Security researcher in Supermicro hacking report casts doubt on story




A security researcher quoted in a recent Bloomberg report on the alleged compromise of Supermicro hardware for cyber-espionage has cast doubt on the validity of the story.

Last Thursday, Bloomberg reported that Supermicro server hardware, used in supply chains around the world, had been compromised by hardware implants designed to create backdoors in enterprise systems.

According to the publication, a total of 30 companies may have been affected, including Amazon, Apple and a major bank.

The news sent Supermicro's shares into free fall and was quickly followed by denials from the named companies.

AWS flatly denied the report, and Steve Schmidt, its chief information security officer, added that "there are so many inaccuracies in this article with regard to Amazon that they are difficult to count".

Apple said the company "has never found any malicious chips, hardware manipulations, or vulnerabilities intentionally introduced on a server."

Supermicro also denied the report's allegations, stating: "We are not aware of any investigation on this subject and no government agency has contacted us about it".


The companies were then joined by the US Department of Homeland Security (DHS) and the UK's National Cyber Security Centre (NCSC), part of GCHQ, both of which disputed the report's findings.

A named source has also questioned the validity of the report, which otherwise relies on 17 anonymous sources.

Joe FitzPatrick, founder of Hardware Security Resources LLC, is one of the few named sources cited in the story and was asked to contribute because of his hardware expertise.

However, in a podcast with Risky Business, the hardware security expert said that the hardware backdoor described in the article "did not make sense".

In the article, FitzPatrick is quoted on how such hardware implants operate: "The hardware opens all the doors that it wants".

The researcher stated that this quote was "accurate in some contexts", adding:

"The hardware is a stepping stone, you put hardware into a device to help you keep the software, the malware.

You do not put hardware in a device to perform the entire attack; you put it in to unlock the keys, elevate the privileges on the shell, open the network port, and then you take a software or network/remote approach to do the rest of the work."

Addressing the publication, FitzPatrick stated that he had been in touch with Bloomberg since last year but had not received any concrete details about the story until last month.


"What really struck me was that all the details, even the technically distant ones, seemed to have been lifted from the conversations I'd had on the theory of how hardware implants work and on how the devices I made to show at Black Hat two years ago worked," said the researcher.

FitzPatrick said that reading the report made him feel "uncomfortable", commenting:

"I'm only Joe, I do this solo work, I build hardware implants for the sake of showing them at conferences, I'm not a professional builder of hardware implants. […]

I have the impression of understanding what is possible, what is available and how to do it, just from my practice – but it was surprising to me that in a scenario in which I would describe these things and then [Bloomberg] would confirm these things, 100% of what I described was confirmed by their sources.

I have excellent vision, or something else is going on."


There are simpler ways to conduct such attacks on a supply chain, including various hardware, software and firmware approaches.

As an example, as FitzPatrick described in an email exchange with a Bloomberg reporter, targeting baseboard management controllers (BMCs) running outdated firmware could be "just as stealthy and could be much less expensive to design and implement."

The theoretical approach discussed with Bloomberg is not "scalable or logical," according to the hardware expert. When FitzPatrick asked about the feasibility and accuracy of an attack of such magnitude, the reporter confirmed in an emailed response that it sounded "crazy," but pointed out that "many sources" corroborated the findings.

"I could not understand in my mind that it was the approach that everyone could adopt," added the researcher.

FitzPatrick remains skeptical. Overall, he says the report's technical details are "mixed" – "not quite wrong, but they are theoretical".

"I have doubts about this one," added the researcher.

At the time of writing, the Supermicro stock price appears to have stabilised, having climbed 19% to $14.75 since yesterday's market close.
