https://www.servethehome.com/investigating-implausible-bloomberg-supermicro-stories/
By Patrick Kennedy
ServeTheHome
October 22, 2018
Today we are going to more thoroughly address the Bloomberg Businessweek
article alleging that China targeted 30 companies by inserting chips in
the manufacturing process of Supermicro servers. Despite denials from
named companies and the technology press casting some reasonable doubt on
the story, Bloomberg doubled down and posted a follow-up article claiming
a different hack took place. In this piece, we are going to present a
critical view of Bloomberg’s claims, as supported by anonymous sources, in
order to allow our readers to decide for themselves the credibility of
Bloomberg’s reporting in this case.
Technical Lightness or Inaccuracy
This is a long article. In the first section, we are going to discuss why
there are some fairly astounding plausibility and feasibility gaps in
Bloomberg’s description of how the hacks worked. The weakness in this
section of the Bloomberg article makes it extremely difficult to navigate
and it is light on details. We are going to evaluate some of the parts in
isolation, and also discuss some of the logical outcomes. In our first
investigative piece, "Bloomberg Reports China Infiltrated the Supermicro
Supply Chain We Investigate," we went into some detail about why a
motherboard and hardware for a motherboard is a very difficult way to hack
a BMC. If you have not read our "Explaining the Baseboard Management
Controller or BMC in Servers," that should be a precursor to reading the
next section. STH has a relatively technically minded audience, so we are
going to assume our audience has at least the knowledge imparted in that
article.
The Lynchpin of How Bloomberg’s Device Activates is Not Plausible
We are going to focus on a few key parts of one of the opening paragraphs
from the story where functionality is described.
[...]