Posts

Pandora’s Box Opened: Netanyahu’s Double-Tap Fuck-You

[NB: Note the byline. Portions of this post may be speculative. / ~Rayne]

I wrote a while back about Israel, discussing Israel’s repeated intelligence “failures” as not mere fuck-ups but fuck-yous.

This week’s attacks by exploding electronic devices intended for Hezbollah — attributed to Israel without any denial so far — are yet more fuck-yous delivered using an indiscriminate approach and a double tap.

These fuck-yous blew open Pandora’s box — and then some.

~ ~ ~

On Tuesday nearly 3000 pagers blew up in Lebanon. These one-way pagers are believed to have been distributed to Hezbollah members as a means to bypass Israel’s surveillance of cell phone communications. More than 30 people were killed including children.

On Wednesday during funeral services for persons who died the previous day, walkie-talkies or handheld radios were detonated in Lebanon. 12 more people died and approximately 3000 were injured.

The exploding walkie-talkie attack was the double tap: when persons who escaped a targeted attack gather during a response afterward, a second attack is launched retargeting those same persons. We’ve seen this technique employed by Russia in Ukraine, using secondary attacks to take out first responders aiding the injured and dying in a first attack, or at funeral services for the dead.

It’s a questionable practice; former President Obama had been criticized for its use with drone attacks as double taps may violate the Geneva Conventions and U.S. War Crimes Act of 1996.

But both Tuesday and Wednesday’s attacks may have violated the U.N. Convention on Certain Conventional Weapons regardless of the double tap on Wednesday, as the armed devices constituted booby traps which are prohibited.

These attacks are yet more proof that Israel under Benjamin Netanyahu’s leadership has gone rogue having repeatedly refused to comply with multiple treaties including the Geneva Conventions.

~ ~ ~

This time, though, Israel doesn’t have the excuse that IDF may have made a mistake.

These attacks were premeditated, planned out and executed over months if not years. Front companies were used to obtain components and distribute assembled devices; in the case of the pagers, it’s believed a Hungarian registered firm BAC Consulting may have been a key intermediary between a Taiwanese manufacturer and the ultimate distribution of the devices.

Nonprofit OSINT investigator Bellingcat followed evidence between the pagers and Taiwan electronics firm Gold Apollo, noting that BAC Consulting listed as an employee a “ghost”; this person can’t be traced to any real  human, suggesting strongly BAC is an intelligence front.

The operation’s timeline needs to be fleshed out more fully; it’s not clear whether some actions believed to be related to the operation behind this week’s attacks are intended solely for plausible deniability.

02-MAY-2020 — BAC Consulting appears in Hungarian business records but appears now to have been shuttered the same year.

21-MAY-2022 — BAC Consulting registered as a new company in Hungary, according to Hungarian Justice Ministry records. It was listed as a retailer of telecommunications products, management consulting, jewelry making, and fruit cultivator — a rather odd assortment of goods and services.

The business was not engaged in manufacturing according to a spokesperson for Hungary’s prime minister; they also said “the referenced devices have never been in Hungary,” suggesting BAC acted as a broker or trade intermediary.

XXX-2022 to AUG 2024 — Taiwanese electronics manufacturer Gold Apollo exported exported approximately 260,000 pagers over a two-year timeframe. The majority shipped to the EU and US with no records of pagers shipped to Lebanon during that same timeframe. The company received no reports of Gold Apollo pagers exploding.

SUMMER 2022 — Modified pagers containing PETN-adulterated batteries for which BAC was an intermediary began shipping into Lebanon.

APR-MAY 2024 — A Lebanese security source said the pagers had been imported to Lebanon five months ago.

The pagers may have been imported into Lebanon months ago, but they must have been planned out well before that given the prevailing description of the handheld improvised exploding devices (IEDs).

Acceptance of the pagers must have been worked out far earlier — which brand would the users be willing to use, how would they be distributed without raising questions, what could go wrong tipping off the plot between the time the first pagers were fitted up with explosive PETN and detonators, where could the IEDs be assembled without intelligence leaks, so on.

Which brings us to leaks by a pro-Palestinian hacktivist group Handala whose attacks on websites were first noted by computer security expert Kevin Beaumont back in May this year.

After the pager IED explosions on Tuesday, Handala published information about the pagers’ production claiming they had exfiltrated data from Israeli sources Vidisco and Israeli Industrial Batteries Ltd. (IIB).

Vidisco is an Israeli-based developer and manufacturer of X-ray inspection systems; IIB is a manufacturer of batteries which is 51% owned by Sunlight Group as of February 2023. Both appear to be contractors to Israel’s military. Breachsense indicates both firms were hacked and credentials of employees at both firms were leaked though no customer credentials have been.

Handala’s brief about the data it hacked published Wednesday explained the operation:

The operation of the last two days was a series of joint actions of the Mossad and Unit 8200 and a number of shell companies of the Zionist regime! Handala’s hackers, during extensive hacking in recent hours, were able to obtain very secret and confidential information from the operations of the past days, and all the documents will be published in the coming hours!

The summary of the operation is as follows:

* This supply chain attack has taken place by contaminating the batteries of Pagers devices with a special type of heat-sensitive explosive material in the country of origin of the producer!

* Batteries have been contaminated with these explosives by IIB (Israeli Industrial Batteries) company in Nahariya!

* Mossad was responsible for transporting contaminated batteries to the country of origin of the producer!

* Due to the sensitivity of explosives detection devices to these batteries and the need to move them in several countries, Mossad, in cooperation with vidisco shell company, has moved the mentioned shipments!

