Supermicro Servers Hacked?


CrashnBrn

Recommended Posts

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

 

It's a great article. Makes me want to get rid of my SM motherboard in my unraid server. It looks like from the photos it's their blade motherboards but who knows, it makes me lose trust in a company.

 

There are very strong denials from AWS and Apple about the article. It's a he said, she said situation. Of course they are going to deny it, but at the same time maybe the bloomberg sources are wrong?

 

What do you guys think about the article?

Edited by CrashnBrn
Link to comment
2 minutes ago, johnnie.black said:

Seams a little farfetched to me, just hope Supermicro can survive this in the long run, they're my favorite server board manufacturer, they certainly took a hit:

 

 

 

On the bright side, maybe there will be some good deals for used Supermicro boards soon...

I've though about this since I'd read the news and others comments. It can be farfetched but at the same time if there is any type of gag order on these companies then they have to deny it. It can also be that only certain people in the companies know excluding PR so the statements released will obviously say this is false. Or bloomberg got the news wrong. If there is any country that can pull off this type of espionage it would be China, so I definitely think it's possible.

 

Either way this is going to really hurt supermicro because if the sue and they prove that they are in the right I bet the news won't report it and the damage has already been done. I love/loved supermicro so I really hope the news is wrong.

Link to comment

I have often wondered about that. I have 6 of the e5-2670 and a boatload of RAM. Now wished I had purchased more at $70. Prices have rebounded significantly. I'm surprised Facebook and Google aren't also listed as being victims.

So THAT's why a good portion of those relatively new servers and e5-26xx chips showed up at TAMS and other ebay outfits and liquidators at firesale prices. I bet some of the raw chip surplus was caused by companies destroying motherboards or surrendering them for government research.
Link to comment

Bloomberg is usually a  trustworthy source. Their tech understanding is of course low, but they claim to have done a lot of investigation, and have a lot of supporting info given in the article. I can't see so many details created out of whole cloth  -- Bloomberg would leave themselves open to endless lawsuits otherwise.
OTOH, both Apple & Amazon have made  explicit statements denying the story, and they'll take a credibility hit if it turns out true.
Someone is lying.
If I had to bet, I'd guess the story is mostly true. It also sounds very likely that US authorities would hesitate about taking steps that would harm a large US company (that itself was presumably not complicit).
This story will definitely be continued...

Link to comment

After reading the level of work that must have gone into the Stuxnet attack, this type of attack sounds completely believable. China is well known to have a massive state operated hacking organization and is also well known for counterfeiting complex integrated circuits, so it isn't far fetched at all for them to be hardware hacking new products being produced there.

 

Another big question to be asked is how many compromised products don't we know about?

Link to comment
1 hour ago, CrashnBrn said:

Going forward when building your next server would you guys skip over SM? Or would you still use their boards? HP with iLO is looking mighty nice right now.

Where do you think HP boards are made? If the SM hack is true it can be in any other manufacturer, all boards are made in China.

 

39 minutes ago, cybrnook said:

All my boards right now are SM, and I have no plans to change atm.

Same.

Link to comment
2 minutes ago, johnnie.black said:

Where do you think HP boards are made? If the SM hack is true it can be in any other manufacturer, all boards are made in China.

 

Same.

Oh I know, most boards are made at/around the same place, but if I can lower the risk by using a less high volume supplier. I don't plan on dropping my SM board but I think I might think twice about buying one in the future (TBD future news). And I love SM, we only use SM JBOD's and blades at work.

Edited by CrashnBrn
Link to comment
3 hours ago, dukiethecorgi said:

Seems kind of far fetched to me.  It looks like they replaced a coupler that connects to the cache memory, but in that case each chip would only have access to a single bit, yet the article claims it contained a processor and network capability.  I really don't see how that would work

It's possible since they supposedly are going through the BMC. If they said it was another way I would doubt it, but BMC can do everything in the article.

Link to comment
1 hour ago, johnnie.black said:

Those are exactly my thoughts, if Supermicro is affected all other manufacturers can be, since it's all made in China, some using the same suppliers SM uses.

 

 

@johnnie.black

In their detailed breakdown, which is linked in the article I linked above, there is what I believe to be a good summary:

 

"Bottom line, if this Supermicro attack vector is to the BMC, then the Bloomberg story is no bigger than the Dell EMC PowerEdge iDRACula story or any others. Saying there is a vulnerability in a BMC is like saying the sun is hot."

 

and 

 

"First and foremost, I think we need to call for an immediate SEC investigation around anyone who has recently taken short positions or sold shares in Supermicro. With the accompanying Supermicro stock price hit that was foreseeable prior to the story, if anyone knew the story would be published, and acted on that non-public or classified information, the SEC needs to take action. There seems to have been over 20 people that knew about this."

 

"Further, with public companies making statements on the impact, unless there is a valid national security/ classified reason that they gave the responses they did, there is a mismatch. Apple and Amazon did not say “no comment” they called Bloomberg’s account false. The SEC needs to investigate here as well to see if these were publicly misleading statements."

Edited by cybrnook
Link to comment

Part of me wonders if this is political. First the government is just releasing a huge cloud computing bid. Second Google just announced they will not bid as it conflicts with their corporate values..(eyeroll). Third, a whole crapload of e5 2670 xeons hit the market at extremely depressed pricing about 2 yrs ago along with matching ecc memory but there were no motherboards. Perhaps the motherboards were compromised?

 

My take is that there is enough truth here to use this as a political weapon, and maybe affect the bidding process for government cloud computing. For some unknown reason, Supermicro is the sacrificial lamb here. And Amazon by being fingered as a victim will have a tougher time assuring everyone they should automatically win the bid.

 

 

 

 

Link to comment
10 hours ago, tr0910 said:

Part of me wonders if this is political. First the government is just releasing a huge cloud computing bid. Second Google just announced they will not bid as it conflicts with their corporate values..(eyeroll). Third, a whole crapload of e5 2670 xeons hit the market at extremely depressed pricing about 2 yrs ago along with matching ecc memory but there were no motherboards. Perhaps the motherboards were compromised?

My take is that this could be a bit of politically driven protectionist China bashing, with Supermicro being a (probably) innocent victim, although the suggestions about expected movements in stock prices also add an interesting dimenison.   This seems pretty well aligned with some of the current US administration's rhetoric against China. 

 

As for the motherboards - there were plenty of motherboards from some vendors when the E5-2670 Xeons hit the market., but I am not sure that the availability of those devices is connected - they were already far from new at that time.  And there were (still are) threads on this forum with people buying up motherboards and CPUs to build some pretty decent servers. 

 

What I struggle with is the lack of credible detailed evidence.  To me, it's all hearsay.  I'd want to see some pictures - a good and bad motherboard for example; a high magnification image or two of the alleged offending devices; and so on.   

Edited by S80_UK
Link to comment
12 hours ago, S80_UK said:

I'd want to see some pictures - a good and bad motherboard for example; a high magnification image or two of the alleged offending devices; and so on.   

That's what I am waiting on too. Model motherboards, serial number ranges, want to see it in action, what's it's signature on a network, what to look for, etc...

Edited by cybrnook
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.