Industry Reactions to Chinese Spy Chips: Feedback Friday
7.10.2018 securityweek
BigBrothers

Bloomberg reported this week that the Chinese government planted tiny chips in Super Micro servers to spy on Amazon, Apple and tens of other important organizations in the United States.

The spy chips allegedly made it into devices made by California-based Super Micro after Chinese agents masquerading as government or Super Micro employees pressured or bribed managers at the Chinese factories where the motherboards are built.

Once the chips were planted, they would reportedly allow attackers to remotely access the compromised devices. According to Bloomberg, the operation was conducted by the Chinese military and it targeted over 30 organizations, including government agencies and tech giants. Amazon, Apple and Super Micro have all denied the allegations.

Experts comment on reports that China used tiny chips to spy on US tech giants

Industry professionals contacted by SecurityWeek have commented on various aspects of the story, including the technical details, political impact, and how organizations can defend themselves against such attacks.

And the feedback begins...

Ian Pratt, co-founder and president, Bromium:

"From the publicly available information it sounds like the implant was intended to compromise the Baseboard Management Controller (BMC) that is present on most server hardware to allow remote management over a network. The BMC has a lot of control over the system. It can provide remote keyboard/video/mouse access to the system over the network. It also typically has access to lots of information about the host, such as its name, domain, IP addresses etc, and can query other information from the host via SNMP. The BMC can also be used to upgrade or modify the firmware used by the main CPU and Management Engine (ME), providing a great scope for stealthy malfeasance.

Based on the photographs, the device appears to be an SPI bus interposer, which would be inserted into the SPI bus between the BMC and the flash memory chip it boots from. A serial interface like SPI is very convenient for this purpose as it requires few pins (6), and hence a small and unobtrusive chip can be used. The implant likely contains a small firmware image that is served up to the BMC when it boots, in preference to the real firmware. Once that special image is running on the BMC, it likely puts the implant into pass-through mode and then loads the real firmware, but the special implanted code will stay resident within the BMC, controlling its actions.

It is likely that the implant would have had very limited functionality built directly into it. It would rely on communicating over the internet to a command and control server where it would report information about the machine it was resident on (such as the domain and network), and then receive instructions. I would expect/guess that out of the box it could have enabled the remote video/keyboard to the attacker, and would have been able to download additional code modules that it could store in BMC flash and use for other kinds of exploitation.

This communication with the C&C server is vulnerable to observation, and is quite likely how the implant was discovered -- rather more probable than someone spotting the tiny extra chip.”

Jack Jones, Co-Founder and Chief Risk Scientist, RiskLens:

“We all know that the Chinese have been persistent in their campaigns to steal intellectual property and government intelligence through digital infiltration. We’ve also always known that hardware backdoors are a potential vector for this activity. In fact, many information security professionals have been warning of this for years. Why then, have companies and government agencies continued to purchase vast amounts and varieties of technologies from China?

If we put ourselves in the shoes of a business executive or agency head the answer is fairly obvious — cost savings. They have limited resources with which to achieve their objectives. Yes, their security team may have whispered (or shouted) in their ear of the dangers, but our profession has long suffered from a Chicken Little image. After a while, the myriad “high risks” all start to become an abstract blur in an executive’s mind — as opposed to the clarity of, for example, a 10% lower price with a Chinese product. What decision-makers haven’t had is a way to appropriately weigh these cost saving decisions against the risk implications.

Obviously, while the jury is still out (in some people’s minds) about the veracity and effect of this latest Chinese incursion, it should still serve as a wake-up call. We have to do a much better job of defining, evaluating and communicating loss event scenario probabilities and impacts so that decision-makers can make better-informed decisions. It shouldn’t take a digital "bullet to the knee" before exposures like this are taken seriously.”

Brian Vecci, Technical Evangelist, Varonis:

“This attack is about as surprising as catching Cookie Monster with his hand in the cookie jar. Compromising digital assets has become industrialized with advanced threats’ careful planning and organization. These threat actors are playing a long game with pre-attacks like these that position themselves for devastating attacks down the road– they are testing their abilities and an organization’s vulnerabilities to see how far they can go. What is surprising is that it has only taken decade or two for the digital world to become so inter-dependent – not just with hardware but with software -- today many systems have so much code in common that any upstream compromise is a widespread threat.
Yes, executives at top companies should be concerned, but they should have been concerned yesterday. CISO’s should operate under the assumption that they have live vulnerabilities on their network at all times because chances are they either have their own Edward Snowden on their hands or are exposed to external adversaries ranging from a basement script kiddie to a nation state-sponsored APT. Monitoring, both deeply and broadly, and useful security analytics that combine different data sources are the only way these kinds of threats will ever be detected or controlled. Companies have to start understanding that they can't sit around and patch their way to a secure network. On a positive note, now that this vulnerability has been detected, it’s going to get harder to fly under the radar because companies will know what to look for.”

Sanjay Beri, CEO, Netskope:

“Chinese cyber infiltration is nothing new, as proven by ongoing recent attacks from elite Chinese institutions diligently working to gain access to assets from the west. Today’s news proves that it’s clear we have exited the honeymoon period created by the deal President Obama struck with President Xi Jinping in back in 2015, where the two pledged that each of their governments would refrain from targeted cyber attacks toward another for commercial gain.

As economic tensions continue to escalate between nation states and the US, organizations -- especially those operating in high-risk sectors such as energy, manufacturing, government, etc. -- need to remain watchful and on high-alert in order to ensure their sensitive data is protected and inaccessible to foreign entities. Given the nature of this attack was at the hardware level, there are bound to be even more complex ramifications of those affected, as these types of breaches are far less simple to rectify than those at the software level.”