*Vidisco company is an affiliated company of 8200 unit and today more than 84% of airports and seaports in the world use X-rays produced by this company in their security unit, which actually has a dedicated backdoor of 8200 unit and the Zionist regime it can exclude any shipment it considers in the countries using these devices and prevent the detection of sabotage! ( The complete source code of this project will be published in the next few hours! )

* Contaminated shipments have reached Lebanon through the use of Vidisco backdoor and after traveling through several countries!

* All the factors involved in this operation have been identified by Handala and soon all the data will be published!

* Handala has succeeded in hacking Vidisco and IIB and their 14TB data will be leaked!

More details will be published in the coming hours

(Unit 8200: Israeli Intelligence Corps group)

Beaumont published a short write-up about Handala’s information dump to date, noting the likelihood that Handala is connected to Iran through IP addresses, their talking points, and the targets of their efforts.

Beaumont also asks:

Are the claims credible?

Handala has not yet provided proof of data exfiltration of these organisations. On reaching out, one company above said they are suffering from “IT issues”.

In prior claims by Handala, they have been credible around victim names.

If the battery claims are credible; it is not possible to assess as no evidence has been provided to date.

I’ll note that Handala’s English is very good, though in the age of ChatGPT it may be generated for clarity to English-speaking audiences.

There was no mention of specifics related to handheld radios by Handala in these early releases and if they were likewise products produced by the same after-market suppliers, specialized modifiers, and distribution network.

Reports indicate some of the radios were made by Japanese manufacturer ICOM though ICOM said the model IC-V82 identified was discontinued a decade ago. As damage to recovered radios displayed blast damage in the battery area, it’s possible the radios were retrofitted with explosives or replacement batteries were manufactured with explosives. Because radios and their batteries are larger than pagers, this would explain the larger blasts associated with the radios.

~ ~ ~

Do read the essay by American researcher and hacker Andrew “bunnie” Huang at the link embedded at the phrase “Pandora’s box” above. Huang is deeply concerned about these attacks relying on handheld electronics:

Not all things that could exist should exist, and some ideas are better left unimplemented. Technology alone has no ethics: the difference between a patch and an exploit is the method in which a technology is disclosed. Exploding batteries have probably been conceived of and tested by spy agencies around the world, but never deployed en masse because while it may achieve a tactical win, it is too easy for weaker adversaries to copy the idea and justify its re-deployment in an asymmetric and devastating retaliation.

I fear that if we do not universally and swiftly condemn the practice of turning everyday gadgets into bombs, we risk legitimizing a military technology that can literally bring the front line of every conflict into your pocket, purse or home.

I share this concern,  one I’ve had for over a decade beginning with reports in 2009-2010 of Chinese-made counterfeit electronics ending up in the U.S. military’s supply chain, compounded by reports in 2018 of unauthorized chips added to server motherboards.

Oversight and investigation into these problems were thwarted by geopolitical, intelligence, and corporate interests.

Huang included a nifty visual representation of an electronics supply chain with his essay:

Every point along the supply chain can be breached, whether the items are new or used or refurbished. Huang’s 2019 presentation at BlueHat in Israel on supply chain security looks in detail at the likely points in chip and board production for unauthorized modifications; he doesn’t look far outside manufacturing, though.

What terrifies me is that Israel’s operation revealed far more than supply chains are now threatened. They’ve shown every hostile entity in the world how to wreak massive chaos in ways we haven’t fully imagined.

~ ~ ~

The IEDs have and will continue to attract attention. This week’s double tap attacks made it clear that the proliferation of small electronic devices on which we rely so heavily are the means to destroy both individuals and groups of people.

The information leaked by Handala makes it easy for hostile entities to attempt the same for their own aims.

The attacks have already spurred renewed discussion about onshoring more of our supply chain.

But what concerns me the most is what we’ve learned about the application of X-ray devices in our supply chain and elsewhere.

If Handala could obtain information about this operation — assuming everything revealed so far is truthful and in no way distorted — what other entities may have preceded Handala in breaching Vidisco’s data? How much lead time do they already have toward something similar to this week’s double tap attacks?

If the public and leaked information about Vidisco is accurate, just how badly are U.S. scanning systems compromised? Have we already been allowing Israel  (or other opportunists using Israel’s methods and means) to distribute IEDs inside the U.S.? Have our U.S. tax dollars doled out as aid to Israel paid for both the violation of Geneva Conventions, the War Crimes Act, the Convention on Certain Conventional Weapons, and now the wholesale compromise of our own national security?

If hostile entities have obtained this same information about Vidisco’s X-ray systems, how badly have our import scanning capabilities been compromised?

If the public and leaked information about Vidisco is accurate and 84% of the world’s airports use its scanning equipment, how badly are our screening systems at U.S. airports compromised?

Imagine for a moment phones and radios on planes containing PETN-adulterated batteries triggered with a single call.

Imagine laptops and tablets triggered with a single remote prompt over onboard WiFi or wireless networks.

~ ~ ~

In June 2017 amid the WannaCry and modified Petya attacks, the Department of Homeland Security and the Travel Safety Administration rolled out heightened security measures including increased scanning of electronic devices.

By the end of July 2017, handling of smaller electronics changed:

… The TSA will now require “all electronics larger than a cell phone” to be removed from carry-on bags and placed in their own separate bin for X-ray screening with nothing on top or below, similar to how laptops have been screened for years. …

At the time the measures appeared to be related to potential threats related to cyber attacks.

