What can we learn about supply chain security from the Super Micro story?

Pluralsight · 5 min read · Oct 15, 2018

Bloomberg Businessweek’s story on the hardware hack at Super Micro sent shock waves through the technology industry. In this executive summary, Pluralsight author and security expert Tim Warner breaks down what technology leaders and security professionals can learn from this kind of attack, and what can be done to safeguard the supply chain.

The full transcript follows below.

Tim Warner: Hi there. Tim Warner from Pluralsight here. I’d like to talk to you briefly about the Bloomberg Super Micro story and how it impacts supply chain security.

Let’s imagine if I were a bad actor, what are some things that I would want to do? Well maybe I wanna snoop on my competition and my business enemies. How could I do that? What if I were a hardware manufacturer, and I could compromise an Original Equipment Manager partner’s factory and slip a tiny microchip that I designed that phones home, that opens up administrative back doors, any kind of nefarious fill-in-the-blank. If I could integrate that tiny chip, and hide it on an OEM partner’s system board or motherboard then I could really profit, couldn’t I? Because those factories would then ship the factories back to the OEM, the OEM would sell these servers to various big, high profile businesses around the world, and I would be able to take advantage of my chip, its back doors, its phoning home. I profit. Sounds like a scary situation, doesn’t it?

Well you might’ve read, on October 8th, 2018, Bloomberg Businessweek put together a comprehensive article called The Big Hack: How China Used a Tiny Chip to Infiltrate America’s Top Companies. If you’d like to read the article, here’s a short URL: timw.info/bsm.

This article caused a huge stir because, as it happens, Super Micro, a California-based equipment manufacturer, sells their servers to businesses all over the world, including, yes, high profile clients.

Some key points from that story: number one, the company in question, as I mentioned, is called Super Micro. They’re based in California in the United States, but they have a number of hardware partners around the world, particularly in China, where these factories develop system components, like the main circuit board of a computer, the motherboard. And, as it happens, according to Bloomberg, the Chinese military developed a rogue chip that they were able to stick in these motherboards at a particular factory in China that obviously had been compromised.

This diagram you see is one I found on Twitter, that shows you…I don’t know if this is exactly accurate to what the actual hack was, but as you can see when you’re looking at the circuitry of a motherboard, it’s all too easy to overlook a tiny little chip. In this case the rogue chip was placed between a flash memory chip on the motherboard, and what’s called the baseboard management controller, or BMC. Now that’s a big deal, because a BMC is the Grand Central Station for a motherboard for remote management.

So this little tiny rogue microchip was able to inject its instructions in line with the BMC’s. That gave the microchip the ability to compromise the system, and even use the internet to connect back to the command and control center where the hack originated in the world.

Bloomberg said that some high profile businesses use Super Micro servers, including Amazon and Apple. Now, I’m not going to get into the specifics beyond that. Both Amazon and Apple, as of this recording, strongly deny that they’ve been affected by this hack. Instead, I just want you to have a good executive overview of what’s happened, and I want to complete this brief thought piece on giving you some practical suggestions on what you could do in case you’re worried you might be breached by this Super Micro hack.

The first thing you can do, and what I think is most important, is prioritize network traffic monitoring and alerting in your network. The bottom line is, these hacked microchips, or really any malware worth its salt, are going to phone home. Because after the malware compromises a system you wanna access data you shouldn’t have access to. And how are you going to see that data, unless the rogue process, that is the rogue hardware or software, phones home across the internet. So if you’re inspecting every Ethernet frame in your environment then you should be able to track or trap this unexpected, unwanted traffic. It’s a lot of work, but it’s not impossible.

Second, apply controls to ensure hardware chain of trust. Now one reason why this Super Micro chip hack is so scary is because you may think right now, “Well, wow, I have a lot of hardware in my data center, we might use a public cloud provider where we never see their hardware. What if those system boards include either this microchip hack, or something similar? How can we control the entire supply chain to ensure trust?” Well that can be difficult to do, but you can apply technologies like the trusted platform module, and UEFI’s Secure Boot, to digitally sign system firmware, such that any changes at the low level system board level will be flagged and raise boot errors. In fact, it would prevent the system from booting.

Now of course the complexity here with Super Micro is that, normally, TPM and the low-level device signing that happens occur at the OEM’s factory. So, if the factory itself is compromised these controls may be rendered irrelevant.

Finally, apply controls where you can to ensure software code integrity. For instance, in the Microsoft world we have Device Guard, which is an application whitelisting technology. The idea here is that any of your servers should only execute processes that are explicitly trusted. Every single bit that executes needs to be trusted, and there are controls that can give you that level of assurance in your executing code.

In summary, I submit to you that defense-in-depth security means it’s incumbent upon you, now more than ever, to examine your entire IT supply and trust chain. From the motherboard at the hardware level, all the way up through software; the operating system, the device drivers, into your user mode applications. Also, don’t be afraid to ask your partners, especially your OEM partners, your cloud providers, if they were affected by this Super Micro breach.

Again, my name is Tim Warner from Pluralsight. You can check out our training at Pluralsight.com, we have lots of infosec training. You can find me on Twitter where I post tech news: it’s @techtrainertim.
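As an added example, not from the article or its author: a small Python check that reads constructed flow records from an assumed BMC/management VLAN (10.10.0.0/24) and flags connections to hosts outside an assumed allowlist, marking those that repeat at a steady interval as likely beacons, the “phone home” traffic the transcript says monitoring should catch.

```python
"""Added example, not code from the Pluralsight article: flag "phone home" flows
leaving a BMC/management VLAN. Network ranges and records are constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Constructed flows (seconds, src, dst, dst port): the BMC 10.10.0.5 talks to the IPMI
# collector 10.20.1.10 and also calls 203.0.113.7 about every five minutes.
FLOWS = [
    (0, "10.10.0.5", "10.20.1.10", 623),
    (0, "10.10.0.5", "203.0.113.7", 443),
    (301, "10.10.0.5", "203.0.113.7", 443),
    (450, "10.10.0.5", "10.20.1.10", 623),
    (598, "10.10.0.5", "203.0.113.7", 443),
    (902, "10.10.0.5", "203.0.113.7", 443),
    (1199, "10.10.0.5", "203.0.113.7", 443),
    (77, "10.10.0.9", "198.51.100.2", 80),
    (2000, "10.10.0.9", "198.51.100.2", 80),
]

MGMT_NET = ipaddress.ip_network("10.10.0.0/24")          # assumed BMC/IPMI VLAN
ALLOWED_DST = [ipaddress.ip_network("10.10.0.0/24"),      # BMC-to-BMC traffic
               ipaddress.ip_network("10.20.0.0/16")]      # assumed management tools

def find_phone_home(flows, min_count=4, max_jitter=0.2):
    """Return one alert per (src, dst, port) seen leaving the management VLAN
    toward a host not on the allowlist; mark it periodic when at least
    min_count flows repeat at a near-constant interval (beaconing)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in MGMT_NET and not any(dst_ip in net for net in ALLOWED_DST):
            by_pair[(src, dst, port)].append(ts)
    alerts = []
    for (src, dst, port), times in sorted(by_pair.items()):
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        periodic = False
        if len(times) >= min_count and all(gaps):
            avg = mean(gaps)
            periodic = pstdev(gaps) / avg <= max_jitter   # low relative jitter
        alerts.append({"src": src, "dst": dst, "port": port,
                       "flows": len(times), "periodic": periodic,
                       "interval": round(mean(gaps)) if gaps else None})
    return alerts

if __name__ == "__main__":
    for alert in find_phone_home(FLOWS):
        print(alert)
```

Real deployments would feed this from NetFlow/IPFIX or firewall logs and tune the jitter threshold, since implants can randomize their beacon interval.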
