Information Security News mailing list archives
Investigating Implausible Bloomberg Supermicro Stories
From: InfoSec News <alerts () infosecnews org>
Date: Tue, 30 Oct 2018 10:40:54 +0000 (UTC)
https://www.servethehome.com/investigating-implausible-bloomberg-supermicro-stories/

By Patrick Kennedy
ServeTheHome
October 22, 2018

Today we are going to more thoroughly address the Bloomberg Businessweek article alleging that China targeted 30 companies by inserting chips in the manufacturing process of Supermicro servers. Despite denials from named companies and the technology press casting some reasonable doubt on the story, Bloomberg doubled down and posted a follow-up article claiming a different hack took place. In this piece, we are going to present a critical view of Bloomberg’s claims, as supported by anonymous sources, in order to allow our readers to decide for themselves the credibility of Bloomberg’s reporting in this case.

Technical Lightness or Inaccuracy

This is a long article. In the first section, we are going to discuss why there are some fairly astounding plausibility and feasibility gaps in Bloomberg’s description of how the hacks worked. The weakness in this section of the Bloomberg article makes it extremely difficult to navigate and it is light on details. We are going to evaluate some of the parts in isolation, and also discuss some of the logical outcomes. In our first investigative piece, "Bloomberg Reports China Infiltrated the Supermicro Supply Chain We Investigate", we went into some detail about why a motherboard and hardware for a motherboard is a very difficult way to hack a BMC. If you have not read our "Explaining the Baseboard Management Controller or BMC in Servers", that should be a precursor to reading the next section. STH has a relatively technically minded audience, so we are going to assume our audience has at least the knowledge imparted in that article.

The Lynchpin of How Bloomberg’s Device Activates is Not Plausible

We are going to focus on a few key parts of one of the opening paragraphs from the story where functionality is described.

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_