Now one might wonder if the changes were intended to increase the use of X-ray screening related specifically to explosives and not just cyber attacks.

We aren’t likely to receive any answers to inquiries about the triggers for these changes.

What we should understand now, though, is that much of this could be performative. The X-ray scanning systems, if tampered with the way they were to admit pagers and radio IEDs into Lebanon, could be absolutely useless for detecting rigged devices.

~ ~ ~

It’s clear we are going to have to rethink our entire screening system at all ports after Netanyahu’s latest fuck-you.

He surely must have known he was opening Pandora’s box when he authorized the detonation of pagers and handheld radios.

I must admit the first thought I had after the initial shock upon hearing about the attacks was this: if Netanyahu had this capability to take out a group of targets this neatly, why didn’t he try this approach with Hamas?

If Netanyahu felt he could expend political capital on violations of international law, why instead is he systematically overseeing the destruction of Gaza’s hospitals, schools, humanitarian aid systems, women and children instead of having neatly excised Hamas in Gaza using these handheld IEDs?

Why? Because fuck you is a likely answer.

Three Things: Boeing Boing

[NB: The byline – check it. /~Rayne]

That U.S. flights of Boeing’s model 737 Max aircraft were suspended is a good thing, I think we can agree though perhaps not all for the same reasons. I’ve had suspicions about Boeing for some time now and not because of the company’s products or its management. Three things have bothered me and the deadly crash on March 10 has only added to previous concerns.

~ 3 ~

I’ve noted before that Boeing has been a possible target for stock manipulation; in fact I wrote about my suspicions a year ago:

You can imagine my surprise on December 6, 2016, when then-president-elect tweeted about Boeing’s contract for the next Air Force One, complaining it was too expensive. Was it Boeing the spies were discussing? But the company didn’t fit what I could see in the indictment, though Boeing’s business is exposed to Russia, in terms of competition and in terms of components (titanium, in particular).

It didn’t help that Trump tweeted before the stock market opened and Boeing’s stock plummeted after the opening bell. There was plenty of time for dark pool operators to go in and take positions between Trump’s tweet and the market’s open. What an incredible bonanza for those who might be on their toes — or who knew in advance this was going to happen. …

And while Boeing 737 Max equipment safety was under public debate after Sunday March 10th crash, Trump tweeted this Luddite position on contemporary aircraft complexity on March 12:

How interesting that he avoided naming Boeing specifically, but at the same time he managed to post the first of these two tweets at exactly 10:00 a.m.; the second tweet didn’t publish for another 12 minutes, leaving those following his tweets closely to assume he was going to discuss Boeing specifically during the interim.

I can’t help think Trump has an ulterior motive with regard to Boeing considering how often he has stepped into their business one way or another since December 6, 2016.

It’d be nice to know who’s been shorting NYSE:BA before his tweets and in which stock exchanges.


[Graphic: NYSE:BA moving average and trading volume from midday Monday 11-MAR-2019 to midday Tuesday 12-MAR-2019 via Barron’s.]

~ 2 ~

Trump’s personal demands have also affected Boeing directly with regard to system updates. The government shutdown delayed for five weeks work by the Federal Aviation Administration toward certification of a software “fix” for the 737 Max flight control system.

In other words, eight more American citzens traveling on the doomed flight this past weekend may have paid the ultimate price for Trump’s gross incompetence and corruption, not to mention the other truly marvelous human beings lost to the world when that flight met the earth two weeks ago.

Boeing’s business model needs to be revisited, though, if the flight control system “fix” wasn’t treated with adequate urgency based on feedback from Boeing to the FAA. There’s a fundamental question of a product’s safety for its intended purpose if it must have a software update to fly safely but that update is an additional feature outside the product’s purchase agreement and must bought before it can be added. Smells like product liability with a whiff of extortion.

Would we tolerate this business model in other situations where so much is at stake? Imagine your computer’s operating system needs a patch before you can use it — and you must pay for the patch, it’s not included in the licensing agreement for the operating system. Oh, and the computer runs your insulin pump or your pacemaker wihout which you are likely to die.

~ 1 ~

The FAA as well as Boeing need to be reevaluated based on complaints the government agency is too closely linked to the aerospace company to provide appropriate oversight. The FAA has been relying on Boeing to self-monitor via component safety inspections because the FAA doesn’t have adequate personnel or resources.

Recall recent reports of supply chain vulnerabilities — is it at all possible Boeing components have been as compromised as other military suppliers have been? How would the public know if it has relied on the FAA’s self-inspection “designee program”?

This sounds eerily familiar, like the claims related to firmware updates needed on servers when it was possible the Supermicro motherboard hardware had been compromised.

~ 0 ~

Treat this as a open thread. We could use a break from what will continue to be a flood of news relate to the Special Counsel’s Office report, especially after the Golfer-in-Chief parks his cart for the weekend and begins shit posting on Twitter in earnest again.

Rattled: China’s Hardware Hack – PRC’s Response

[NB: Note the byline. Portions of my content are speculative. / ~Rayne]

The following analysis includes a copy of an initial response Bloomberg Businessweek received from the Ministry of Foreign Affairs for the People’s Republic of China (PRC) in response to its story, The Big Hack. In tandem with the Bloomberg story this was published on October 4 at this link. PRC’s response is offset in blockquote format. No signer was indicated in the published response. Additional responses to Bloomberg’s story will be posted separately.
__________

People’s Republic of China

China is a resolute defender of cybersecurity.[1] It advocates for the international community to work together on tackling cybersecurity threats through dialogue on the basis of mutual respect, equality and mutual benefit.

