The Chinese spy chips would be a "god mode" hack, say the experts

Chinese agents have reportedly compromised the technology supply chain of major US companies, including Apple and Amazon, by installing a microchip on servers manufactured abroad, according to a Bloomberg report published today. The story claims that the chip, which was assembled for a company called Supermicro by a separate company called Super Micro Computer, would allow attackers to secretly modify these servers, bypass software security checks and give the Chinese government a complete backdoor into these companies' networks.

The companies concerned vigorously dispute the report, saying they have never discovered any malicious hardware or reported similar problems to the FBI. Even taking the Bloomberg report at its word, there are important unanswered questions about how widely the chip was distributed and how the backdoor access was used.

But the mere idea of a malicious chip implant has already sent shockwaves through the security world, which has traditionally focused on software attacks. Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, described the attack as alarming. "My first reaction was: 'HOLY FUCKING SHIT' [sic]," Weaver told The Verge. "It's a 'god mode' exploit in the system management subsystem."

Security experts have warned for years that the hardware supply chain is under threat, especially as China has a monopoly on manufacturing and processing parts. So far, however, we have not seen a widespread attack on US companies of the kind Bloomberg claims to have found. There is no real way to prevent such a hardware attack, sources tell The Verge, unless the information technology industry is willing to radically rethink how it sources its components and brings its products to market.

Katie Moussouris, founder and CEO of Luta Security, explains that an attacker could use this type of malicious implant to bypass all software protections, a catastrophic scenario for defenders. "If you manage to put something in the hardware, it's not only hard to detect, but something that can bypass the most sophisticated software security measures," Moussouris told The Verge.

The upshot is that a brand new kind of defense is needed, replacing code audits and bug fixes with physical checks for hardware-level tampering. Jake Williams, founder of Rendition Infosec, says it would be an entirely new approach for security teams. "We have a bigger fundamental problem," said Williams, "which is that this hardware is hard to detect and we do not have the tools to do it."

In a sense, these attacks borrow the techniques of jailbreaking, breaking the chain of trust between hardware and software instead of attacking the software itself. George Hotz, the legendary jailbreaker turned independent contractor, was skeptical of the Bloomberg story, but said that a successful supply chain attack would still be almost impossible to mitigate with conventional security tools. "If you can't trust your hardware, you can't trust anything that it checks," says Hotz. "Basically, there is no way to verify this in software."

It's hard to say how companies like Apple and Amazon could adapt to these new risks. Spotting strange behavior at the hardware level would be like trying to detect a heart murmur. There may be small irregularities from time to time, but none will immediately trigger an alarm. And researchers looking for bugs might not be of much help either. Even if they could get these parts from Supermicro, for example, they would need enough money and spare units to run tests. Once a physical part has been implanted or damaged, there is no starting over from scratch, which complicates running a conventional bug bounty.

Instead, Moussouris said supply chain risk is a reality we must accept. Companies have already made their trade-off: in exchange for cheap parts, they take on the risk of the supply chain.

"We chose to outsource the manufacturing of many components so that we could market them and make them a viable product," she says. "Making sure we understand that we have made these compromises is the part that could take people by surprise."
