Build Your Own Hardware Implant

Bloomberg’s story about an alleged hardware implant […] Several people were pointing out the fact that the BMC (Baseboard Management Controller – the component allowing out-of-band access to the server) could be tampered with, allowing an implant to control the BMC to gain access to the network card. But how does it work in practice? Let’s see if we can reproduce this. […]

more on SuperMicro Bloomberg story

Re: https://firmwaresecurity.com/2018/10/04/bloomberg-the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-u-s-companies/

SuperMicro response:
https://www.supermicro.com/newsroom/pressreleases/2018/press181004_Bloomberg.cfm

Apple response:
https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/

Amazon.com response:
https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/

More info:
https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
https://blog.senr.io/blog/impervious-implants-splintery-supply-chains
https://motherboard.vice.com/en_us/article/gye8w4/chinese-supply-chain-hack-apple-bloomberg

Bloomberg: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.

[…]There are two ways for spies to alter the guts of computer equipment.
One, known as interdiction, consists of manipulating devices as they’re in transit from manufacturer to customer. This approach is favored by U.S. spy agencies, according to documents leaked by former National Security Agency contractor Edward Snowden.
The other method involves seeding changes from the very beginning.[…]

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Eclypsium: new Supermicro firmware research

Firmware Vulnerabilities in Supermicro Systems

https://www.bleepingcomputer.com/news/security/firmware-vulnerabilities-disclosed-in-supermicro-server-products/

[…]We have confirmed missing firmware storage access controls and insecure firmware updates on specific Supermicro systems. Many other systems are likely to have similar vulnerabilities, leaving them exposed to attacks targeting firmware and hardware. Since most organizations do not monitor at this deep level, these attacks may go unnoticed for an extended period. By providing this summary of the vulnerabilities, impacts, and mitigation strategies, we hope to assist organizations in understanding and defending against threats at this level.

I have not seen any CVE yet; I hope SuperMicro has seen this.

more on Apple/SuperMicro story

Re: https://firmwaresecurity.com/2017/02/24/apple-rejects-supermicro-due-to-bad-firmware/

An update from the Ars Technica story:

Update: A source familiar with the case at Apple told Ars that the compromised firmware affected servers in Apple’s design lab, and not active Siri servers. The firmware, according to the source, was downloaded directly from Supermicro’s support site—and that firmware is still hosted there.

Apple issued the following official comment: Apple is deeply committed to protecting the privacy and security of our customers and the data we store. We are constantly monitoring for any attacks on our systems, working closely with vendors and regularly checking equipment for malware. We’re not aware of any data being transmitted to an unauthorized party nor was any infected firmware found on the servers purchased from this vendor.

https://arstechnica.com/information-technology/2017/02/apple-axed-supermicro-servers-from-datacenters-because-of-bad-firmware-update/

https://www.theinformation.com/apple-severed-ties-with-server-supplier-after-security-concern?shared=516084

Apple rejects Supermicro due to bad firmware

https://arstechnica.com/information-technology/2017/02/apple-axed-supermicro-servers-from-datacenters-because-of-bad-firmware-update/

http://appleinsider.com/articles/17/02/23/server-firmware-security-incident-in-2016-forced-apple-to-sever-ties-with-vendor-super-micro

https://www.macrumors.com/2017/02/23/apple-ends-relationship-with-super-micro/

Hurray for a vendor for checking the security of the hardware, and rejecting it for not being secure. If you are a big enough vendor, demand the output of CHIPSEC’s security tests and FWTS’s test results before you buy it. If CHIPSEC is failing, do not buy it. This is the only way some OEMs will learn to build secure systems. Unfortunately, no end-user consumer has this ability. Large enterprises do, and I wish more would be doing it, and demanding the results be public. OEMs which build secure systems should be proactively showing their test results, so that savvy customers will realize this huge market advantage over competitors.

I wonder what kind of incident this was: firmware malware or something else?

SuperMicro on using IPMI in a home lab

Here’s advice from a few months ago by SuperMicro on how to use IPMI in a network environment:

If you are utilizing Supermicro in your lab environment, there is a great feature that comes with Supermicro boards that allows BMC IPMI management of the server. It is basically an out of band management of the server much like a switch OOB management interface. I wanted to post some screenshots of most of the various areas of control you have with the IPMI console of a Supermicro box. It is fairly comprehensive. Let’s take a look at Supermicro IPMI management walkthrough.

http://www.virtualizationhowto.com/2016/05/supermicro-ipmi-management-walkthrough/

DMTF Redfish 1.0 released

Redfish, an IPMI replacement, has shipped the first release of their spec. Quoting the press release:

DMTF Helps Enable Multi-Vendor Data Center Management with New Redfish 1.0 Standard

DMTF has announced the release of Redfish 1.0, a standard for data center and systems management that delivers improved performance, functionality, scalability and security. Designed to meet the expectations of end users for simple and interoperable management of modern scalable platform hardware, Redfish takes advantage of widely-used technologies to speed implementation and help system administrators be more effective. Redfish is developed by the DMTF’s Scalable Platforms Management Forum (SPMF), which is led by Broadcom, Dell, Emerson, HP, Intel, Lenovo, Microsoft, Supermicro and VMware with additional support from AMI, Oracle, Fujitsu, Huawei, Mellanox and Seagate. The release of the Redfish 1.0 standard by the DMTF demonstrates the broad industry support of the full organization.

http://dmtf.org/standards/redfish
http://dmtf.org/join/spmf

Don’t forget to grab the Redfish “Mockup” as well as the specs and schema.

UEFI 2.5 has a JSON API to enable accessing Redfish. HP was the first vendor with systems that supported UEFI 2.5’s new HTTP Boot, a PXE replacement. Intel checked HTTP Boot support into TianoCore, so it’s just a matter of time until other vendors have similar products. JSON-based Redfish and HTTP-based booting make UEFI much more of a “web app” with respect to security research, and increase the need for system administrators to examine more closely how firmware is updated on their systems, to best protect them.
https://firmwaresecurity.com/tag/uefi-http-boot/