[1] It’s hard to argue that PRC does not defend its own cybersecurity resolutely.

[2] There are four themes here, at least:

— collaboration and ongoing dialog, but this requires trust which are difficult to develop without openness;
— mutuality, which again requires trust;
— equality, an insistence that footing of those in dialog is level;
— benefit, implying a transactional nature.

This may be a very small paragraph but it is heavily loaded and not for the kind of lightweight, half-assed diplomacy we’ve seen from this administration.

Supply chain safety in cyberspace is an issue of common concern, and China is also a victim.[3] China, Russia, and other member states of the Shanghai Cooperation Organization proposed an “International code of conduct for information security” to the United Nations as early as 2011.[4] It included a pledge to ensure the supply chain security of information and communications technology products and services, in order to prevent other states from using their advantages in resources and technologies to undermine the interest of other countries.[5] We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.[6] —Translated by Bloomberg News in Beijing[7]

[3] What is PRC alleging here? Are they accusing the U.S. of compromising their supply chain? Difficult for the American public to debate this when it is so opaque though this comment may be based directly on NSA interception of networking equipment to be used in China as one example.
[4] What was happening between U.S. and Russia at that point in time? PRC acts as if an agreement to this code would happen in a vacuum.
[5] A dig at U.S.
[6] Another dig at U.S.
[7] There has been no apparent demand for correction to any of this translation.

Like Supermicro’s response this one is very short and effective, giving little away.

Still Rattled: Fallout and Pushback

[NB: Note the byline. Portions of this post may be speculative. / ~Rayne]

The tech industry and technology journalism outlets remain rattled by Bloomberg Businessweek’s The Big Hack article.

Bloomberg Businessweek’s Jordan Robertson and Michael Riley published a second article last Tuesday in which a security expert went on the record about compromised servers with Supermicro motherboards in an unnamed telecommunications provider. Do read the article; the timing of the discovery of the unexpected network communications and the off-spec covert chip fit within the timeline of Apple and Amazon problems with Supermicro motherboards.

The FBI’s and DHS’ responses are also interesting — the first refused to comment and the second offered a tepid endorsement of Apple’s and Amazon’s denials.

The second article hasn’t assuaged industry members or journalists, though, in spite of a source on the record about a third affected entity.

The main criticisms of Bloomberg piece are:

— No affected equipment or firmware has been produced for review;

— Too much of Bloomberg’s sourcing remains anonymous;

— The claims cannot be validated by other journalists, technology companies, persons at Apple and Amazon who have been contacted and interviewed by non-Bloomberg journalists;

— Contacts inside the companies in question continue to deny knowledge if they don’t express confusion about the alleged hack;

— Apple and Amazon have published firm denials, including Apple’s preemptive letter to Congress.

However,

— Something drove both Apple and Amazon to change their relationship with Supermicro within a fairly tight time frame;

— The uniformity of their early denials in which they avoid mentioning hardware and lean toward web application as a point of conflict is odd;

— Neither of these enormous firms nor Supermicro have filed a lawsuit against Bloomberg for libel that the public can see, preventing questioning of Bloomberg’s journalists and sources under subpoena;

— Securities and Exchange Commission doesn’t appear to have been engaged to investigate the claims (although it’s possible the SEC is on this and may simply not have disclosed this publicly);

— None of the other unnamed companies alleged to have received compromised motherboards have uttered a peep to defend (or rebut) Apple or Amazon.

I have not seen in any reporting I’ve read to date — from either Bloomberg Businessweek in The Big Hack or subsequent articles examining the claims or rebutting them — that any journalist, tech industry member or infosecurity community member has asked whether Apple, Amazon, or the other affected companies ordered customized motherboards or servers with customized motherboards made to their company’s specifications. Supermicro has also said nothing about any possible differentiation between motherboards for different companies which would affect the scenario. The silence on this point is confounding.

This piece in Ars Technica captures many of the concerns other tech news outlets have with the Bloomberg reports. Complaints that software — meaning firmware — is easier to hack than adding off-spec hardware miss two key points.

Made-to-order components or assemblies in Just-In-Time lean manufacturing enterprises make it easier to ensure that adulterated products reach their intended mark because each order represents an identified, traceable batch. Adherence to ISO standards in manufacturing processes may even make traceability easier.

We know Supermicro uses lean manufacturing techniques because it’s in job postings online (lousy pay, by the way, which may also say something).

Does Supermicro use the same lean manufacturing approach overseas? Do any of its suppliers also use lean manufacturing?

In contrast, release of firmware (without corresponding adulterated hardware) to a single target is more difficult to control than hardware — the example given is Stuxnet (excerpt here from Ars Technica).

Why wouldn’t a determined nation-state ensure there was a failover, a Plan B method for accessing specific intelligence from a narrow range of sources instead of betting the farm on one method alone? Given the means to deploy both malicious firmware and adulterated hardware, why wouldn’t they try both?

~ | ~ | ~

In spite of tech industry and journalists’ criticisms of Bloomberg’s reporting, these facts remain:

1 — Technology supply chain has been compromised;

2 — U.S. government has known about it (pdf);

3 — U.S. government has not been forthcoming about it or the blacklists it has implemented;

4 — U.S. government has tried to investigate the compromise but with insufficient success;

5 — Some companies are also aware of the compromised supply chain.

