The recent slew of Bloomberg reports alleging that Chinese hackers somehow managed to inject hardware trojans into SuperMicro motherboards bound for western companies has been met with a lot of criticism. The likes of Apple, Facebook and Amazon have rubbished the reports, as have several security experts who’ve examined the report.
While Bloomberg is still sticking to its story, yet another report, this time by ArsTechnica, points out that implanting hardware-based trojans is an unnecessarily complicated way of hacking a server. According to the report, it’d be far easier to simply hack into the boards via software, especially when you consider the number of security vulnerabilities already plaguing the designs.
The problem with Bloomberg’s allegations is that the act of inserting a rogue chip on, say, a motherboard, and then ensuring that the infected motherboard gets to the right place at the right time is next to impossible. Bloomberg has also admitted as much in its own reports. The boards could have easily ended up in another country altogether and such a broad, unstructured attack would have been discovered sooner.
Security experts have also pointed out that designing such a chip presents a tremendous engineering challenge. As ArsTechnica notes, “the attacks involved designing at least two custom implants (one that was no bigger than a grain of rice), modifying the motherboards to work with the custom implants, and ensuring the modified boards would work even when administrators installed new firmware on the boards.”
Experts ArsTechnica spoke with suggested that a much easier way of compromising these motherboards would simply be via software. The boards have several known vulnerabilities that are still unpatched, and the designs are inherently flawed.
Hackers would need some way to install custom firmware on the boards. The NSA has already been doing this for years, and the Stuxnet worm that played havoc with Iran’s nuclear program is another example of this. In the case of the NSA attacks, the agency simply intercepted and redirected Cisco hardware that was heading to certain targeted customers, modified the firmware, and then shipped the hardware on to the original customers.
Despite all the vehement denials and criticism of Bloomberg’s report, investigators have not yet found a way to completely prove or disprove the allegations. The attacks, as described by Bloomberg, are certainly plausible.