your network. The bottom line is these hacked microchips, or really any malware worth its salt, are going to phone home, because after the malware compromises a system, you wanna access data that you shouldn’t have access to. And how are you going to see that data unless the rogue process, that is, the rogue hardware or software, phones home across the internet? So if you’re inspecting every Ethernet frame in your environment, then you should be able to track or trap this unexpected, unwanted traffic. It’s a lot of work, but it’s not impossible.

Second, apply controls to ensure hardware chain of trust. Now one reason why this Super Micro chip hack is so scary is because you may think right now, well wow, I have a lot of hardware in my data center. We might use a public cloud provider where we never see their hardware. What if those system boards include either this microchip hack or something similar? How can we control the entire supply chain to ensure trust? Well, that can be difficult to do, but you can apply technologies like the Trusted Platform Module and UEFI Secure Boot to digitally sign system firmware, such that any changes at the low-level system board level will be flagged and raise boot errors. In fact, it would prevent the system from booting. Now of course the complexity here with Super Micro is that normally TPM and the low-level device signing that happens occurs at the OEM’s factory. So if the factory itself is compromised, these controls may be rendered irrelevant.

Finally, apply controls where you can to ensure software code integrity. For instance, in the Microsoft world we have Device Guard, which is an application whitelisting technology. The idea here is that any of your servers should only execute processes that are explicitly trusted. Every single bit that executes needs to be trusted, and there are controls that can give you that level of assurance in your executing code.

In summary, I submit to you that defense in depth security means that it’s incumbent upon you now more than ever to examine your entire IT supply and trust chain, from the motherboard at the hardware level all the way up through software: the operating system, the device drivers, and your user-mode applications. Also, don’t be afraid to ask your partners, especially your OEM partners and your cloud providers, if they were affected by this Super Micro breach.

Again, my name is Tim Warner from Pluralsight. You can check out our training at We have lots of InfoSec training. My email address is [email protected], or you can find me on Twitter, where I post tech news. It’s @TechTrainerTim. Thanks very much, take good care.
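The first suggestion above, monitoring for the "phone home" traffic a compromised BMC would generate, can be approximated even without full-packet inspection by checking flow records from the management VLAN against an allowlist. The following is an added example, not code from the talk or from Super Micro; the management subnet, the allowed destinations and the flow records are all constructed sample values.

```python
"""Flag baseboard management controllers (BMCs) that contact unexpected
destinations. A BMC on a dedicated management VLAN should only ever reach a
handful of known internal services; anything else, especially a connection to
an address outside the internal ranges, is the phone-home behaviour to alert on.
Subnet, allowlist and flow records below are constructed sample data."""
import ipaddress
from typing import Dict, List

# Hypothetical management VLAN where the servers' BMC interfaces live.
BMC_SUBNET = ipaddress.ip_network("10.99.0.0/24")

# Address space considered "inside" this constructed environment (RFC 1918).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (destination, port) pairs a BMC is legitimately expected to contact:
# internal NTP, syslog collector and the firmware update mirror (constructed).
ALLOWED_DESTINATIONS = {
    ("10.99.0.5", 123),
    ("10.10.1.20", 514),
    ("10.10.1.30", 443),
}

# Constructed flow records, as they might be exported via NetFlow/IPFIX.
# 203.0.113.9 is a documentation-range address standing in for an external host.
SAMPLE_FLOWS = [
    {"src": "10.99.0.17", "dst": "10.99.0.5", "dport": 123, "bytes": 96},
    {"src": "10.99.0.17", "dst": "10.10.1.20", "dport": 514, "bytes": 1200},
    {"src": "10.99.0.42", "dst": "203.0.113.9", "dport": 443, "bytes": 5130},
    {"src": "10.99.0.42", "dst": "10.10.1.20", "dport": 514, "bytes": 800},
    {"src": "10.20.5.8", "dst": "203.0.113.9", "dport": 443, "bytes": 5000},
    {"src": "10.99.0.18", "dst": "10.10.1.99", "dport": 22, "bytes": 2048},
]

def classify_flow(flow: Dict) -> str:
    """Return 'ok', 'external' or 'unexpected-internal' for a single flow."""
    if ipaddress.ip_address(flow["src"]) not in BMC_SUBNET:
        return "ok"  # only BMC-originated traffic is in scope here
    if (flow["dst"], flow["dport"]) in ALLOWED_DESTINATIONS:
        return "ok"
    dst = ipaddress.ip_address(flow["dst"])
    if not any(dst in net for net in INTERNAL_NETWORKS):
        return "external"  # a BMC reaching outside the estate: phone-home signal
    return "unexpected-internal"  # not on the allowlist; worth a look too

def find_phone_home(flows: List[Dict]) -> List[Dict]:
    """Return an alert record for every BMC flow that is not on the allowlist."""
    return [{**f, "verdict": v} for f in flows if (v := classify_flow(f)) != "ok"]

if __name__ == "__main__":
    for a in find_phone_home(SAMPLE_FLOWS):
        print(f"ALERT {a['verdict']}: {a['src']} -> {a['dst']}:{a['dport']} ({a['bytes']} bytes)")
```

In a real deployment the allowlist would be generated from the BMC's documented dependencies (NTP, syslog, update servers) and the flows would come from a collector rather than an inline list.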