We’re no closer to resolving this question: has the compromise of the supply chain remained limited to counterfeiting, or does the compromise now include altered products?

At what point will the tech industry and infosecurity community begin to take supply chain hacks more seriously?

_________

[AN: I still have to analyze both Apple’s letter to Congress and its second response posted on their website along with Amazon’s published response. More to come./~Rayne]

Rattled: China’s Hardware Hack – SMCI’s Response

[NB: Note the byline. Portions of my content are speculative. / ~Rayne]

The following analysis includes a copy of an initial response Bloomberg Businessweek received from Super Micro Computer in response to its story, The Big Hack. In tandem with the Bloomberg story this was published on October 4 at this link. Super Micro Computer’s response is offset in blockquote format. No signer was indicated in the published response. Additional responses to Bloomberg’s story will be posted separately.
__________

Supermicro

While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard.[1] We are not aware of any customer dropping Supermicro as a supplier for this type of issue.[2]

[1] (a) “we are not aware” “nor have we been contacted” — who is we?

(b) “nor have we been contacted by any government agency” — has Supermicro been contacted by customers or their auditors or their security teams, contract or not, about security problems?

[2] Were one or more of Supermicro’s customers dropped by their customers because of security concerns including problems with firmware? Are any of the customers or customers of customers U.S. government entities?

Every major corporation in today’s security climate is constantly responding to threats and evolving their security posture. As part of that effort we are in regular contact with a variety of vendors, industry partners and government agencies sharing information on threats, best practices and new tools. This is standard practice in the industry today. However, we have not been in contact with any government agency regarding the issues you raised.[3]

[3] Has Supermicro been in contact with any government agency regarding any security issues including firmware updates?

Furthermore, Supermicro doesn’t design or manufacture networking chips or the associated firmware and we, as well as other leading server/storage companies, procure them from the same leading networking companies.[4]

[4] Interesting pointer about networking chips. What other motherboard content does Supermicro not design or manufacture, procuring from other companies? What procured motherboard components have firmware associated with them?

Rattled: China’s Hardware Hack – Amazon’s Response

[NB: Note the byline. Portions of my analysis may be speculative. / ~Rayne]

The following analysis includes a copy of an initial response  received from Amazon by Bloomberg Businessweek in response to its story, The Big Hack. In tandem with the Bloomberg story Amazon’s response was published on October 4 at this link. The text of Amazon’s response is offset in blockquote format. No signer was indicated in the published response. Additional responses by Amazon to Bloomberg’s story will be assessed separately in a future post.

This analysis is a work in progress and subject to change.
__________

Amazon

It’s untrue that AWS[1] knew about a supply chain compromise, an issue with malicious chips, or hardware modifications[2] when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI[3] to investigate or provide data about malicious hardware.

[1] Identity – were there ever any third-party contractors or representatives involved in the relationship with Elemental? With Supermicro? Are there more than one Amazon subsidiary entity involved in the evaluation, purchasing, implementation of Elemental or Supermicro products into Amazon or its subsidiary enterprise? Which entity submitted this denial to Bloomberg Businessweek: Amazon, AWS, or some other subsidiary?

[2] What about evidence of bad or mismatched firmware and firmware updates?

[3] Did any law enforcement, military, or intelligence agency work with Amazon or any of its subsidiaries or contractors to investigate or provide data on hardware which failed to operate to specification or as expected?

We’ve re-reviewed our records[4] relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit[5] that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.[6]

[4] “our records” — whose records and what kind? Identity needs clarification as well as the type of records.

[5] Who is the third-party security auditor? How and why were they engaged?

[6] What about evidence of bad or mismatched firmware and firmware updates?

The pre-acquisition audit described four issues with a web application (not hardware or chips)[7] that SuperMicro provides for management of their motherboards. All these findings were fully addressed before we acquired Elemental. The first two issues, which the auditor[8] deemed as critical, related to a vulnerability in versions prior to 3.15 of this web application (our audit covered prior versions of Elemental appliances as well), and these vulnerabilities had been publicly disclosed by SuperMicro on 12/13/2013.[9]

[7] “web application” — but not firmware?

[8] Is this still the unnamed third-party security auditor or an internal auditor employed by Amazon or a subsidiary?

[9] How was this “publicly disclosed by SuperMicro”? SMCI’s website does not currently have either a press release or an SEC filing matching this date (see screenshots at bottom of this page).

Because Elemental appliances are not designed to be exposed to the public internet, our customers are protected against the vulnerability by default.[10] Nevertheless, the Elemental team had taken the extra action on or about 1/9/2014 to communicate with customers and provide instructions to download a new version of the web application from SuperMicro (and after 1/9/2014, all appliances shipped by Elemental had updated versions of the web application).[11] So, the two “critical” issues that the auditor found, were actually fixed long before we acquired Elemental. The remaining two non-critical issues with the web application were determined to be fully mitigated by the auditors if customers used the appliances as intended, without exposing them to the public internet.[12]

[10] “exposed to the public internet” — did customer data run through Elemental’s Supermicro devices between 2013 and 2015?

[11] What about firmware?

[12] Did customer data still run through devices with the two non-critical issues? Are any machines with these non-critical issues still in production?

Additionally, in June 2018, researchers made public reports of vulnerabilities in SuperMicro firmware.[13] As part of our standard operating procedure, we notified affected customers promptly, and recommended they upgrade the firmware in their appliances.[14]

[13] Researchers at Eclypsium are reported to have told Supermicro of vulnerabilities in January 2018. When was Amazon, AWS, or other Amazon subsidiary notified of these vulnerabilties?

