On 2018-10-04 23:37, Naslund, Steve wrote:
I was wondering about where this chip tapped into all of the data and
timing lines it would need to have access to.  It would seem that
being really small creates even more problems making those
connections.  I am a little doubtful about the article.  It would seem
to me better to create a corrupted copy of something like a front side
bus chipset, memory controller or some other component that handles
data lines than create a new component that would then require a
motherboard redesign to integrate correctly.  It would seem that as
soon as the motherboard design was changed someone would wonder "hey,
where are all those data lines going?"  It would also require fewer
people in on the plan to corrupt or replace a device already in the
design.  All you need is a way to intercept the original chip supply
and insert your rogue devices.

On the opposite side of the argument, does anyone think it is strange
that all of the companies mentioned in the article along with the PRC
managed to get a simultaneous response back to Bloomberg.  Seems
pretty pre-calculated to me.  Or did some agency somewhere tell
everyone they better shut up about the whole thing?

Steven Naslund
Chicago IL


Just a theory: tap the same lines as the SPI flash (let's assume it is not QSPI), so we are "in parallel", as a "snooper" chip.
First, it can easily snoop by listening to MISO/MOSI/CS/CLK.
When the required data pattern and block are detected during snooping, it can remember the offset(s) of the required data. When, later, the BMC sends a request for this "offset" over MOSI, we override the BMC and force CS high (inactive), so the main flash chip will not answer, and instead we answer with our own, different data from the "snooper".
Voila... instead of root:password we get root:nihao
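
The snoop-then-hijack sequence described in that post, written out as an added bus simulation; this is an example I wrote for this page, not code from the poster or from any vendor. It assumes the classic SPI NOR READ command (0x03 plus a 3-byte address), a constructed 4 KiB flash image with one passwd-style line placed at offset 0x0A40, and a snooper that knows the byte pattern it wants. The "force CS high" step is modelled as a flag the flash model honours; whether a small parallel chip could really overpower the BMC's CS driver on a live board is the part the theory leaves open, and the simulation does not answer it. First pass: the BMC reads the whole image and the snooper only listens and learns the offset. Second pass: the BMC re-reads that region and the snooper silences the flash and drives its own bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLASH_SIZE 4096
#define CMD_READ   0x03   /* classic SPI NOR READ: 1 command byte + 3 address bytes */

/* Constructed flash image (assumption for the example): one passwd-style line. */
static uint8_t flash[FLASH_SIZE];
static const char *const ORIG_LINE = "root:password:0:0::/:/bin/sh\n";
#define ORIG_OFF 0x0A40

/* The "snooper" sitting in parallel on MISO/MOSI/CS/CLK. */
typedef struct {
    const char *pattern;      /* byte string it waits to see on MISO */
    const char *replacement;  /* same length; what it drives on MISO instead */
    size_t   matched;         /* pattern bytes matched so far */
    long     pattern_off;     /* flash offset of the pattern; -1 = not yet learned */
    unsigned overrides;       /* bytes hijacked so far */
} snooper_t;

/* Flash model: it only answers while CS is asserted (low). */
static int flash_miso(uint32_t addr, int cs_low)
{
    if (!cs_low) return -1;                       /* deselected: MISO is high-Z */
    return addr < FLASH_SIZE ? flash[addr] : 0xFF;
}

/* One data byte clocked by the master. Returns what the master sees on MISO. */
static uint8_t bus_clock_byte(snooper_t *s, uint32_t addr)
{
    size_t plen = strlen(s->pattern);

    /* Phase 2: offset already learned and the master is reading it -> hijack.
     * The snooper forces CS high so the real flash stays silent, then drives
     * its own byte. (Modelled as a flag; overpowering the BMC's CS driver on a
     * real board is the hard part the theory glosses over.) */
    if (s->pattern_off >= 0 && addr >= (uint32_t)s->pattern_off &&
        addr < (uint32_t)s->pattern_off + plen) {
        int from_flash = flash_miso(addr, 0);     /* -1: the flash did not answer */
        (void)from_flash;
        s->overrides++;
        return (uint8_t)s->replacement[addr - (uint32_t)s->pattern_off];
    }

    /* Phase 1: pass through, but watch MISO for the pattern and remember
     * where it lives in the image. */
    uint8_t b = (uint8_t)flash_miso(addr, 1);
    if (b == (uint8_t)s->pattern[s->matched]) {
        if (++s->matched == plen) {
            s->pattern_off = (long)addr - (long)plen + 1;   /* offset of first byte */
            s->matched = 0;
        }
    } else {
        s->matched = (b == (uint8_t)s->pattern[0]) ? 1 : 0;
    }
    return b;
}

/* BMC side: one READ transaction. The header goes out on MOSI, so the
 * snooper learns the start address exactly as the flash does. */
static void bmc_read(snooper_t *s, uint32_t addr, uint8_t *out, size_t len)
{
    uint8_t hdr[4] = { CMD_READ, (uint8_t)(addr >> 16), (uint8_t)(addr >> 8), (uint8_t)addr };
    uint32_t cur = ((uint32_t)hdr[1] << 16) | ((uint32_t)hdr[2] << 8) | hdr[3];
    for (size_t i = 0; i < len; i++)
        out[i] = bus_clock_byte(s, cur + i);
}

/* Scenario: BMC reads the whole image once (boot, snooper only listens), then
 * re-reads the passwd line (login). Returns the line the BMC got the second time. */
static const char *run_scenario(snooper_t *s, char *line, size_t cap)
{
    static uint8_t dump[FLASH_SIZE];
    size_t n = strlen(ORIG_LINE);
    memset(flash, 0xFF, sizeof flash);
    memcpy(flash + ORIG_OFF, ORIG_LINE, n);

    bmc_read(s, 0, dump, FLASH_SIZE);            /* first pass: learn the offset */
    if (n >= cap) n = cap - 1;
    bmc_read(s, ORIG_OFF, (uint8_t *)line, n);   /* second pass: hijacked */
    line[n] = '\0';
    return line;
}

int main(void)
{
    char line[64];
    snooper_t s = { "root:password", "root:nihao123", 0, -1, 0 };
    printf("BMC read on second pass: %s", run_scenario(&s, line, sizeof line));
    printf("learned offset 0x%lX, hijacked %u bytes\n", s.pattern_off, s.overrides);
    return 0;
}
```

The replacement is kept the same length as the pattern because the snooper can only substitute bytes one for one inside the clocked transfer; it cannot lengthen the response. A snooper whose pattern never appears on the bus learns no offset and stays a pure pass-through, which is also the reason a defender reading the flash in-circuit would see nothing wrong until the trigger pattern has gone by once.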
