security research repository of nathan andrew fain / cyphunk

Another Chinese backdoor that isn’t

On Thursday (Oct 4 2018) Bloomberg claims to have been informed of widespread modifications of server hardware made by Super Micro, a company that manufactures their hardware in China. Amazon, Apple, and now the US DHS and UK GCHQ have refuted their claims. Most of the claims made by Bloomberg’s intelligence sources appear to come from a lack of understanding of embedded systems. It is still possible that some sort of compromise was found, though its rationale and application would be narrower than reported, but a Chinese manufacturer is not the likely source of attack.

The main issue with their claims, and a general rule I hope people take away from this:

If a hardware modification targeting memory storage can result in a compromise then the software in that memory can be modified at the manufacturer without need for any hardware modification.

Bloomberg’s sources claim that the hardware modification modifies memory as it transits to a processor. The article mentions the attack applies to a specific component (the BMC) that obtains its memory from an external SPI memory chip.

“as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow.”
— Bloomberg

Any device that stores its software on an external memory chip without signing or encrypting that memory (a procedure known as “Secure Boot”) inherently trusts every single person that touches that device, regardless of location or their nationality. If Secure Boot is not implemented, the easiest, cheapest, and least detectable way for a manufacturer to widely install a backdoor is to reprogram that memory. Every other attack on memory, including the hardware modifications Bloomberg’s sources hint at, is akin to digging a ditch and filling it again.

I can think of only one scenario where the cost of fabricating a target-specific, rice-sized microchip to be installed by the manufacturer would make sense over simple memory modification: if Secure Boot is in place but a runtime flaw exists in its implementation. For example, the device starts, reads out memory and confirms its authenticity, but then later reads the memory again for some reason without authenticating it. Then and only then could I imagine a hardware modification to attack a memory bus making sense. This very narrow scenario is made more expensive by the fact that once the flaw is discovered a firmware patch will negate its effect permanently. Furthermore, the runtime Secure Boot flaws I’ve personally found over the years have all been exploitable through modification of non-volatile memory, without need for a hardware mod. So I think the scenario where a Secure Boot hack via hardware mod is useful will be extremely narrow.
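The narrow case described above, as an added example that is not code from the original post: a constructed model of external flash in which a SHA-256 digest stands in for the Secure Boot trust anchor. `ExternalFlash`, `boot_double_fetch` and `boot_single_fetch` are hypothetical names, and the image contents are constructed samples.

```python
import hashlib
import hmac

GOOD = b"bmc-firmware-v1 (constructed sample)"
ALTERED = b"bmc-firmware-v1 altered (constructed sample)"

class ExternalFlash:
    """Constructed model of an external memory chip.

    Returns `image` for the first `switch_after` reads and `altered`
    afterwards, modelling data that changes between two fetches.
    switch_after=0 models memory that was simply reprogrammed at rest.
    """
    def __init__(self, image, altered=None, switch_after=1):
        self.image, self.altered = image, altered
        self.switch_after = switch_after
        self.reads = 0

    def read(self):
        self.reads += 1
        if self.altered is not None and self.reads > self.switch_after:
            return self.altered
        return self.image

def verified(data, trusted_digest):
    # Stand-in for signature verification against a key or hash held
    # inside the processor (assumption: the digest itself is trustworthy).
    return hmac.compare_digest(hashlib.sha256(data).digest(), trusted_digest)

def boot_double_fetch(flash, trusted_digest):
    """Flawed: authenticates one read, then fetches again to execute."""
    if not verified(flash.read(), trusted_digest):
        raise ValueError("image rejected")
    return flash.read()  # second read is never authenticated

def boot_single_fetch(flash, trusted_digest):
    """Hardened: one read into internal RAM; verify and run that copy."""
    ram_copy = bytes(flash.read())
    if not verified(ram_copy, trusted_digest):
        raise ValueError("image rejected")
    return ram_copy  # external memory is not consulted again

if __name__ == "__main__":
    trusted = hashlib.sha256(GOOD).digest()
    print(boot_double_fetch(ExternalFlash(GOOD, ALTERED), trusted))
    print(boot_single_fetch(ExternalFlash(GOOD, ALTERED), trusted))
```

With `switch_after=0` both loaders reject the image, which is the point of the paragraph: once verification is in place, only the double fetch leaves anything for a change on the bus to act on, and fixing the loader removes it.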

Additionally, there are other, more anecdotal reasons to be a little suspicious of Bloomberg’s claims. The article plays very loose with facts, mixing up hardware and software related threats and one-time-use attacks vs system-wide attacks. The timing of this revelation by anonymous US intelligence sources comes during a trade war. And the artist’s rendering of how the rice-sized chip was installed would either restrict it to a code glitch on the HOLD line of memory or be impossible because it has no access to GROUND.


(Thank you Trammel Hudson for pointing out rendering and @1kevin335200 for providing device images)

But there are scenarios where a hardware modification could make sense, just not on memory. For example, some cellular devices use a separate baseband processor that the primary processor communicates with over a serial bus. If the serial traces are exposed on the PCB then they can be cut, a procedure that is hard to apply en masse, and a serial proxy added in place to modify location or data in transit. But this and other attacks assume one cannot go the cheaper route and just patch memory, as a manufacturer could.

If you do not trust your manufacturer, or your delivery trucks, or the mafia and some rogue intelligence agent trying to make a quick buck shorting a stock, there are tested procedures. The Pay TV and smart card industries have been dealing with these trust issues since inception. In these industries, secure boot architectures are designed, and secret key installation into processor OTP memory is conducted, using developer-supplied HSMs inside black boxes put in factories that company agents routinely audit.

It is certainly worth scrutinizing the security of manufacturing chains. It’s just that, well, I’ve been here before, when it was assumed China was making backdoors inside of microchips from MicroSemi. With too few dissenting voices the exact same evil-China narrative spread like wildfire before it eventually became clearer that the evidence wasn’t there. This time around I’d be happy if we get past the false McCarthyesque assumptions that this debate started with and instead deal with supply chain and trust in general.



4 responses to “Another Chinese backdoor that isn’t”

  1. This analysis is quite false. There are innumerable bit flows that secure boot does not capture. Furthermore secure boot tends to assume data will not change once validated — a MITM can TOCTOU however it likes.

    Beyond that, a wire that changes bits is less likely to be dumped.

    1. The TOCTOU you describe is what I meant by flawed secure boot implementation, a limited case where attack could apply. I also mentioned there are other non-memory related targets where a hardware mod makes sense. But I appreciate the kick-back.

  2. […] microchip. There are plenty of great takes already (1, 2, 3, 4, 5, 6, 7). Supply chain attacks are not new, nor are those […]