[14] Give the six-month gap between Eclypsium’s notification to Supermicro and the public’s notification, when were Amazon’s, AWS’, or other Amazon subsidiary’s customers notified of these vulnerabilties?

__________

Screenshots

Supermicro’s SEC filings – last of year 2013:

Supermicro’s press releases – last of year 2013:

Rattled: China’s Hardware Hack – Apple’s Response

[NB: Note the byline. Portions of my content are speculative. / ~Rayne]

The following analysis includes a copy of an initial response received from Apple by Bloomberg Businessweek in response to its story, The Big Hack. In tandem with the Bloomberg story this was published on October 4 at this link. Apple’s response is offset in blockquote format. No signer was indicated in the published response. Additional responses from Apple to Bloomberg’s story will be assessed separately in a future post.

This analysis is a work in progress and subject to change.
__________

Apple

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple.[1] Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them.[2] We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.[3]

[1] Phrasing avoids who made the allegation(s).

[2] “rigorous internal investigations” doesn’t describe what they actually investigated; “each time” refers to investigations AFTER Bloomberg contacted Apple, AFTER 2016 when Apple had broken off relations with Supermicro.

[3] “refuting virtually aspect” does not mean “every and all.”

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server.[4] Apple never had any contact with the FBI or any other agency about such an incident.[5] We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

[4] (a) What about problems with firmware updates, including malicious firmware, firmware not issued by Supermicro, or hijacking to firmware upgrade sites not created by Supermicro?

(b) “purposely planted in any server” refers not to Supermicro’s motherboards but Elemental or other server assemblies.

[5] What about contact with any government agency regarding firmware? What about contact with a third-party entity regarding firmware problems, including security researchers?

[6] This phrasing focuses on law enforcement but not on other possibilities like intelligence entities or non-law enforcement functions like Commerce or Treasury Departments.

In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers;[7] Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers has ever been found to hold malicious chips.[9]

[7] (a) What about earlier versions of Bloomberg’s narrative the public hasn’t seen?

(b) Did Siri and Topsy ever share a data farm facility?

[8] (a) Was Siri ever deployed on Elemental brand servers?

(b) Was Topsy ever deployed on Elemental brand servers?

[9] Did any of the servers on which Siri and Topsy were deployed experience firmware problems including malicious firmware, firmware not issued by Supermicro, or hijacking to firmware upgrade sites not created by Supermicro?

As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we purchased from Super Micro when we updated the firmware and software according to our standard procedures.[10]

[10] Is this a statement of current practices or practices during the period of time about which Bloomberg reported? Why did Apple end its relationship with Supermicro?

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs.[11] That one-time event was determined to be accidental and not a targeted attack against Apple.[12]

[11] Gaslighting about the journalists’ credibility. Have there ever been any servers from Elemental or other server manufacturer with “infected drivers,” including the “single Super Micro server in one of our labs”? Were any servers of any make with “infected drivers” in production environments, whether they faced customers or not?

[12] How is an “infected driver” an accident?

While there has been no claim that customer data was involved, we take these allegations seriously and we want users to know that we do everything possible to safeguard the personal information they entrust to us.[13] We also want them to know that what Bloomberg is reporting about Apple is inaccurate.[14]

[13] This is not the same as saying “customer data was not exposed.”

[14] “inaccurate” but not “wrong,” “erroneous,” “false,” or “untrue”?

Apple has always believed in being transparent about the ways we handle and protect data.[15] If there were ever such an event as Bloomberg News has claimed, we would be forthcoming about it and we would work closely with law enforcement.[16] Apple engineers conduct regular and rigorous security screenings to ensure that our systems are safe. We know that security is an endless race and that’s why we constantly fortify our systems against increasingly sophisticated hackers and cybercriminals who want to steal our data.[17]

[15] Tell us about iPhone encryption.

[16] “an event” is not “events”. “Forthcoming” may not mean “public disclosure” or “reveal that we are under non-disclosure agreements.” “Would work closely with law enforcement” is not the same as “working with intelligence community,” or “working with Commerce/Treasury Departments.”

[17] No specific mention of nation-state actors.

Rattled: China’s Hardware Hack

[NB: Note the byline. Portions of my analysis may be speculative. / ~Rayne]

As I noted in my last Three Things post, information security folks are rattled by the October 4 Bloomberg Businessweek report that extremely tiny microchips may have been covertly embedded in motherboards used by U.S. businesses.

Their cognitive dissonance runs in two general directions — the feasibility of implanting a chip at scale, and the ability of such a chip to provide a viable backdoor to a device.

Hardware security researchers and professionals have been debating manufacturing feasibility and chip ability across Twitter. Joe Fitz’ recent tweet threads suggest implantation of a rogue chip is entirely doable on a mechanical basis though what happens once a chip has been embedded must be assessed from a software perspective. Fitz is not alone in his assessment; other professionals and academics believe it’s possible to insert a ‘malicious’ chip. Computer security academic Nicholas Weaver pointed to small devices which could do exactly what the Bloomberg report suggested if these tiny objects were embedded into motherboards during manufacturing.

The feasibility also requires the right opportunity — a confluence of personnel, manufacturing capability and capacity, timing and traceability. Let’s say a rogue or compromised employee manages to slip chips into a batch of motherboards; which ones? To whom will they ship? How could a rogue/compromised employee ensure the motherboards left the facility undetected?

