On Lawfare, Nicholas Weaver comments on a report of certain servers in use by various U.S. companies being compromised by the Chinese People’s Liberation Army (PLA):
Robertson and Riley report a scheme in which Chinese intelligence bribed, threatened or cajoled at least four separate subcontracted manufacturing facilities in China to modify the design of SuperMicro server motherboards to include a small chip—smaller than a grain of rice—that would insert the backdoor into the BMC.
This scheme is less crazy than it might seem. Modern circuit boards are filled with small support chips, and the backdoor chip would appear to be just another faceless component to all but the most detailed examination. And while the Bloomberg article doesn’t go into the mechanics of how this would work, there’s one likely culprit: the serial EEPROM chip or a serial FLASH chip, which is used to store program and other instructions used during the startup process. The BMC itself loads at least some data from such a chip, which itself needs only two wires to communicate—so it would only take two connections for a rogue chip to mask the contents of a SEEPROM or SPI FLASH, replacing the contents and thereby corrupting the BMC by installing the backdoor code. …
Then there is the question of whether the NSA is aware of other supply chains compromised in similar manners. If so, a quiet nudge may be a good idea. This style of backdoor can be very hard to find until one knows where to look, but is reasonably discoverable once the searcher is pointed in the right direction.
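Weaver’s point that this kind of implant is “reasonably discoverable once the searcher is pointed in the right direction” suggests the check a defender would actually run: read the BMC’s boot storage (the serial EEPROM or SPI flash he names) and compare it byte for byte against the vendor’s known-good image. The script below is an added example, not code from Lawfare, Bloomberg, or SuperMicro; the “golden” and “tampered” images are constructed in-line to stand in for a vendor-published firmware image and a dump taken from a suspect board, and all function names are my own.

```python
"""Compare a dumped BMC flash image against a known-good (golden) image.

Added example, not from the quoted report. Assumes you already hold a
vendor-published golden image and a dump of the board's serial EEPROM /
SPI flash; both are modelled here with constructed byte strings.
"""
import hashlib
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image; handy for comparing against a published hash."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(golden: bytes, dump: bytes) -> List[Tuple[int, int]]:
    """Return half-open [start, end) byte ranges where dump differs from golden.

    Contiguous mismatching bytes are merged into one region so a patched
    block shows up as a single offset range rather than hundreds of bytes.
    A length mismatch is reported as a final region covering the tail.
    """
    regions: List[Tuple[int, int]] = []
    n = min(len(golden), len(dump))
    start = None
    for i in range(n):
        if golden[i] != dump[i]:
            if start is None:
                start = i          # entering a mismatching run
        elif start is not None:
            regions.append((start, i))  # run ended at i
            start = None
    if start is not None:
        regions.append((start, n))      # run reached end of common length
    if len(golden) != len(dump):
        regions.append((n, max(len(golden), len(dump))))
    return regions


def verify_flash_dump(golden: bytes, dump: bytes) -> dict:
    """Summarise the comparison: hashes, match flag, and offsets of any changes."""
    regions = diff_regions(golden, dump)
    return {
        "golden_sha256": sha256_hex(golden),
        "dump_sha256": sha256_hex(dump),
        "match": not regions,
        "regions": regions,
        "changed_bytes": sum(end - start for start, end in regions),
    }


# --- constructed sample images (stand-ins for real firmware) ---------------
# 4 KiB golden image: a repeating 0x00..0xFF pattern, so any edit is visible.
GOLDEN_IMAGE = bytes(range(256)) * 16

# A dump with two constructed modifications: a 16-byte patch at 0x200 and a
# single flipped byte at 0x800. Real implants would be larger; the point is
# that the diff reports exact offsets to inspect.
_tampered = bytearray(GOLDEN_IMAGE)
_tampered[0x200:0x210] = b"\xff" * 16
_tampered[0x800] = 0x01
TAMPERED_IMAGE = bytes(_tampered)


def main() -> None:
    report = verify_flash_dump(GOLDEN_IMAGE, TAMPERED_IMAGE)
    print("golden sha256 :", report["golden_sha256"])
    print("dump   sha256 :", report["dump_sha256"])
    print("match         :", report["match"])
    for start, end in report["regions"]:
        print(f"  differs at 0x{start:06x}-0x{end:06x} ({end - start} bytes)")


if __name__ == "__main__":
    main()
```

Two points for anyone applying this to a real board: take the dump with an external programmer clipped to the flash package, not through the BMC or host, because the rogue part Weaver describes sits on that two-wire bus and masks what the BMC reads, so a dump taken through the BMC could return whatever the implant serves; and expect some legitimate differences (serials, configuration or log areas), so the offsets reported should be checked against the vendor’s image layout rather than treated as proof by themselves.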
This is one of the problems with free trade with adversarial countries such as China that can supply components cheaply – we end up revealing our secrets without ever realizing it.
But it also suggests a business opportunity, the supply of components and servers certified to be free of industrial espionage. Manufacturers would probably be required to provide proof, probably through inspection, and perhaps even a bond for each server sold – although bonds may not be sufficient to restrain some avaricious businessmen.
In essence, it’s a trade war without the drama.
Another reason to distrust private sector folks who think it’s all about making money.