Itzik Kotler, CTO and Co-Founder, SafeBreach:

“Like many recent attacks, this is low-level, stealthy, and widespread. The combination of these three makes it especially frightening at first, and it certainly is rare to see such an attack in the wild.

However, no attack is ever a "one and done" operation. Even a compromised server isn't, by itself, a success for an attacker. Stolen data always needs to be retrieved. Or that server needs to be used to download, install, or run further attacks. It's for these reasons that enterprises employ layered defense, or "defense in depth" strategies that try to stop attacks at various points throughout their environment.

We must assume that no security, at any point, is 100% effective - and this attack is just another example. However, with the right layered defense, validated to ensure it's working as intended, even something like a hardware attack doesn't end up becoming a single point of failure.”

Dave Weinstein, VP Threat Research, Claroty:

“While the denials from Apple and Amazon have been relatively unprecedented in their strength and specificity, the reality is that the supply chain – for everything from consumer products, to technology, to heavy machinery – has been a perpetual source of concern for many years as a morass of potential exposure, and one that renders most security tools obsolete.

Regardless of where the claims of the story shake out, there are two immutable facts. First, we have a preponderance of evidence that supply chain compromise is not only possible at multiple levels, it’s happening. Second, China has proven its willingness pursue advantage by any means necessary, and as the world's de-facto factory of IT components, this is the “high ground” advantage that they are willing to exploit. Likely even more willing given recent developments in trade policy between the U.S. and China.”

Rick Moy, Chief Marketing Officer at Acalvio:

"While there’s a lot of denial about the attacks, it’s completely plausible that China did in fact seed certain hardware with these backdoor chips. One can imagine the liabilities that firms would rather not take on by admitting this kind of a breach. However, it is entirely within the capabilities and mission scope of nation state intel armies to infiltrate supply chains in this way. Although, the ramifications are more serious than embedding malicious software because they could bring wholesale sanctions against the vendors in question, which is what we have been seeing on an informal basis for a while now."

Joseph Carson, chief security scientist at Thycotic:

“We are one step away from a major cyber conflict or retaliation that could result in serious implications. This could be one of the biggest hacks in history. What is clear is that it is a government behind this cyber espionage and I believe it is compromised employees with privileged access that are acting as malicious insiders selecting specific targets so the supply chain has been victim of being compromised. The motive will not be clear until exact details of the hardware chip is reversed to know what it is capable of and who are the victims since no one is owning up from any of the Super Micro’s customers.

It is too early to tell until more evidence is made transparent and any victims own up to this. What is clear is that Super Micro must conduct an Incident Response to determine the actual evidence behind these allegations so that transparency and a motive is revealed and that the nation state behind such compromise can be held responsible.”

Malcolm Harkins, Chief Security and Trust Officer, Cylance:

“Unfortunately the only surprising element about this attack is that it’s taken so long to be uncovered in a report. Supply chain compromise has been a concern for a long time, and there are multiple nation states with endless motivations who make attacks of this scale a certainty rather than a probability.

Adversaries have a wealth of choices of how to execute. From leaving extra bits in software to compromising a validation engineer, the options are endless if the threat actor has the time, money, and capacity. Organizations must combat this by remaining vigilant about where the hardware and software has been. Some software such as the BIOS and firmware is often written by external sources and not the hardware manufacturer. If you have a distrust for the location that it is being created, or uncertain about the security validation performed then you need to implement additional validation or in some case different validation. Evident by Meltdown/Spectre, the hardware industry including the semiconductor industry has historically validated technology by testing for the functionality they want to see exist rather than exploring potentially dangerous alternatives that can create harm. Simply put, companies are essentially testing a light switch to see if it turns on and off when it goes up and down, but they’re ignoring the implications of switching it left and right.

Historically speaking, this level of testing has not been done because nobody has demanded it. Extra validation costs extra dollars and slows down time to market. Similar to age old Ford Pinto case, organizations are looking at business risks to themselves rather than the risk to the computing ecosystem and therefore society. Until this way of thinking changes, we will continue to see the potential for nation-state exploits such as this one.”

Tim Bandos, Vice President, Cybersecurity, Digital Guardian:

“The fact that China manufactures many of the components that go into servers, it would be relatively simple to install and disguise a hidden chip enabling backdoor communications and control with those endpoints. Also, given where these chips reside – lower in the stack – most technologies such as EDR and AV have a visibility gap and wouldn't be able to identify anything being tampered with at the hardware-level. This (once again) demonstrates that determined adversaries have capabilities exceeding that of defenders; hopefully, this will inspire the development of methods and techniques to detect when hardware tampering has taken place. Until then, diversifying supply chain vendors and staying vigilant on outbound and inbound network traffic is highly advised.”

Neelima Rustagi, Senior Director, Product Management, Demisto:

"Although the veracity of the accusations has yet to be confirmed, it highlights a couple of worrying security trends. Firstly, no abstraction layer is safe from attack. While intrusions on the application, OS, and software layer are more visible and get talked about more, attacks that exploit hardware such as the recent Foreshadow attack can be tougher to spot for security tools. Secondly, organizations need to think of ‘supply chain security’ in addition to product/network security. Since product manufacture today straddles across nations and industries – each with their own regulations, mores, and political climates – organizations should be cognizant of processes, vendor relationships, and regulatory requirements for each step of the product lifecycle."