The Bloomberg report paints the U.S.-based Supermicro plant as a perfect environment in which such hardware infiltration could happen easily. With employees divided by two very different languages — English-speakers far less likely to understand Mandarin-speakers — discussions between multiple rogue/compromised employees could be very easy as would be sharing of written instructions. Supermicro’s ISO certifications for standards 9001, 13485, 14001, and 27001 may shed some light on how the company expected to manage two different languages in the same workplace.

One could argue a bilingual workplace shouldn’t pose a challenge given how many companies already use English/Spanish, English/French, or English/German. Compare, however, these words:

English: hardware

German: either hardware or computerhardware

French: either hardware or le matériel

Spanish: either hardware or los equipos

Mandarin: 硬件 (yìng jiàn)

With enough exposure the average English-as-primary-language worker could readily understand the most common western language words for equipment they were manufacturing. It would take considerably more investment in education to recognize and understand a pictographic language making casual quality control difficult.

The environment is even more challenging for mixed language staff in manufacturing plants located in China.

~ | ~ | ~

Let’s look at a timeline of events leading up to the Bloomberg report this week. Note how often the word ‘firmware‘ is used in this timeline and in the responses from Apple and Amazon to the Bloomberg story:

1993 — Charles Liang launched Supermicro.

2007 — Social search analytics company Topsy founded.

2005 — Defence Science Board warned “trojan horse” chips bought overseas could negatively affective military systems.

2008 — BusinessWeek reported that fake Chinese-made microchips had entered the military’s supply chain causing system crashes.

2010 — Defence Department bought 59,000 chips, unaware they were counterfeit.

2Q2011 — China denied entry visas to senators Levin and McCain staff for congressional probe in Guangdong province.

October 2011 — Apple releases Siri.

December 2013 — Apple acquired  Topsy.

December 2013 — Supermicro publicly disclosed vulnerability/ies in a web application related to management of motherboards (Amazon response, email Oct 2018)

December 2013 — CBS’ 60 Minutes program aired a story about the NSA in which a plot involving a rogue BIOS had been identified.

First half 2014 (date TBD) — Intelligence officials tell White House that PRC’s military would infiltrate Supermicro’s motherboard production with microchips intended for the U.S. market.

January 2014 — Elemental communicated to existing customers that a new version of the web app was available for download; equipment shipped after this date had updated versions of the web app. (Amazon response, email Oct 2018)

Early 2015 — Amazon launched pre-acquistion evaluation of startup Elemental Technologies which used Supermicro motherboards in servers it made.

Late spring 2015 — Elemental sent several servers to Ontario CAN for testing by third-party security firm. It found non-spec chips on server motherboards. (Bloomberg report)

May 2015 — Apple detected unusual network activity and experienced firmware problems.

Summer 2015 — Apple found non-spec chips on Supermicro motherboards Apple bought from Supermicro. (Bloomberg report)

September 2015 — Amazon announced its acquisition of Elemental.

December 2015 — Apple shut down Topsy.

Mid-2016 — Apple broke off its relationship with Supermicro.

June 2018 — Researchers publicized vulnerabilties found in Supermicro firmware. AWS notified customers and recommended a firmware upgrade. (Amazon response, email Oct 2018)

October 2018 — Amazon, Apple, Supermicro, and PRC submitted responses denying Bloomberg’s report. (Published by Bloomberg)

~ | ~ | ~

Follow up reporting by other news outlets increase the layers of denial that cloud companies Amazon and Apple were affected by a possible breach of the hardware supply chain.

Some have asked if Bloomberg’s report is merely an attempt to undermine Amazon and Apple, which are the two most valuable companies in the U.S. and in Apple’s case, the world.

It is their value and their place in the stock market along with the customers they serve which may drive some of the denial.

Remember that Amazon’s AWS has provided hosting to U.S. government agencies. Government employees also use Apple iPhones and by extension, Apple’s cloud services. Is it at all possible that in providing services to government agencies these corporations and/or their subsidiaries have been read into programs obligating a degree of secrecy which includes denial of vulnerabilities and breaches which do not affect directly the average non-governmental user of Amazon and Apple products and services?

~ | ~ | ~

There are additional events which appear to have happened independently of the alleged hardware supply chain infiltration. They may be extremely important and highly relevant if looked at from an industry and intelligence perspective.

March 2014Freescale Semiconductor lost 20 employees in apparent crash of Malaysia Air flight MH370 en route to Beijing. The employees were supposed to begin work on a new chip manufacturing facility in China. While Freescale’s chips were not those one might ordinarily associate with server motherboards, it’s worth asking if Freescale at that time had any chips which might have served as server chips, or if they could work as illicit hardware hacks when embedded in a motherboard. Freescale has since been acquired by NXP.

Late 2010 — Beginning in late 2010, China identified and executed a network of U.S. agents within its borders over a two-year period, resulting in the deaths of at least 30 persons and the prosecution of former CIA agent Jerry Chung Shin Lee who worked as an informant for PRC. The exposure of these spies was blamed in part on a compromised communications system which had been previously used in the middle east. Due to compartmentalization of the project, it’s reported Lee could not have identified the agents, placing more emphasis on the communications system.

Mid-2011 — China refused visas to staff for senators Carl Levin and John McCain for the purposes of investigating electronic components manufacturing in city of Shenzhen in Guangdong province. The congressional probe sought the source of counterfeit parts which had entered the U.S. military’s supply chain; U.S. Commerce Department reported in January 2010 that 400 companies surveyed “overwhelmingly cited China” as the point of origin for counterfeit parts.

