Evil Chips: The Sequel

Interesting report:

Above article points to this:

An echo from a Snowden revelation:

as it seems, routers built for export by Cisco (and probably other companies) are routinely intercepted without Cisco’s knowledge by the National Security Agency and equipped with hidden surveillance tools [since 2012]


Lol resistance is futile (stretching own tinfoil hat).
The article clearly calls out

To date, no one has presented any public evidence these spy chips exist: no one’s pointed at board and told the world, there, that’s the spy chip.

And one person claims

I have physically held evidence in my hands

Now what does it mean to me (if I take my tinfoil hat off)? There was a clumsy spearheaded attack which was detected by multiple parties. If you cannot take an off-the-shelf motherboard and point to a spy chip (like you can do with Intel ME, for instance), you cannot claim Supermicro ships servers with spyware. dixi

On the other hand, if spy agencies have found them, they wouldn’t necessarily make the fact public, as the article intimates.

On the other other hand, when a spy agency says another spy agency did something, which that spy agency then denies, is it because they got caught and won’t admit it, or because they never did it and this is a FUD/smear campaign? Because one agency doesn’t want to disclose their method of catching the other, there’s now an eternal circle of unknowns.

Whether it never happened, or they got caught and there was no impact beyond “got you”, does it really matter? The net result is no impact on the parts actually available.

My whole point is: until it is in the area of spy agencies, it is speculation. If it cannot be proven by a common, non-agency-bound security engineer, it is either a political game or a spearheaded attack. Either way it has nothing to do with common folks.

Can anybody on this forum, with insight into com equipment, imagine how such a “spy chip” should work? What electronic circuit and software would do the job? Does it need a physical connection to the main CPU of the said com equipment (in which case it’s detectable)?

What I mean is, unless the spy part is integrated in the original (or replaced) chip, it will always be detectable.

One scary aspect is that if the attacks are launched via FPGA hardware, then at the conclusion of the attack, the FPGA could erase itself or reconfigure itself to be a quite benign application or an unprogrammed device. Nothing to see here folks, just a blank device running no code on it. All traces of spying or attacking code could be completely erased down to the gate level, leaving no evidence behind.

One credible computer networking expert claims to have hacked into one of the Dominion voting machines (to prove that it can be done) via wifi by coming in through a vulnerable gateway first, to access the rest of the voting machines on that same network. That vulnerable gateway was a wall-mounted thermostat.

Granted, the FPGA was part of the design, in which case we’re back at the ME problem.

There’s a LOT of options for a hardware tampering attack, and they all depend on what exactly the motherboard is supposed to be.
I think much of the discussion about secret spy chips has been leading people to imagine that extra ICs not present in the original design were placed on the board. It can happen but it’s easily detected. You just have to inspect every motherboard closely.
A harder to detect, and harder to verify (and harder to implement) method would be to replace some of the components with components that look the same but do things differently or have extra functionality. Or for the chip designer itself to lie about what some components do in the first place, so the customer just orders PCB assemblies with secretly misbehaving ICs in them. The former can be defeated if the correct components are serialized and there’s a bunch of traceability paperwork for all of them, and their exterior appearance is hard to replicate. The latter is a straight-up betrayal of trust that will kick anyone who tries it out of everyone’s supply chains as soon as it’s detected, and hopefully, but won’t necessarily, lead to investigations of that company’s connections.
IF that company had sufficient influence over the mainstream media apparatus, however, they’d instead advertise the backdoor as a “security processor” that connects to microsoft dot com before your system even boots, and you’d probably find people calling you paranoid if you got suspicious. Oh wait, I just described Pluton.
With zero social engineering, I have no idea whatsoever how affordable it is for some intelligence agency/IT megacorp to do things that way or how much they could gain by doing so or for how long it could go undetected. I only know enough to imagine it happening, and the most obvious targets are dedicated networking components, like modems and ethernet controllers. Especially cellular modems. If a cellular modem wants to duplicate every packet you send and send all of them to some IP address, there’s nothing between your device and your carrier to monitor what you’re connecting to, so your carrier will probably just oblige. At least with ethernet, you can have firewalls to keep track of that, so a hardware attack would require a compromised host that anyone using that hardware would have to be convinced to let through the firewall.
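A concrete form of the serialization-and-traceability check the post above describes for catching look-alike component swaps, as an added example that is not from the thread or from any vendor tool; the reference designators, part numbers, serials and board scans are all constructed.

```python
from dataclasses import dataclass

# Constructed vendor manifest: for each reference designator on the board,
# the part that belongs there and the serials the vendor actually shipped.
TRUSTED_MANIFEST = {
    "U12": {"part": "ETH-CTRL-100", "serials": {"A1001", "A1002", "A1003"}},
    "U20": {"part": "BMC-SOC-7", "serials": {"B2001", "B2002"}},
}

# Constructed incoming-inspection scans: board id -> refdes -> (part, serial).
BOARDS = {
    "SN-1": {"U12": ("ETH-CTRL-100", "A1001"), "U20": ("BMC-SOC-7", "B2001")},
    # Reuses SN-1's serial on U12 (cloned marking) and carries an extra chip.
    "SN-2": {"U12": ("ETH-CTRL-100", "A1001"), "U20": ("BMC-SOC-7", "B2002"),
             "U99": ("UNKNOWN", "X9")},
    # Look-alike part with a different part number, and a reused serial.
    "SN-3": {"U12": ("ETH-CTRL-100", "A1002"), "U20": ("BMC-SOC-7X", "B2002")},
}


@dataclass(frozen=True)
class Finding:
    board: str
    refdes: str
    issue: str


def check_board(board_id, scanned, manifest, seen_serials):
    """Compare one scanned board against the manifest and the serials seen so far."""
    findings = []
    for refdes, expected in manifest.items():
        if refdes not in scanned:
            findings.append(Finding(board_id, refdes, "missing component"))
            continue
        part, serial = scanned[refdes]
        if part != expected["part"]:
            findings.append(Finding(board_id, refdes, f"unexpected part {part}"))
        if serial not in expected["serials"]:
            findings.append(Finding(board_id, refdes, f"serial {serial} not in vendor manifest"))
        elif serial in seen_serials and seen_serials[serial] != board_id:
            # The same serial on two boards means at least one marking is cloned.
            findings.append(Finding(board_id, refdes, f"serial {serial} already seen on {seen_serials[serial]}"))
        else:
            seen_serials[serial] = board_id
    for refdes in scanned:
        if refdes not in manifest:  # an IC the design never called for
            findings.append(Finding(board_id, refdes, "component not in design"))
    return findings


def audit_boards(boards, manifest):
    """Run the check over every board, tracking serials across the whole batch."""
    seen_serials = {}
    return [f for bid, scan in boards.items() for f in check_board(bid, scan, manifest, seen_serials)]
```

Exact part and serial matching only raises a flag; the physical follow-up (decap, X-ray, side-by-side comparison) is still a human job.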