Hardware hacking our motherboards… now a thing?

Pull the ‘internet’ plug?

Back and forth the pendulum swings on whether to have VAPN attached to the Internet… or not!!!!! Today’s news from Bloomberg swings hard towards disconnection…

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

This is a must read for anyone with the slightest interest in Internet security. It seems hardware infiltration into asian built computer motherboards is now allegedly “a thing.”

Supermicro?

It seems the primary avenue of this infiltration allegedly comes from Supermicro products sourced from China. Readers of this site know all too well VAPN uses a Supermicro server running the prototype packet system. The primary target for this hardware hack appears to be heavy hitting high-rel components destined to the server farms of our larger tech companies. Does this mean VAPN’s otherwise ultra reliable 1U machine is compromised? The fact we even have to ask the question is tremendously eye opening.

Frightening quotes

The following highlights from Bloomberg’s article reveal the true cost of low cost…

The problem under discussion wasn’t just technological. It spoke to decisions made decades ago to send advanced production work to Southeast Asia. In the intervening years, low-cost Chinese manufacturing had come to underpin the business models of many of America’s largest technology companies.

Despite klaxons ringing away, it seems faith (and penny pinching) rules the roost…

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials.

Everyone hold your nose…

“You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

The cost of value

Hey I admit to being a typical US consumer. Haven’t we all enjoyed a tremendous bounty of value from low cost gadgets from asian sources? A big HDTV costs a few hundred bucks. Some 2m/440 HTs are available for $30 a pop. Modern smartphones pack a punch for their cost. So yes I am as addicted as anyone to pretty good “stuff” for a mighty good price.

Targeted allegations?

In a world where allegations are enough to render a guilty verdict in the eye of public opinion even for the legally innocent, one has to wonder if this may well be an orchestrated effort to knock the otherwise tremendously successful Supermicro off the world stage. Time will tell. In the meantime no one can assume anything is secure anymore.

Supermicro’s stock got slammed after the allegations surfaced. Click the graph for live stock graph from TradingView.com.

Tumultuous times at Super Micro, Inc. (SMCI)
Tumultuous times at Super Micro, Inc. (SMCI)

I never underestimate what efforts some will go to for profit and artificially depressing a stock’s value isn’t new. Bear Raid anyone? Plus isn’t it something when a web site detailing an amateur radio packet system finds a valid reason to show a stock valuation graph? In my opinion SMCI is on sale.

Counter arguments

The big tech companies, China and government interests are firing back in a big way…

Continuing headlines

Bloomberg stands by their original story with this later update…

FBI urges caution

FBI director on whether Apple and Amazon servers had Chinese spy chips

Blowback from a key Bloomberg source

Yossi Appleboum, a key source of information to Bloomberg’s articles, suggests Bloomberg misread quote. Details here…

Conclusion

What a mess. This is turning into a big kerfuffle day by day as various sides dig their heels into their version truth.

We will research if VAPN gear has this problem. Short of that, it makes sense to put it behind several layers of IP filtering since the actual machine cannot be trusted until vetted. Or we can simply remove the Ethernet connector and call it a day. Being an amateur radio system, it’s still a perfectly viable means of digital communication with or without the Internet… that’s the ultimate point of all this effort anyway right?

This whole kerfuffle doesn’t quite pass the smell test for assorted technical and financial reasons. Only time will tell if Bloomberg wins a Pulitzer or gets tossed on the ash bin of fake news.

One can only wonder what’s next… or to put it another way, what’s left to hack… the 10/100/1000 Base-T connector? Hmmm what’s in this Samsung G7 on my belt or my wife’s I-phone?

Bloomberg: The Big Hack
What’s in your wallet server?