These events spawn more questions when looking at technology supply chain hacking and communications systems which rely on this supply chain.

Did Freescale’s plans to expand production in China pose a risk to the hardware supply chain hack? Or was it simply a fluke that a substantive portion of the company’s manufacturing engineers disappeared on that flight? Though Freescale originated in Austin, Texas, it had a presence in China since 1992 with at least eight design labs and manufacturing facilities in China as of 2014.

Was the communications system used by doomed U.S. assets in China affected not by tradecraft or betrayal, or even by counterfeit parts, but by the hardware supply chain hack — and at an even earlier date than the timeline of events shown above related to Supermicro’s compromised motherboard production?

Did China refuse admittance to Guangdong province in 2011 related not to counterfeit parts but to the possibility that supply chain hacks beyond counterfeiting alone might be revealed?

Is the supply chain hack reported by Bloomberg part of a much larger security threat which has been slowly revealed but not widely acknowledged because the threat has been viewed through narrow military, or intelligence, or tech industry lenses?

The tech industry may be rattled by allegations that the computer hardware supply chain has been hacked. But the possibility this hack has gone on much longer and with massive potential collateral damage may truly shake them up.

~ | ~ | ~

There is a third train of cognitive dissonance, not limited to information security professionals. Persons outside the tech industry have indulged in denialism, taking comfort in the aggressive pushback by Apple and Amazon which each claim in their own way that the Bloomberg report is inaccurate. (I have an analysis of the early responses by Apple and Amazon; I will also examine later expanded responses as well as Supermicro’s and PRC’s responses as soon as time permits.)

But there have been reports for years about counterfeit electronic components, obstruction of investigations into these components, system failures which could be attributed to hardware or software which do not meet specifications. Cognitive dissonance also resists Bloomberg’s report that as many as 30 U.S. companies were affected, not just Apple and Amazon which have offered up high-profile rebuttals.

And there have been reports in industries outside of cloud services and the military where off specification or counterfeit electronic components have made it into production. One such anecdote appears in a thread at Hacker News YCombinator, discussing credit card payment systems and development of screening systems requiring application of tests using angular momentum to determine if a board has been altered without breaking the board’s tamper-proof seal.

In addition to his early tweets assessing feasibility of malicious or covert off-spec chips added to motherboards, Nicholas Weaver wrote a post for Lawfare about the Bloomberg report.

The Bloomberg story also explains a previous mystery: in 2016, Apple quietly removed all SuperMicro servers from their products due to an unspecified “Security Incident.”  At the time the rumor was that SuperMicro provided a sabotaged BIOS—that is, the bootstrap program used to start the computer, another “god mode” target for compromise. Apple denied then that there was any security incident—just as they are denying one now.

This incident once again illustrates the “Coventry problem,” referring to Winston Churchill’s apocryphal decision not to prevent the bombing of Coventry in order to keep secret that British intelligence had decrypted the Enigma machine. Robertson and Riley describe a U.S. intelligence apparatus that knew of these ongoing attacks, but could not effectively notify the affected companies nor provide useful recommendations. If the intelligence community had warned these companies, it would probably have revealed to the Chinese that the U.S. was aware of these activities, as well as potentially compromise an ongoing FBI investigation described in the article.

Weaver called the suspect Supermicro firmware a ‘BIOS’ — the first use of this term across multiple reports covering the Bloomberg report and its aftermath. This change in nomenclature is critical, particularly so given the point he makes about the “Coventry problem.” The term ‘BIOS’ does not appear in the early responses from Apple, Amazon, or Supermicro.

In December 2013, CBS’ 60 Minutes aired a report about the NSA; it appeared at the time to puff up the agency after the publication of Edward Snowden’s leaked documents about the government’s domestic spying using  PRISM. Within the story was a claim about a thwarted cyberattack:

Debora Plunkett: One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability— to destroy computers.

John Miller: To destroy computers.

Debora Plunkett: To destroy computers. So the BIOS is a basic input, output system. It’s, like, the foundational component firmware of a computer. You start your computer up. The BIOS kicks in. It activates hardware. It activates the operating system. It turns on the computer.

This is the BIOS system which starts most computers. The attack would have been disguised as a request for a software update. If the user agreed, the virus would’ve infected the computer.

John Miller: So, this basically would have gone into the system that starts up the computer, runs the systems, tells it what to do.

Debora Plunkett: That’s right.

John Miller: —and basically turned it into a cinderblock.

Debora Plunkett: A brick.

John Miller: And after that, there wouldn’t be much you could do with that computer.

The description sounds remarkably like the rogue firmware update in concert with a malicious/covert chip.

The manner in which this report was handled by the NSA, however, made it appear like disinformation. The assessment that such firmware would be used solely brick a device heightened the FUD around this report, deterring questions about applications other than bricking a device — like taking control of the computer, or collecting all its transaction and data. Was the FUD-enhanced release via 60 Minutes the intelligence community’s approach to the “Coventry problem”?

~ | ~ | ~

The problem Bloomberg’s Jordan Robertson and Michael Riley reported is probably much bigger than they described. It is bigger than Supermicro motherboards and firmware, and it’s not a problem of the near-term future but ongoing over the last decade.

At what point will U.S. industries organize a collective response to both counterfeit and off-specification manufacturing of electronic components overseas? They can’t count on a calm and rational response from the Trump administration given the unnecessary trade war it launched against China.
_____

Disclosure: I have positions in AAPL and AMZN in my investment portfolio.