If Supermicro boards were so bug-ridden, why would hackers ever need implants?
Whether spy chips reported by Bloomberg existed, attackers had much easier options.
By now, everyone knows the premise behind two unconfirmed Bloomberg articles that have dominated security headlines over the past week: spies from China got multiple factories to sneak data-stealing hardware into Supermicro motherboards before the servers that used them were shipped to Apple, Amazon, an unnamed major US telecommunications provider, and more than two dozen other unnamed companies.
Motherboards that wound up inside the networks of Apple, Amazon, and more than two dozen unnamed companies reportedly included a chip no bigger than a grain of rice that funneled instructions to the baseboard management controller, a motherboard component that allows administrators to monitor or control large fleets of servers, even when they’re turned off or corrupted. The rogue instructions, Bloomberg reported, caused the BMCs to download malicious code from attacker-controlled computers and have it executed by the server’s operating system.