Looks like the alleged chip is hooking into the BMC actually based on layout of the board pictured in the article.
On Sun, Oct 7, 2018 at 2:06 PM Russell Senior <[email protected]> wrote: > Devices aren't omniscient. They can't really tell when we are looking or > not looking. So, if they are misbehaving, it is possible to observe that > misbehavior. Certainly, the more complex their normal behavior, the more > difficult it is to identify misbehavior. > > The Bloomberg story is difficult to assess. The tiny little device they > show is a little hard to credit, not so much for its size as that it's hard > to see how that in that shape it could get access to enough traces on the > motherboard in such a tiny package to power itself and interfere with > normal signalling. Seems like it would need at least power, ground and at > least one signal, maybe a couple more, given that the most plausible attack > seems to be that they interfere with the firmware data coming into the BMC > over SPI flash. > > That said, the BMC on server motherboards has a scarily privileged > position. Better, more reviewable software there, as well as on the ME chip > on modern desktop/laptops, is something I've been looking for. There was > recently a meeting in Europe called Open Source Firmware Conference ( > https://osfc.io/) with some interesting talks, available online. > > On Sun, Oct 7, 2018 at 1:35 PM Louis Kowolowski <[email protected]> > wrote: > > > On Oct 5, 2018, at 1:24 AM, Keith Lofstrom <[email protected]> wrote: > > > > > > On Thu, Oct 04, 2018 at 12:21:22PM -0700, Dick Steffens wrote: > > >> The story about Elemental's computers having a spy chip on their > > >> motherboards raise the question, how can we know if our computers > > >> are compromised? > > >> > > >> > > > https://www.oregonlive.com/silicon-forest/index.ssf/2018/10/chinese_planted_spy_chips_insi.html > > > > > > Assume your machines ARE compromised. The only question is > > > how many different organizations have their own compromises > > > in your machine. > > > > > > Without a completely open production process, end to end, > > > which includes open source chip design, and a back end chip > > > teardown process to compare design intent to samples of the > > > actual silicon, there are just WAY too many places that > > > very complex behavior may be inserted. An extra chip on > > > the circuit board, like this unconfirmed hack, is far too > > > obvious for a deep-pockets adversary to bother with. > > > > > > My nightmare: > > > > > > The easiest place to insert malware is into the firmware > > > boot tracks on your hard drive. > > > > > > Hard drive behavior is controlled by "digital signal > > > processing" software for motor control, head movement, > > > and the high level, pack-the-bits-onto-a-track behavior. > > > That behavior is complex (vastly more complex than hard > > > drives or even whole computers a decade ago), and is way > > > more than they want to freeze into logic chips or store > > > in an EPROM. So the drive manufacturer stores those > > > megabytes on the disk itself, in the "low performance" > > > areas of the disk platter. > > > > > > A few percent of the platter area is low performance, too > > > slow to move user data quickly, but usable at lower speeds > > > or bit densities, or with simpler encodings usable by > > > simple "boot-the-boot" hardware. There is room to store > > > gigabytes of potential boot information in that area, > > > a vast opportunity for mischief and malware. > > > > > > I can imagine conditions that trigger the loading of > > > alternate disk control software, which inserts exploits > > > into an operating system as it is read off the disk. > > > There is enough room on the disk to do this for hundreds > > > of common operating systems. That would NOT include all > > > the zillions of variant kernels used by the Linux > > > community, but there are many fewer variants of other > > > linux security software, like the SELinux suite. > > > > > > My former neighbor worked for a Vancouver Washington > > > company ("C") that builds network monitoring systems. > > > "C" assembles their machines in China, and installs > > > firmware there so they can do acceptance testing on > > > arrival here. After acceptance, they wipe the hard > > > drives down to the boot tracks and rebuild them, Just > > > In Case, because their systems control the Internet. > > > > > > The silicon might still be compromised, though. I am > > > a chip designer. If I control the fabrication process, > > > especially the ion implanter or the photomask aberration > > > correction system, I can hide behavior in a chip that you > > > won't be able to find unless you take the chip apart atom > > > by atom and compare that to a detailed mask level > > > specification, then compare the mask specification to > > > a mind-bogglingly expensive series of simulations. > > > > > > Optimization-by-complexity is the antithesis of security. > > > > > > In simple words, complex chips are vulnerable. Use > > > simpler chips, or avoid making enemies. > > > > > If you assume the hardware is compromised, how can it be used in a way > > that would allow you to believe the results it provides? The software by > > definition couldn't correct the compromise. > > > > -- > > Louis Kowolowski [email protected] > > Cryptomonkeys: > > http://www.cryptomonkeys.com/ > > > > Making life more interesting for people since 1977 > > > > _______________________________________________ > > PLUG mailing list > > [email protected] > > http://lists.pdxlinux.org/mailman/listinfo/plug > > > _______________________________________________ > PLUG mailing list > [email protected] > http://lists.pdxlinux.org/mailman/listinfo/plug > _______________________________________________ PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug
